Contracts
- Abnormal Security Cloud Terms of Service
- Abnormal Security Support and Service Level Agreement Policy
- Abnormal Security Information Security Policy
- Abnormal Security Data Processing Addendum
- Abnormal Security Acceptable Use Policy
- Abnormal Security Master Service Agreement - Transactions Entered into Prior to April 5, 2022
- Abnormal Security Data Processing Addendum - Transactions April 6, 2023 and Prior
- Abnormal Security Reseller Terms
Abnormal Security Cloud Terms of Service
Effective September 21, 2022
DownloadTable of Contents
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
If you have a separate written agreement with Abnormal Security Corporation with respect to use of the Service or any related services, these Cloud Terms of Service will not apply to you.
These Cloud Terms of Service (“Agreement”) govern your ("Customer") use of the Service and allow you to receive Support. By clicking a box indicating your acceptance of this Agreement, (e.g., “I Agree,” “Accept Terms,” “I Understand and Agree”) or similar button on the Service registration page, or executing an Order, as further described below, or by otherwise accessing the Service, you represent that (1) you have read, understand, and agree to be bound by this Agreement, (2) you are of legal age to form a binding contract with Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107, (“Abnormal,” “we,” “our,” or “us”, Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties”), and (3) you have the authority to enter into this Agreement personally or on behalf of the company or other organization you represent, and to bind that entity to this Agreement. In the event you are agreeing to this Agreement on behalf of a company or organization, “Customer,” will refer to the entity you are representing. We may update this Agreement from time to time in accordance with Section 17.5 (Updates).
Capitalized terms are defined in the Section 18 (Glossary) or in context below.
1. ACCESS OF THE SERVICE
1.1. The Service. Subject to this Agreement, Customer may use the Service for its own business purposes during each Subscription Term (“Permitted Use”). This includes the right to copy and use the Documentation as part of Customer’s Permitted Use.
1.2. Users. Customer is responsible for provisioning and managing its User accounts, for its Users’ actions through the Service and for Users' compliance with this Agreement. Customer will require that Users keep their login credentials confidential and will promptly notify Abnormal upon learning of any compromise of User accounts or credentials.
1.3. Affiliates. Customer’s Affiliates may serve as Users. Customer shall be responsible for its Affiliates’ use of the Service. Alternatively, Customer’s Affiliates may enter into their own Orders as mutually agreed with Abnormal, which creates a separate agreement between each such Affiliate and Abnormal incorporating this Agreement with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights under each other’s separate agreement with Abnormal, and breach or termination of any such separate agreement affects only that agreement.
1.4. Availability. Abnormal will adhere to the Service Level Availability Policy ("SLA") set out in the Documentation.
1.5. Support. Abnormal will provide Support for the Service in accordance with the Support Policy set out in the Documentation.
2. DATA
2.1. Customer Data. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service, Support, and Technical Services to Customer, and to generate Threat Intelligence Data. Use of Customer Data includes sharing Customer Data as Customer directs through the Service, but Abnormal will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
2.2. Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards as described in the Documentation that are designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
2.3. Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with, the “Data Processing Addendum” (“DPA”) made available from the dedicated DPA page of the Abnormal website.
2.4. Service Operations Data. Abnormal may collect Service Operations Data and use it to operate, improve and support the Service and for other lawful business purposes, including benchmarking and reports. However, Abnormal will not disclose Service Operations Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
2.5. Threat Intelligence Data. Abnormal may provide Customer with Threat Intelligence Data regarding the possibility or likelihood of fraudulent, harmful or malicious activity occurring in Customer's environment. Customer understands that Abnormal provides Threat Intelligence Data for Customer’s consideration, but that Customer is ultimately responsible for any actions taken or not taken in relation to such Threat Intelligence Data, including any configuration instructions of the Service regarding the level of auto-remediation. Abnormal may incorporate any subsequent action or inaction taken by Customer into its models, for the purpose of identifying future potential fraud, loss, or other harms to customers.
2.6. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer’s use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Abnormal is not responsible for Third-Party Platforms or how Customer's providers use Customer Data.
3. USE OF THE SERVICE
3.1. Compliance. Customer will comply with the Documentation in using the Service and represents and warrants that it has secured all necessary rights, consents, and permissions to use Customer Data with the Service and grant Abnormal the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the Parties, Customer is responsible for the content and accuracy of Customer Data.
3.2. Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes, including to develop a similar or competing product or service (e.g., benchmarking); (ii) conduct penetration testing on the Service, interfere with its operation or circumvent its access restrictions; (iii) market, sublicense, distribute, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available (in whole or part) to any third party, except to a third party that manages Customer’s computing environment, grant non-Users access to the Service or use the Service to provide a hosted or managed service to others; (iv) obtain or attempt to obtain the Service by any means or device with intent to avoid paying the fees that would otherwise be payable for such access or use; or (v) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of its components, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Abnormal.
4. MUTUAL COMPLIANCE WITH LAW. Each Party will comply with all laws, regulations, court orders or other binding requirements of a government authority (“Laws”) that apply to its performance under this Agreement.
5. REPRESENTATIONS AND WARRANTIES
5.1. Mutual Representations and Warranties. Each Party represents and warrants that:
(a) it has validly entered into this Agreement and has the legal power to do so, and
(b) it will use industry-standard measures to avoid introducing viruses, malicious code or similar harmful materials into the Service.
5.2. Abnormal Warranties. Abnormal warrants that:
(a) the Service will perform as materially described in the Documentation and Abnormal will not materially decrease the overall functionality of the Service during a Subscription Term (the “Performance Warranty”), and
(b) any Technical Services will be provided in a professional and workmanlike manner (the “Technical Services Warranty”).
5.3. Abnormal Warranty Remedies. Abnormal will use reasonable efforts to correct a verified breach of the Performance Warranty or Technical Services Warranty reported by Customer. If Abnormal fails to do so within 30 days after Customer’s warranty report, then either Party may terminate the affected Order as relates to the non-conforming Service or Technical Services, in which case Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Technical Services (for the Technical Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Service or 30 days after delivery of the relevant Technical Services. This Section 5.3 sets forth Customer’s exclusive remedies and Abnormal’s sole liability for breach of the Performance Warranty or Professional Services Warranty.
5.4. Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN SECTION 5.2 (ABNORMAL WARRANTIES), THE SERVICE, SUPPORT, AND TECHNICAL SERVICES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. ABNORMAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING ITS EXPRESS OBLIGATIONS IN THE SERVICE LEVEL AVAILABILITY COMMITMENT, ABNORMAL DOES NOT WARRANT THE RESULTS TO BE ACHIEVED FROM THE SERVICE OR THAT THE SERVICE IS ERROR-FREE, WILL PERFORM UNINTERRUPTED OR WILL MEET CUSTOMER’S REQUIREMENTS. THE WARRANTIES IN SECTION 5.2 (ABNORMAL WARRANTIES) DO NOT APPLY TO ISSUES ARISING FROM THIRD PARTY PLATFORMS OR MISUSE OR UNAUTHORIZED MODIFICATIONS OF THE SERVICE. THESE DISCLAIMERS APPLY TO THE FULL EXTENT PERMITTED BY LAW.
6. TECHNICAL SERVICES. Abnormal may perform Technical Services as described in an Order, which may identify additional terms or milestones for the Technical Services. Customer will give Abnormal timely access to Customer Materials reasonably needed for Abnormal’s provision of the Technical Services, and if Customer fails to do so, Abnormal’s obligation to provide Technical Services will be excused until access is provided. Abnormal will use the Customer Materials only for purposes of providing Technical Services. Abnormal may make use of service partners to provide the Technical Services. Subject to any limits in an Order, Customer will reimburse reasonable travel and lodging expenses incurred by Abnormal in providing Technical Services. Customer may use the product of any Technical Services that Abnormal furnishes as part of Technical Services only in connection with Customer’s authorized use of the Service under this Agreement.
7. FEES AND PAYMENT
7.1. Payment. Customer will pay the fees described in the applicable Order. Unless the Order states otherwise, all undisputed amounts are payable in U.S. dollars and due within 30 days from the date of an invoice (“Due Date”). All fees and expenses are non-refundable and non-cancellable except as expressly set out in the Agreement and any applicable Order. In addition to any other remedies set forth in this Agreement, if any undisputed, invoiced amount is not received by Abnormal by the Due Date, then those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than Abnormal’s income tax. Fees and expenses are exclusive of Taxes. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.
7.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Abnormal prior to the Due Date and the Parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either Party may pursue any available remedies.
7.4. Records and Validation. Customer is responsible for providing complete and accurate billing and contact information to Abnormal and notifying Abnormal of any changes to such information. Abnormal may conduct verification checks on the usage of the Service during the Subscription Term. If it is determined that the usage of the Service exceeds the baseline quantity stated in an applicable Order, the Parties (Channel Partner and Abnormal or Customer and Abnormal, as applicable) will address any over-usage in a separate Order. If Customer fails to pay for the over-usage, Abnormal may terminate access to the Service within thirty (30) days of Abnormal’s notice of non-compliance.
8. SUSPENSION. Abnormal may suspend Customer’s access to the Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Abnormal is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Abnormal will promptly restore Customer’s access to the Service in accordance with this Agreement. “Suspension Event” means (a) Customer’s account is 30 days or more overdue, (b) Customer is in breach of Section 3 (Use of the Service) or (c) Customer’s use of the Service risks material harm to the Service or others.
9. TERM AND TERMINATION
9.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the Parties agree on a different renewal Order or (b) either Party notifies the other (or Channel Partner notifies Abnormal, if applicable) of non-renewal at least 30 days prior to the end of the then current Subscription Term.
9.2. Term. The term of this Agreement will commence on the date you accept this Agreement ("Effective Date") and continues until expiration or termination of all Subscription Terms, unless otherwise terminated as permitted by this Agreement (the “Term”). If no Subscription Term is in effect, either Party may terminate this Agreement for any or no reason with notice to the other Party.
9.3. Termination. Either Party may terminate this Agreement, including all Subscription Terms, if the other Party (i) fails to cure a material breach of this Agreement (including a failure to pay fees) within 30 days after notice, (ii) ceases operation without a successor, or (iii) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that Party and not dismissed within 60 days. Customer shall receive a refund of any pre-paid, unused fees for the terminated portion of an applicable Subscription Term for such Customer-initiated terminations, and Customer will promptly pay Abnormal any and all outstanding fees and expenses due both as of the date of termination and for the terminated portion of the Subscription Term for any such Abnormal-initiated termination.
9.4. Data Export & Deletion. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation. After termination or expiration of this Agreement, Abnormal will delete Customer Data and each Party will delete any Confidential Information of the other in its possession or control. Nonetheless, Abnormal may retain Customer Data and each Party may retain Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 2.2 (Security), Section 10 (Confidentiality) and any DPA.
9.5. Effect of Termination.
(a) Customer’s right to use the Service, Support and Technical Services will immediately cease upon any termination or expiration of this Agreement, subject to this Section 9 (Term and Termination).
(b) In no event will any termination or expiration relieve Customer of the obligation to pay any expenses and fees payable to Abnormal for the period prior to the effective date of termination or expiration.
(c) The following Sections will survive expiration or termination of this Agreement: Section 2.4 (Service Operations Data), 2.5 (Threat Intelligence Data), 3 (Use of the Service), 5.4 (Disclaimers), 7.1 (Payment) (for amounts then due), 7.2 (Taxes), 9.4 (Data Export & Deletion), 9.5 (Effect of Termination), 10 (Confidentiality), 11 (Proprietary Rights), 12 (Limitations of Liability), 13 (Indemnification), 17 (General Terms), and 18 (Glossary).
10. CONFIDENTIALITY
10.1. Use and Protection. As recipient, each Party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without discloser’s prior approval, except as permitted in this Agreement, and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
10.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors, Affiliates, subcontractors and other representatives having a legitimate need to know (including, for Abnormal, any subprocessors referenced in the DPA or Service support providers as referenced in Section 17.8), provided recipient remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 10 (each, a “Representative”).
10.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without access to the Confidential Information.
10.4. Remedies. Breach of this Section 10 (Confidentiality) may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section 10, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
10.5. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance written notice of the required disclosure and reasonably cooperate, at the discloser’s expense, to contest or seek to limit the disclosure or obtain confidential treatment for the Confidential Information. If no protective order or other remedy is obtained, the recipient will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
11. PROPRIETARY RIGHTS
11.1. Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, Technical Services, and any feedback or suggestions Customer provides to Abnormal with respect to the Service or Technical Services. All feedback is provided “AS IS” and Abnormal will not publicly identify Customer as the source of feedback without Customer’s permission. Except for Customer’s express rights in this Agreement, as between the Parties, Abnormal and its licensors retain all intellectual property rights in the Service, and product of any Technical Services and related Abnormal technology.
11.2. Customer Property. Except for Abnormal’s express rights in this Agreement, as between the Parties, Customer owns and retains all right, title, and interest in and to the Customer Data and Customer Materials provided to Abnormal.
12. LIMITATIONS OF LIABILITY
12.1. General Cap. EACH PARTY’S ENTIRE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE GENERAL CAP.
12.2. Consequential Damages Waiver. NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF USE, LOST PROFITS OR INTERRUPTION OF BUSINESS, EVEN IF INFORMED OF THEIR POSSIBILITY IN ADVANCE.
12.3. Exceptions and Enhanced Cap. SECTIONS 12.1 (GENERAL CAP) AND 12.2 (CONSEQUENTIAL DAMAGES WAIVER) WILL NOT APPLY TO ENHANCED CLAIMS OR UNCAPPED CLAIMS. FOR ALL ENHANCED CLAIMS, EACH PARTY’S ENTIRE LIABILITY WILL NOT EXCEED THE ENHANCED CAP.
12.4. Nature of Claims. The waivers and limitations in this Section 12 (Limitations of Liability) apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
12.5. Liability Definitions. The following definitions apply to this Section 12 (Limitations of Liability).
| “Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s obligations in or breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations. |
13. INDEMNIFICATION
13.1. By Abnormal. Abnormal, at its own cost, will defend Customer from and against any Abnormal-Covered Claims and will indemnify Customer from and against any damages or costs finally awarded against Customer by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Abnormal resulting from the Abnormal-Covered Claims.
13.2. Indemnification by Customer. Customer, at its own cost, will defend Abnormal from and against any Customer-Covered Claims and will indemnify Abnormal from and against any damages or costs finally awarded against Abnormal by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
13.3. Indemnification Definitions.
| “Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service). |
13.4. Procedures. The indemnifying Party’s obligations in this Section 13 (Indemnification) are subject to receiving from the indemnified Party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying Party’s obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim’s investigation, defense and settlement and (c) reasonable cooperation at the indemnifying Party’s expense. The indemnifying Party may not settle a claim without the indemnified Party’s prior approval if settlement would require the indemnified Party to admit fault or take or refrain from taking any action (except regarding use of the Service when Abnormal is the indemnifying Party). The indemnified Party may participate in a claim with its own counsel at its own expense.
13.5. Mitigation & Exceptions. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Abnormal determines necessary to avoid material liability, Abnormal may, in its sole discretion: (a) procure rights for Customer’s continued use of the Service, (b) replace or modify the allegedly infringing portion of the Service to avoid infringement, without reducing the Service’s overall functionality or (c) terminate the affected Order or the Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. Abnormal’s obligations in this Section 13 (Indemnification) do not apply to claims resulting from (1) modification or unauthorized use of the Service or (2) use of the Service in combination with items not provided by Abnormal, including Third-Party Platforms. This Section 13 (Indemnification) sets out the indemnified Party’s exclusive remedy and the indemnifying Party’s sole liability regarding third-party claims of intellectual property infringement or misappropriation.
14. INSURANCE
14.1. Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
14.2. Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
15. TRIALS AND BETAS. Abnormal may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated on the Order (or if not designated in an Order or otherwise, 30 days). Either Party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT, ABNORMAL OFFERS NO WARRANTY, INDEMNITY, SLA OR SUPPORT FOR TRIALS AND BETAS AND ITS LIABILITY FOR TRIALS AND BETAS WILL NOT EXCEED US$50,000.
16. PUBLICITY. Neither Party may publicly announce this Agreement without the other Party’s prior approval or except as required by Laws.
17. GENERAL TERMS
17.1. Assignment. Neither Party may assign this Agreement without the prior consent of the other Party, except that either Party may assign this Agreement, with notice to the other Party, to an Affiliate or in connection with the assigning Party’s merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.
17.2. Governing Law and Courts. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California.
17.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement will be in writing to the addresses on the Order or in this Agreement and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either Party may update its address with notice to the other.
(b) Abnormal may also send operational notices through the Service, including to update the Support Plan, Service Level Availability, or other policies to reflect new features or changing practices.
17.4. Entire Agreement. This Agreement, including all applicable Orders, is the Parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes, online terms, or invoicing portal used by Customer will not amend or modify this Agreement; any such documents are for administrative purposes only. In the event of any conflict or inconsistency between the Order and this Agreement, the Order will prevail.
17.5. Updates. Abnormal may modify this Agreement from time to time. If a modification materially impacts this Agreement, Abnormal will use reasonable efforts to notify Customer through the Service, the website and/or in accordance with this Section 17 (General Terms). Any changes to this Agreement posted on the website will be effective if Customer assents to such changes or upon Customer’s renewal Subscription Term, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Agreement, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew by canceling any Subscription Term set to auto-renew in accordance with Section 9.1 (Subscription Terms).
17.6. Waivers and Severability. Waivers must be signed by the waiving Party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
17.7. Force Majeure. Neither Party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Service for 30 or more consecutive days, either Party may terminate the affected Order upon notice to the other and Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer’s obligations to pay fees owed.
17.8. Service Support Providers. Abnormal may use Service support providers (e.g., third-party hosting and other service providers) in provision of the Service and Support and permit them to exercise Abnormal's rights and fulfill Abnormal's obligations, but Abnormal remains responsible for their compliance with this Agreement. This provision does not limit any additional terms for subprocessors under a DPA.
17.9. Independent Contractors. The Parties are independent contractors, not agents, partners or joint venturers.
17.10. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
17.11. Anti-Corruption and Export. Each Party will, and will cause its employees, consultants, and agents to, comply with the US Foreign Corrupt Practices Act of 1977 and the UK Bribery Act 2010. Customer agrees to comply with all applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control, or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designated countries, entities, and persons (“Sanctions Targets”); and agrees not to directly or indirectly export, re-export, or otherwise deliver the Service to a Sanctions Target, or broker, finance, or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that Customer is not a Sanctions Target or prohibited from receiving the Service. The Service will be used for non-prohibited, commercial purposes by non-prohibited Users and will not be exported or transferred to China or any Sanctions Target.
17.12. Government Rights. For purposes of this Agreement and to the extent applicable, the Service is "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined at FAR 2.101 developed at the private expense of Abnormal. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202 of the DOD FAR Supplement ("DFARS") and its successors. This Section is in lieu of and supersedes any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
17.13. Channel Partner Service Subscriptions. This Section applies to any Customer access of the Service obtained through an authorized Abnormal channel partner (“Channel Partner”).
(a) Commercial Terms. Instead of paying Abnormal directly, Customer will pay applicable amounts to the Channel Partner as agreed between Customer and the Channel Partner. Customer’s order details (e.g., scope of use, Subscription Term, and fees) will be as stated in the Order placed by Channel Partner with Abnormal on Customer’s behalf. Customer’s Order will renew with Channel Partner in accordance with Section 9.1 (Subscription Terms), unless Channel Partner notifies Abnormal that it is opting-out of auto-renewal on Customer’s behalf as described in this Agreement or in the manner specified in the agreement between Channel Partner and Abnormal. Channel Partner is responsible for the accuracy of such Order. Abnormal may suspend or terminate Customer’s rights to use the Service if it does not receive the corresponding payment from the Channel Partner. If Customer is entitled to a refund under this Agreement, Abnormal will refund any applicable fees to the Channel Partner and the Channel Partner will be solely responsible for refunding the appropriate amounts to Customer, unless otherwise specified.
(b) Relationship with Abnormal. This Agreement is directly between Abnormal and Customer and governs all use of the Service by Customer. Channel Partners are not authorized to modify this Agreement or make any promises or commitments on Abnormal’s behalf, and Abnormal is not bound by any obligations to Customer other than as set forth in this Agreement. Abnormal is not party to (or responsible under) any separate agreement between Customer and Channel Partner. The amount paid or payable by the Channel Partner to Abnormal for Customer’s use of the applicable Service under this Agreement will be deemed the amount paid or payable by Customer to Abnormal under this Agreement for purposes of Section 12 (Limitations of Liability). Abnormal is not responsible for any acts, omissions, products or services provided by Channel Partner.
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ or ‘Abnormal Legal Center’ pages (legal.abnormalsecurity.com) of the Abnormal managed website. “Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Effective May 19, 2022 to September 21, 2022
DownloadTable of Contents
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
If you have a separate written agreement with Abnormal Security Corporation with respect to use of the Service or any related services, these Cloud Terms of Service will not apply to you.
These Cloud Terms of Service (“Agreement”) govern your ("Customer") use of the Service and allow you to receive Support. By clicking a box indicating your acceptance of this Agreement, (e.g., “I Agree,” “Accept Terms,” “I Understand and Agree”) or similar button on the Service registration page, or executing an Order, as further described below, or by otherwise accessing the Service, you represent that (1) you have read, understand, and agree to be bound by this Agreement, (2) you are of legal age to form a binding contract with Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107, (“Abnormal,” “we,” “our,” or “us”, Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties”), and (3) you have the authority to enter into this Agreement personally or on behalf of the company or other organization you represent, and to bind that entity to this Agreement. In the event you are agreeing to this Agreement on behalf of a company or organization, “Customer,” will refer to the entity you are representing. We may update this Agreement from time to time in accordance with Section 17.5 (Updates).
Capitalized terms are defined in the Section 18 (Glossary) or in context below.
1. ACCESS OF THE SERVICE
1.1. The Service. Subject to this Agreement, Customer may use the Service for its own business purposes during each Subscription Term (“Permitted Use”). This includes the right to copy and use the Documentation as part of Customer’s Permitted Use.
1.2. Users. Customer is responsible for provisioning and managing its User accounts, for its Users’ actions through the Service and for Users' compliance with this Agreement. Customer will require that Users keep their login credentials confidential and will promptly notify Abnormal upon learning of any compromise of User accounts or credentials.
1.3. Affiliates. Customer’s Affiliates may serve as Users. Customer shall be responsible for its Affiliates’ use of the Service. Alternatively, Customer’s Affiliates may enter into their own Orders as mutually agreed with Abnormal, which creates a separate agreement between each such Affiliate and Abnormal incorporating this Agreement with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights under each other’s separate agreement with Abnormal, and breach or termination of any such separate agreement affects only that agreement.
1.4. Availability. Abnormal will adhere to the Service Level Availability Policy ("SLA") set out in the Documentation.
1.5. Support. Abnormal will provide Support for the Service in accordance with the Support Policy set out in the Documentation.
2. DATA
2.1. Customer Data. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service, Support, and Technical Services to Customer, and to generate Threat Intelligence Data. Use of Customer Data includes sharing Customer Data as Customer directs through the Service, but Abnormal will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
2.2. Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards as described in the Documentation that are designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
2.3. Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with, the “Data Processing Addendum” (“DPA”) made available from the dedicated DPA page of the Abnormal website.
2.4. Service Operations Data. Abnormal may collect Service Operations Data and use it to operate, improve and support the Service and for other lawful business purposes, including benchmarking and reports. However, Abnormal will not disclose Service Operations Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
2.5. Threat Intelligence Data. Abnormal may provide Customer with Threat Intelligence Data regarding the possibility or likelihood of fraudulent, harmful or malicious activity occurring in Customer's environment. Customer understands that Abnormal provides Threat Intelligence Data for Customer’s consideration, but that Customer is ultimately responsible for any actions taken or not taken in relation to such Threat Intelligence Data, including any configuration instructions of the Service regarding the level of auto-remediation. Abnormal may incorporate any subsequent action or inaction taken by Customer into our models, for the purpose of identifying future potential fraud, loss, or other harms to customers.
2.6. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer’s use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Abnormal is not responsible for Third-Party Platforms or how Customer's providers use Customer Data.
3. USE OF THE SERVICE
3.1. Compliance. Customer will comply with the Documentation in using the Service and represents and warrants that it has secured all necessary rights, consents, and permissions to use Customer Data with the Service and grant Abnormal the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the parties, Customer is responsible for the content and accuracy of Customer Data.
3.2. Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes, including to develop a similar or competing product or service (e.g., benchmarking); (ii) conduct penetration testing on the Service, interfere with its operation or circumvent its access restrictions; (iii) market, sublicense, distribute, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available (in whole or part) to any third party, except to a third party that manages Customer’s computing environment, grant non-Users access to the Service or use the Service to provide a hosted or managed service to others; (iv) obtain or attempt to obtain the Service by any means or device with intent to avoid paying the fees that would otherwise be payable for such access or use; or (v) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of its components, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Abnormal.
4. MUTUAL COMPLIANCE WITH LAW. Each Party will comply with all laws, regulations, court orders or other binding requirements of a government authority (“Laws”) that apply to its performance under this Agreement.
5. REPRESENTATIONS AND WARRANTIES
5.1. Mutual Representations and Warranties. Each Party represents and warrants that:
(a) it has validly entered into this Agreement and has the legal power to do so, and
(b) it will use industry-standard measures to avoid introducing viruses, malicious code or similar harmful materials into the Service.
5.2. Abnormal Warranties. Abnormal warrants that:
(a) the Service will perform as materially described in the Documentation and Abnormal will not materially decrease the overall functionality of the Service during a Subscription Term (the “Performance Warranty”), and
(b) any Technical Services will be provided in a professional and workmanlike manner (the “Technical Services Warranty”).
5.3. Abnormal Warranty Remedies. Abnormal will use reasonable efforts to correct a verified breach of the Performance Warranty or Technical Services Warranty reported by Customer. If Abnormal fails to do so within 30 days after Customer’s warranty report, then either Party may terminate the affected Order as relates to the non-conforming Service or Technical Services, in which case Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Technical Services (for the Technical Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Service or 30 days after delivery of the relevant Technical Services. This Section 5.3 sets forth Customer’s exclusive remedies and Abnormal’s sole liability for breach of the Performance Warranty or Professional Services Warranty.
5.4. Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN SECTION 5.2 (ABNORMAL WARRANTIES), THE SERVICE, SUPPORT, AND TECHNICAL SERVICES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. ABNORMAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING OUR EXPRESS OBLIGATIONS IN THE SERVICE LEVEL AVAILABILITY COMMITMENT, ABNORMAL DOES NOT WARRANT THE RESULTS TO BE ACHIEVED FROM THE SERVICE OR THAT THE SERVICE IS ERROR-FREE, WILL PERFORM UNINTERRUPTED OR WILL MEET CUSTOMER’S REQUIREMENTS. THE WARRANTIES IN SECTION 5.2 (ABNORMAL WARRANTIES) DO NOT APPLY TO ISSUES ARISING FROM THIRD PARTY PLATFORMS OR MISUSE OR UNAUTHORIZED MODIFICATIONS OF THE SERVICE. THESE DISCLAIMERS APPLY TO THE FULL EXTENT PERMITTED BY LAW.
6. TECHNICAL SERVICES. Abnormal may perform Technical Services as described in an Order, which may identify additional terms or milestones for the Technical Services. Customer will give Abnormal timely access to Customer Materials reasonably needed for Abnormal’s provision of the Technical Services, and if Customer fails to do so, Abnormal’s obligation to provide Technical Services will be excused until access is provided. Abnormal will use the Customer Materials only for purposes of providing Technical Services. Abnormal may make use of service partners to provide the Technical Services. Subject to any limits in an Order, Customer will reimburse reasonable travel and lodging expenses incurred by Abnormal in providing Technical Services. Customer may use the product of any Technical Services that Abnormal furnishes as part of Technical Services only in connection with Customer’s authorized use of the Service under this Agreement.
7. FEES AND PAYMENT
7.1. Payment. Customer will pay the fees described in the applicable Order. Unless the Order states otherwise, all undisputed amounts are payable in U.S. dollars and due within 30 days from the date of an invoice (“Due Date”). All fees and expenses are non-refundable and non-cancellable except as expressly set out in the Agreement and any applicable Order. In addition to any other remedies set forth in this Agreement, if any undisputed, invoiced amount is not received by Abnormal by the Due Date, then those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than Abnormal’s income tax. Fees and expenses are exclusive of Taxes. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.
7.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Abnormal prior to the Due Date and the parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either Party may pursue any available remedies.
7.4. Records and Validation. Customer is responsible for providing complete and accurate billing and contact information to Abnormal and notifying Abnormal of any changes to such information. Abnormal may conduct verification checks on the usage of the Service during the Subscription Term. If it is determined that the usage of the Service exceeds the baseline quantity stated in an applicable Order, the Parties (Partner and Abnormal or Customer and Abnormal, as applicable) will address any over-usage in a separate Order. If Customer fails to pay for the over-usage, Abnormal may terminate access to the Service within thirty (30) days of Abnormal’s notice of non-compliance.
8. SUSPENSION. Abnormal may suspend Customer’s access to the Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Abnormal is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Abnormal will promptly restore Customer’s access to the Service in accordance with this Agreement. “Suspension Event” means (a) Customer’s account is 30 days or more overdue, (b) Customer is in breach of Section 3 (Use of the Service) or (c) Customer’s use of the Service risks material harm to the Service or others.
9. TERM AND TERMINATION
9.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the Parties agree on a different renewal Order or (b) either Party notifies the other (or Partner notifies Abnormal, if applicable) of non-renewal at least 30 days prior to the end of the then current Subscription Term. Per-unit rates for renewal of the applicable Service will be the same as in the prior Subscription Term for the same Service, unless Abnormal notifies Customer at least 45 days in advance. If Customer objects to the increase, Customer must notify Abnormal of its intention not to renew the Order within 30 days of Customer’s receipt of such notice. Failure to timely notify Abnormal shall be deemed to constitute consent to the applicable fee increase.
9.2. Term. The term of this Agreement will commence on the date you accept this Agreement ("Effective Date") and continues until expiration or termination of all Subscription Terms, unless otherwise terminated as permitted by this Agreement (the “Term”). If no Subscription Term is in effect, either Party may terminate this Agreement for any or no reason with notice to the other Party.
9.3. Termination. Either Party may terminate this Agreement, including all Subscription Terms, if the other Party (i) fails to cure a material breach of this Agreement (including a failure to pay fees) within 30 days after notice, (ii) ceases operation with a successor, or (iii) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that Party and not dismissed within 60 days. Customer shall receive a refund of any pre-paid, unused fees for the terminated portion of an applicable Subscription Term for such Customer-initiated terminations, and Customer will promptly pay Abnormal any outstanding fees and expenses due for the terminated portion of the Subscription Term for any such Abnormal-initiated termination.
9.4. Data Export & Deletion. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation. After termination or expiration of this Agreement, Abnormal will delete Customer Data and each Party will delete any Confidential Information of the other in its possession or control. Nonetheless, Abnormal may retain Customer Data and each Party may retain Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 2.2 (Security), Section 10 (Confidentiality) and any DPA.
9.5. Effect of Termination.
(a) Customer’s right to use the Service, Support and Technical Services will immediately cease upon any termination or expiration of this Agreement, subject to this Section 9 (Term and Termination).
(b) In no event will any termination or expiration relieve Customer of the obligation to pay any expenses and fees payable to Abnormal for the period prior to the effective date of termination or expiration.
(c) The following Sections will survive expiration or termination of this Agreement: Section 2.4 (Service Operations Data), 2.5 (Threat Intelligence Data), 3 (Use of the Service), 5.4 (Disclaimers), 7.1 (Payment) (for amounts then due), 7.2 (Taxes), 9.4 (Data Export & Deletion), 9.5 (Effect of Termination), 10 (Confidentiality), 11 (Proprietary Rights), 12 (Limitations of Liability), 13 (Indemnification), 17 (General Terms), and 18 (Glossary).
10. CONFIDENTIALITY
10.1. Use and Protection. As recipient, each Party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without discloser’s prior approval, except as permitted in this Agreement, and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
10.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors, Affiliates, agents, subcontractors and other representatives having a legitimate need to know (including, for Abnormal, any subprocessors referenced in the DPA or Service support providers as referenced in Section 17.8), provided recipient remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 10 (each, a “Representative”).
10.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without access to the Confidential Information.
10.4. Remedies. Breach of this Section 10 (Confidentiality) may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section 10, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
10.5. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance written notice of the required disclosure and reasonably cooperate, at the discloser’s expense, to contest or seek to limit the disclosure or obtain confidential treatment for the Confidential Information. If no protective order or other remedy is obtained, the recipient will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
11. PROPRIETARY RIGHTS
11.1. Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, Technical Services, and any feedback or suggestions Customer provides to Abnormal with respect to the Service or Technical Services. All feedback is provided “AS IS” and Abnormal will not publicly identify Customer as the source of feedback without Customer’s permission. Except for Customer’s express rights in this Agreement, as between the parties, Abnormal and its licensors retain all intellectual property rights in the Service, and product of any Technical Services and related Abnormal technology.
11.2. Customer Property. Except for Abnormal’s express rights in this Agreement, as between the parties, Customer owns and retains all right, title, and interest in and to the Customer Data and Customer Materials provided to Abnormal.
12. LIMITATIONS OF LIABILITY
12.1. General Cap. EACH PARTY’S ENTIRE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE GENERAL CAP.
12.2. Consequential Damages Waiver. NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF USE, LOST PROFITS OR INTERRUPTION OF BUSINESS, EVEN IF INFORMED OF THEIR POSSIBILITY IN ADVANCE.
12.3. Exceptions and Enhanced Cap. SECTIONS 12.1 (GENERAL CAP) AND 12.2 (CONSEQUENTIAL DAMAGES WAIVER) WILL NOT APPLY TO ENHANCED CLAIMS OR UNCAPPED CLAIMS. FOR ALL ENHANCED CLAIMS, EACH PARTY’S ENTIRE LIABILITY WILL NOT EXCEED THE ENHANCED CAP.
12.4. Nature of Claims. The waivers and limitations in this Section 12 (Limitations of Liability) apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
12.5. Liability Definitions. The following definitions apply to this Section 12 (Limitations of Liability).
| “Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations. |
13. INDEMNIFICATION
13.1. By Abnormal. Abnormal, at its own cost, will defend Customer from and against any Abnormal-Covered Claims and will indemnify Customer from and against any damages or costs finally awarded against Customer by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Abnormal resulting from the Abnormal-Covered Claims.
13.2. Indemnification by Customer. Customer, at its own cost, will defend Abnormal from and against any Customer-Covered Claims and will indemnify Abnormal from and against any damages or costs finally awarded against Abnormal by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
13.3. Indemnification Definitions.
| “Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service). |
13.4. Procedures. The indemnifying Party’s obligations in this Section 13 (Indemnification) are subject to receiving from the indemnified Party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying Party’s obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim’s investigation, defense and settlement and (c) reasonable cooperation at the indemnifying Party’s expense. The indemnifying Party may not settle a claim without the indemnified Party’s prior approval if settlement would require the indemnified Party to admit fault or take or refrain from taking any action (except regarding use of the Service when Abnormal is the indemnifying Party). The indemnified Party may participate in a claim with its own counsel at its own expense.
13.5. Mitigation & Exceptions. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Abnormal determines necessary to avoid material liability, Abnormal may, in its sole discretion: (a) procure rights for Customer’s continued use of the Service, (b) replace or modify the allegedly infringing portion of the Service to avoid infringement, without reducing the Service’s overall functionality or (c) terminate the affected Order or the Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. Abnormal’s obligations in this Section 13 (Indemnification) do not apply to claims resulting from (a) modification or unauthorized use of the Service or (b) use of the Service in combination with items not provided by Abnormal, including Third-Party Platforms. This Section 13 (Indemnification) sets out the indemnified Party’s exclusive remedy and the indemnifying Party’s sole liability regarding third-party claims of intellectual property infringement or misappropriation.
14. INSURANCE
14.1. Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
14.2. Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
15. TRIALS AND BETAS. Abnormal may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated on the Order (or if not designated in an Order or otherwise, 30 days). Either Party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT, ABNORMAL OFFERS NO WARRANTY, INDEMNITY, SLA OR SUPPORT FOR TRIALS AND BETAS AND ITS LIABILITY FOR TRIALS AND BETAS WILL NOT EXCEED US$50,000.
16. PUBLICITY. Neither Party may publicly announce this Agreement without the other Party’s prior approval or except as required by Laws.
17. GENERAL TERMS
17.1. Assignment. Neither Party may assign this Agreement without the prior consent of the other Party, except that either Party may assign this Agreement, with notice to the other Party, to an Affiliate or in connection with the assigning Party’s merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.
17.2. Governing Law and Courts. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California.
17.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement will be in writing to the addresses on the Order or in this Agreement and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either Party may update its address with notice to the other.
(b) Abnormal may also send operational notices through the Service, including to update the Support Plan, Service Level Availability, or other policies to reflect new features or changing practices.
17.4. Entire Agreement. This Agreement, including all applicable Orders, is the Parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes, online terms, or invoicing portal used by Customer will not amend or modify this Agreement; any such documents are for administrative purposes only. In the event of any conflict or inconsistency between the Order and this Agreement, the Order will prevail.
17.5. Updates. Abnormal may modify this Agreement from time to time. If a modification materially impacts this Agreement, Abnormal will use reasonable efforts to notify Customer through the Service, the website and/or in accordance with this Section 17 (General Terms). Any changes to this Agreement posted on the website will be effective if Customer assents to such changes or upon Customer’s renewal Subscription Term, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Agreement, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew by canceling any Subscription Term set to auto-renew in accordance with Section 9.1 (Subscription Terms).
17.6. Waivers and Severability. Waivers must be signed by the waiving Party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
17.7. Force Majeure. Neither Party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Service for 30 or more consecutive days, either Party may terminate the affected Order upon notice to the other and Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer’s obligations to pay fees owed.
17.8. Service Support Providers. Abnormal may use Service support providers (e.g., third-party hosting and other service providers) in provision of the Service and Support and permit them to exercise Abnormal's rights and fulfill Abnormal's obligations, but Abnormal remains responsible for their compliance with this Agreement. This provision does not limit any additional terms for subprocessors under a DPA.
17.9. Independent Contractors. The Parties are independent contractors, not agents, partners or joint venturers.
17.10. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
17.11. Anti-Corruption and Export. Each Party will, and will cause its employees, consultants, and agents to, comply with the US Foreign Corrupt Practices Act of 1977 and the UK Bribery Act 2010. Customer agrees to comply with all applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control, or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designated countries, entities, and persons (“Sanctions Targets”); and agrees not to directly or indirectly export, re-export, or otherwise deliver the Service to a Sanctions Target, or broker, finance, or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that Customer is not a Sanctions Target or prohibited from receiving the Service. The Service will be used for non-prohibited, commercial purposes by non-prohibited Users and will not be exported or transferred to China or any Sanctions Target.
17.12. Government Rights. For purposes of this Agreement and to the extent applicable, the Service is "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined at FAR 2.101 developed at the private expense of Abnormal. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202 of the DOD FAR Supplement ("DFARS") and its successors. This Section is in lieu of and supersedes any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
17.13. Channel Partner Service Subscriptions. This Section applies to any Customer access of the Service obtained through an authorized Abnormal channel partner (“Channel Partner”).
(a) Commercial Terms. Instead of paying Abnormal directly, Customer will pay applicable amounts to the Channel Partner as agreed between Customer and the Channel Partner. Customer’s order details (e.g., scope of use, Subscription Term, and fees) will be as stated in the Order placed by Channel Partner with Abnormal on Customer’s behalf. Customer’s Order will renew with Channel Partner in accordance with Section 9.1 (Subscription Terms), unless Channel Partner notifies Abnormal that it is opting-out of auto-renewal on Customer’s behalf as described in this Agreement or in the manner specified in the agreement between Channel Partner and Abnormal. Channel Partner is responsible for the accuracy of such Order. Abnormal may suspend or terminate Customer’s rights to use the Service if it does not receive the corresponding payment from the Channel Partner. If Customer is entitled to a refund under this Agreement, Abnormal will refund any applicable fees to the Channel Partner and the Channel Partner will be solely responsible for refunding the appropriate amounts to Customer, unless otherwise specified.
(b) Relationship with Abnormal. This Agreement is directly between Abnormal and Customer and governs all use of the Service by Customer. Channel Partners are not authorized to modify this Agreement or make any promises or commitments on Abnormal’s behalf, and Abnormal is not bound by any obligations to Customer other than as set forth in this Agreement. Abnormal is not party to (or responsible under) any separate agreement between Customer and Channel Partner. The amount paid or payable by the Channel Partner to Abnormal for Customer’s use of the applicable Service under this Agreement will be deemed the amount paid or payable by Customer to Abnormal under this Agreement for purposes of Section 12 (Limitations of Liability). Abnormal is not responsible for any acts, omissions, products or services provided by Channel Partner.
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ or ‘Abnormal Legal Center’ pages of the Abnormal managed website. “Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Effective March 30, 2022 to May 19, 2022
DownloadTable of Contents
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
If you have a separate written agreement with Abnormal Security Corporation with respect to use of the Service or any related services, these Cloud Terms of Service will not apply to you.
These Cloud Terms of Service (“Agreement”) govern your ("Customer") use of the Service and allow you to receive Support. By clicking a box indicating your acceptance of this Agreement, (e.g., “I Agree,” “Accept Terms,” “I Understand and Agree”) or similar button on the Service registration page, or executing an Order, as further described below, or by otherwise accessing the Service, you represent that (1) you have read, understand, and agree to be bound by this Agreement, (2) you are of legal age to form a binding contract with Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107, (“Abnormal,” “we,” “our,” or “us”, Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties”), and (3) you have the authority to enter into this Agreement personally or on behalf of the company or other organization you represent, and to bind that entity to this Agreement. In the event you are agreeing to this Agreement on behalf of a company or organization, “Customer,” will refer to the entity you are representing. We may update this Agreement from time to time in accordance with Section 17.5 (Updates).
Capitalized terms are defined in the Section 18 (Glossary) or in context below.
1. ACCESS OF THE SERVICE
1.1. The Service. Subject to this Agreement, Customer may use the Service for its own business purposes during each Subscription Term (“Permitted Use”). This includes the right to copy and use the Documentation as part of Customer’s Permitted Use.
1.2. Users. Customer is responsible for provisioning and managing its User accounts, for its Users’ actions through the Service and for Users' compliance with this Agreement. Customer will require that Users keep their login credentials confidential and will promptly notify Abnormal upon learning of any compromise of User accounts or credentials.
1.3. Affiliates. Customer’s Affiliates may serve as Users. Customer shall be responsible for its Affiliates’ use of the Service. Alternatively, Customer’s Affiliates may enter into their own Orders as mutually agreed with Abnormal, which creates a separate agreement between each such Affiliate and Abnormal incorporating this Agreement with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights under each other’s separate agreement with Abnormal, and breach or termination of any such separate agreement affects only that agreement.
1.4. Availability. Abnormal will adhere to the Service Level Availability Policy ("SLA") set out in the Documentation.
1.5. Support. Abnormal will provide Support for the Service in accordance with the Support Policy set out in the Documentation.
2. DATA
2.1. Customer Data. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service, Support, and Technical Services to Customer, and to generate Threat Intelligence Data. Use of Customer Data includes sharing Customer Data as Customer directs through the Service, but Abnormal will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
2.2. Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards as described in the Documentation that are designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
2.3. Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with, the “Data Processing Addendum” (“DPA”) made available from the dedicated DPA page of the Abnormal website.
2.4. Service Operations Data. Abnormal may collect Service Operations Data and use it to operate, improve and support the Service and for other lawful business purposes, including benchmarking and reports. However, Abnormal will not disclose Service Operations Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
2.5. Threat Intelligence Data. Abnormal may provide Customer with Threat Intelligence Data regarding the possibility or likelihood of fraudulent, harmful or malicious activity occurring in Customer's environment. Customer understands that Abnormal provides Threat Intelligence Data for Customer’s consideration, but that Customer is ultimately responsible for any actions taken or not taken in relation to such Threat Intelligence Data, including any configuration instructions of the Service regarding the level of auto-remediation. Abnormal may incorporate any subsequent action or inaction taken by Customer into our models, for the purpose of identifying future potential fraud, loss, or other harms to customers.
2.6. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer’s use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Abnormal is not responsible for Third-Party Platforms or how Customer's providers use Customer Data.
3. USE OF THE SERVICE
3.1. Compliance. Customer will comply with the Documentation in using the Service and represents and warrants that it has secured all necessary rights, consents, and permissions to use Customer Data with the Service and grant Abnormal the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the parties, Customer is responsible for the content and accuracy of Customer Data.
3.2. Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes, including to develop a similar or competing product or service (e.g., benchmarking); (ii) conduct penetration testing on the Service, interfere with its operation or circumvent its access restrictions; (iii) market, sublicense, distribute, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available (in whole or part) to any third party, except to a third party that manages Customer’s computing environment, grant non-Users access to the Service or use the Service to provide a hosted or managed service to others; (iv) obtain or attempt to obtain the Service by any means or device with intent to avoid paying the fees that would otherwise be payable for such access or use; or (v) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of its components, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Abnormal.
4. MUTUAL COMPLIANCE WITH LAW. Each Party will comply with all laws, regulations, court orders or other binding requirements of a government authority (“Laws”) that apply to its performance under this Agreement.
5. REPRESENTATIONS AND WARRANTIES
5.1. Mutual Representations and Warranties. Each Party represents and warrants that:
(a) it has validly entered into this Agreement and has the legal power to do so, and
(b) it will use industry-standard measures to avoid introducing viruses, malicious code or similar harmful materials into the Service.
5.2. Abnormal Warranties. Abnormal warrants that:
(a) the Service will perform as materially described in the Documentation and Abnormal will not materially decrease the overall functionality of the Service during a Subscription Term (the “Performance Warranty”), and
(b) any Technical Services will be provided in a professional and workmanlike manner (the “Technical Services Warranty”).
5.3. Abnormal Warranty Remedies. Abnormal will use reasonable efforts to correct a verified breach of the Performance Warranty or Technical Services Warranty reported by Customer. If Abnormal fails to do so within 30 days after Customer’s warranty report, then either Party may terminate the affected Order as relates to the non-conforming Service or Technical Services, in which case Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Technical Services (for the Technical Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Service or 30 days after delivery of the relevant Technical Services. This Section 5.3 sets forth Customer’s exclusive remedies and Abnormal’s sole liability for breach of the Performance Warranty or Professional Services Warranty.
5.4. Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN SECTION 5.2 (ABNORMAL WARRANTIES), THE SERVICE, SUPPORT, AND TECHNICAL SERVICES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. ABNORMAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING OUR EXPRESS OBLIGATIONS IN THE SERVICE LEVEL AVAILABILITY COMMITMENT, ABNORMAL DOES NOT WARRANT THE RESULTS TO BE ACHIEVED FROM THE SERVICE OR THAT THE SERVICE IS ERROR-FREE, WILL PERFORM UNINTERRUPTED OR WILL MEET CUSTOMER’S REQUIREMENTS. THE WARRANTIES IN SECTION 5.2 (ABNORMAL WARRANTIES) DO NOT APPLY TO ISSUES ARISING FROM THIRD PARTY PLATFORMS OR MISUSE OR UNAUTHORIZED MODIFICATIONS OF THE SERVICE. THESE DISCLAIMERS APPLY TO THE FULL EXTENT PERMITTED BY LAW.
6. TECHNICAL SERVICES. Abnormal may perform Technical Services as described in an Order, which may identify additional terms or milestones for the Technical Services. Customer will give Abnormal timely access to Customer Materials reasonably needed for Abnormal’s provision of the Technical Services, and if Customer fails to do so, Abnormal’s obligation to provide Technical Services will be excused until access is provided. Abnormal will use the Customer Materials only for purposes of providing Technical Services. Abnormal may make use of service partners to provide the Technical Services. Subject to any limits in an Order, Customer will reimburse reasonable travel and lodging expenses incurred by Abnormal in providing Technical Services. Customer may use the product of any Technical Services that Abnormal furnishes as part of Technical Services only in connection with Customer’s authorized use of the Service under this Agreement.
7. FEES AND PAYMENT
7.1. Payment. Customer will pay the fees described in the applicable Order. Unless the Order states otherwise, all undisputed amounts are payable in U.S. dollars and due within 30 days from the date of an invoice (“Due Date”). All fees and expenses are non-refundable and non-cancellable except as expressly set out in the Agreement and any applicable Order. In addition to any other remedies set forth in this Agreement, if any undisputed, invoiced amount is not received by Abnormal by the Due Date, then those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than Abnormal’s income tax. Fees and expenses are exclusive of Taxes. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.
7.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Abnormal prior to the Due Date and the parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either Party may pursue any available remedies.
7.4. Records and Validation. Customer is responsible for providing complete and accurate billing and contact information to Abnormal and notifying Abnormal of any changes to such information. Abnormal may conduct verification checks on the usage of the Service during the Subscription Term. If it is determined that the usage of the Service exceeds the baseline quantity stated in an applicable Order, the Parties (Partner and Abnormal or Customer and Abnormal, as applicable) will address any over-usage in a separate Order. If Customer fails to pay for the over-usage, Abnormal may terminate access to the Service within thirty (30) days of Abnormal’s notice of non-compliance.
8. SUSPENSION. Abnormal may suspend Customer’s access to the Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Abnormal is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Abnormal will promptly restore Customer’s access to the Service in accordance with this Agreement. “Suspension Event” means (a) Customer’s account is 30 days or more overdue, (b) Customer is in breach of Section 3 (Use of the Service) or (c) Customer’s use of the Service risks material harm to the Service or others.
9. TERM AND TERMINATION
9.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the Parties agree on a different renewal Order or (b) either Party notifies the other (or Partner notifies Abnormal, if applicable) of non-renewal at least 30 days prior to the end of the then current Subscription Term. Per-unit rates for renewal of the applicable Service will be the same as in the prior Subscription Term for the same Service, unless Abnormal notifies Customer at least 45 days in advance. If Customer objects to the increase, Customer must notify Abnormal of its intention not to renew the Order within 30 days of Customer’s receipt of such notice. Failure to timely notify Abnormal shall be deemed to constitute consent to the applicable fee increase.
9.2. Term. The term of this Agreement will commence on the date you accept this Agreement ("Effective Date") and continues until expiration or termination of all Subscription Terms, unless otherwise terminated as permitted by this Agreement (the “Term”). If no Subscription Term is in effect, either Party may terminate this Agreement for any or no reason with notice to the other Party.
9.3. Termination. Either Party may terminate this Agreement, including all Subscription Terms, if the other Party (i) fails to cure a material breach of this Agreement (including a failure to pay fees) within 30 days after notice, (ii) ceases operation with a successor, or (iii) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that Party and not dismissed within 60 days. Customer shall receive a refund of any pre-paid, unused fees for the terminated portion of an applicable Subscription Term for such Customer-initiated terminations, and Customer will promptly pay Abnormal any outstanding fees and expenses due for the terminated portion of the Subscription Term for any such Abnormal-initiated termination.
9.4. Data Export & Deletion. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation. After termination or expiration of this Agreement, Abnormal will delete Customer Data and each Party will delete any Confidential Information of the other in its possession or control. Nonetheless, Abnormal may retain Customer Data and each Party may retain Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 2.2 (Security), Section 10 (Confidentiality) and any DPA.
9.5. Effect of Termination.
(a) Customer’s right to use the Service, Support and Technical Services will immediately cease upon any termination or expiration of this Agreement, subject to this Section 9 (Term and Termination).
(b) In no event will any termination or expiration relieve Customer of the obligation to pay any expenses and fees payable to Abnormal for the period prior to the effective date of termination or expiration.
(c) The following Sections will survive expiration or termination of this Agreement: Section 2.4 (Service Operations Data), 2.5 (Threat Intelligence Data), 3 (Use of the Service), 5.4 (Disclaimers), 7.1 (Payment) (for amounts then due), 7.2 (Taxes), 9.4 (Data Export & Deletion), 9.5 (Effect of Termination), 10 (Confidentiality), 11 (Proprietary Rights), 12 (Limitations of Liability), 13 (Indemnification), 17 (General Terms), and 18 (Glossary).
10. CONFIDENTIALITY
10.1. Use and Protection. As recipient, each Party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without discloser’s prior approval, except as permitted in this Agreement, and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
10.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors, Affiliates, agents, subcontractors and other representatives having a legitimate need to know (including, for Abnormal, any subprocessors referenced in the DPA or Service support providers as referenced in Section 17.8), provided recipient remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 10 (each, a “Representative”).
10.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without access to the Confidential Information.
10.4. Remedies. Breach of this Section 10 (Confidentiality) may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section 10, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
10.5. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance written notice of the required disclosure and reasonably cooperate, at the discloser’s expense, to contest or seek to limit the disclosure or obtain confidential treatment for the Confidential Information. If no protective order or other remedy is obtained, the recipient will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
11. PROPRIETARY RIGHTS
11.1. Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, Technical Services, and any feedback or suggestions Customer provides to Abnormal with respect to the Service or Technical Services. All feedback is provided “AS IS” and Abnormal will not publicly identify Customer as the source of feedback without Customer’s permission. Except for Customer’s express rights in this Agreement, as between the parties, Abnormal and its licensors retain all intellectual property rights in the Service, and product of any Technical Services and related Abnormal technology.
11.2. Customer Property. Except for Abnormal’s express rights in this Agreement, as between the parties, Customer owns and retains all right, title, and interest in and to the Customer Data and Customer Materials provided to Abnormal.
12. LIMITATIONS OF LIABILITY
12.1. General Cap. EACH PARTY’S ENTIRE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE GENERAL CAP.
12.2. Consequential Damages Waiver. NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF USE, LOST PROFITS OR INTERRUPTION OF BUSINESS, EVEN IF INFORMED OF THEIR POSSIBILITY IN ADVANCE.
12.3. Exceptions and Enhanced Cap. SECTIONS 12.1 (GENERAL CAP) AND 12.2 (CONSEQUENTIAL DAMAGES WAIVER) WILL NOT APPLY TO ENHANCED CLAIMS OR UNCAPPED CLAIMS. FOR ALL ENHANCED CLAIMS, EACH PARTY’S ENTIRE LIABILITY WILL NOT EXCEED THE ENHANCED CAP.
12.4. Nature of Claims. The waivers and limitations in this Section 12 (Limitations of Liability) apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
12.5. Liability Definitions. The following definitions apply to this Section 12 (Limitations of Liability).
| “Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations. |
13. INDEMNIFICATION
13.1. By Abnormal. Abnormal, at its own cost, will defend Customer from and against any Abnormal-Covered Claims and will indemnify Customer from and against any damages or costs finally awarded against Customer by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Abnormal resulting from the Abnormal-Covered Claims.
13.2. Indemnification by Customer. Customer, at its own cost, will defend Abnormal from and against any Customer-Covered Claims and will indemnify Abnormal from and against any damages or costs finally awarded against Abnormal by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
13.3. Indemnification Definitions.
| “Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service). |
13.4. Procedures. The indemnifying Party’s obligations in this Section 13 (Indemnification) are subject to receiving from the indemnified Party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying Party’s obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim’s investigation, defense and settlement and (c) reasonable cooperation at the indemnifying Party’s expense. The indemnifying Party may not settle a claim without the indemnified Party’s prior approval if settlement would require the indemnified Party to admit fault or take or refrain from taking any action (except regarding use of the Service when Abnormal is the indemnifying Party). The indemnified Party may participate in a claim with its own counsel at its own expense.
13.5. Mitigation & Exceptions. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Abnormal determines necessary to avoid material liability, Abnormal may, in its sole discretion: (a) procure rights for Customer’s continued use of the Service, (b) replace or modify the allegedly infringing portion of the Service to avoid infringement, without reducing the Service’s overall functionality or (c) terminate the affected Order or the Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. Abnormal’s obligations in this Section 13 (Indemnification) do not apply to claims resulting from (a) modification or unauthorized use of the Service or (b) use of the Service in combination with items not provided by Abnormal, including Third-Party Platforms. This Section 13 (Indemnification) sets out the indemnified Party’s exclusive remedy and the indemnifying Party’s sole liability regarding third-party claims of intellectual property infringement or misappropriation.
14. INSURANCE
14.1. Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
14.2. Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
15. TRIALS AND BETAS. Abnormal may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated on the Order (or if not designated in an Order or otherwise, 30 days). Either Party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT, ABNORMAL OFFERS NO WARRANTY, INDEMNITY, SLA OR SUPPORT FOR TRIALS AND BETAS AND ITS LIABILITY FOR TRIALS AND BETAS WILL NOT EXCEED US$50,000.
16. PUBLICITY. Neither Party may publicly announce this Agreement without the other Party’s prior approval or except as required by Laws.
17. GENERAL TERMS
17.1. Assignment. Neither Party may assign this Agreement without the prior consent of the other Party, except that either Party may assign this Agreement, with notice to the other Party, to an Affiliate or in connection with the assigning Party’s merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.
17.2. Governing Law and Courts. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California.
17.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement will be in writing to the addresses on the Order or in this Agreement and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either Party may update its address with notice to the other.
(b) Abnormal may also send operational notices through the Service, including to update the Support Plan, Service Level Availability, or other policies to reflect new features or changing practices.
17.4. Entire Agreement. This Agreement, including all applicable Orders, is the Parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes, online terms, or invoicing portal used by Customer will not amend or modify this Agreement; any such documents are for administrative purposes only. In the event of any conflict or inconsistency between the Order and this Agreement, the Order will prevail.
17.5. Updates. Abnormal may modify this Agreement from time to time. If a modification materially impacts this Agreement, Abnormal will use reasonable efforts to notify Customer through the Service, the website and/or in accordance with this Section 17 (General Terms). Any changes to this Agreement posted on the website will be effective if Customer assents to such changes or upon Customer’s renewal Subscription Term, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Agreement, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew by canceling any Subscription Term set to auto-renew in accordance with Section 9.1 (Subscription Terms).
17.6. Waivers and Severability. Waivers must be signed by the waiving Party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
17.7. Force Majeure. Neither Party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Service for 30 or more consecutive days, either Party may terminate the affected Order upon notice to the other and Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer’s obligations to pay fees owed.
17.8. Service Support Providers. Abnormal may use Service support providers (e.g., third-party hosting and other service providers) in provision of the Service and Support and permit them to exercise Abnormal's rights and fulfill Abnormal's obligations, but Abnormal remains responsible for their compliance with this Agreement. This provision does not limit any additional terms for subprocessors under a DPA.
17.9. Independent Contractors. The Parties are independent contractors, not agents, partners or joint venturers.
17.10. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
17.11. Anti-Corruption and Export. Each Party will, and will cause its employees, consultants, and agents to, comply with the US Foreign Corrupt Practices Act of 1977 and the UK Bribery Act 2010. Customer agrees to comply with all applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control, or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designated countries, entities, and persons (“Sanctions Targets”); and agrees not to directly or indirectly export, re-export, or otherwise deliver the Service to a Sanctions Target, or broker, finance, or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that Customer is not a Sanctions Target or prohibited from receiving the Service. The Service will be used for non-prohibited, commercial purposes by non-prohibited Users and will not be exported or transferred to China or any Sanctions Target.
17.12. Government Rights. For purposes of this Agreement and to the extent applicable, the Service is "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined at FAR 2.101 developed at the private expense of Abnormal. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202 of the DOD FAR Supplement ("DFARS") and its successors. This Section is in lieu of and supersedes any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
17.13. Channel Partner Service Subscriptions. This Section applies to any Customer access of the Service obtained through an authorized Abnormal channel partner (“Channel Partner”).
(a) Commercial Terms. Instead of paying Abnormal directly, Customer will pay applicable amounts to the Channel Partner as agreed between Customer and the Channel Partner. Customer’s order details (e.g., scope of use, Subscription Term, and fees) will be as stated in the Order placed by Channel Partner with Abnormal on Customer’s behalf. Customer’s Order will renew with Channel Partner in accordance with Section 9.1 (Subscription Terms), unless Channel Partner notifies Abnormal that it is opting-out of auto-renewal on Customer’s behalf as described in this Agreement or in the manner specified in the agreement between Channel Partner and Abnormal. Channel Partner is responsible for the accuracy of such Order. Abnormal may suspend or terminate Customer’s rights to use the Service if it does not receive the corresponding payment from the Channel Partner. If Customer is entitled to a refund under this Agreement, Abnormal will refund any applicable fees to the Channel Partner and the Channel Partner will be solely responsible for refunding the appropriate amounts to Customer, unless otherwise specified.
(b) Relationship with Abnormal. This Agreement is directly between Abnormal and Customer and governs all use of the Service by Customer. Channel Partners are not authorized to modify this Agreement or make any promises or commitments on Abnormal’s behalf, and Abnormal is not bound by any obligations to Customer other than as set forth in this Agreement. Abnormal is not party to (or responsible under) any separate agreement between Customer and Channel Partner. The amount paid or payable by the Channel Partner to Abnormal for Customer’s use of the applicable Service under this Agreement will be deemed the amount paid or payable by Customer to Abnormal under this Agreement for purposes of Section 12 (Limitations of Liability). Abnormal is not responsible for any acts, omissions, products or services provided by Channel Partner.
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated "Customer Support' page of the Abnormal website. “Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Effective March 24, 2022 to March 30, 2022
DownloadTable of Contents
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
If you have a separate written agreement with Abnormal Security Corporation with respect to use of the Service or any related services, these Cloud Terms of Service will not apply to you.
These Cloud Terms of Service (“Agreement”) govern your (“Customer,”) of the Service and by clicking a box indicating your acceptance of this Agreement, “I Agree,” “Accept Terms,” “I Understand and Agree” or similar button on the Service registration page, or executing an Order, as further described, or by otherwise accessing the Service, you represent that (1) you have read, understand, and agree to be bound by this Agreement, (2) you are of legal age to form a binding contract with Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107, (“Abnormal,” “we,” “our,” or “us”, Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties”), and (3) you have the authority to enter into this Agreement personally or on behalf of the company or other organization you represent, and to bind that entity to this Agreement. In the event you are agreeing to this Agreement on behalf of a company or organization, “Customer,” will refer to the entity you are representing. We may update this Agreement from time to time in accordance with Section 17.5 (Updates).
This Agreement allows Customer to use Abnormal’s Service and receive Support. Capitalized terms are defined in the Section 18 (Glossary) or in context below.
1. ACCESS OF THE SERVICE
1.1. The Service. Subject to this Agreement, Customer may use the Service for its own business purposes during each Subscription Term (“Permitted Use”). This includes the right to copy and use the Documentation as part of Customer’s Permitted Use.
1.2. Users. Customer is responsible for provisioning and managing its User accounts, for its Users’ actions through the Service and for their compliance with this Agreement. Customer will ensure that Users keep their login credentials confidential and will promptly notify Company upon learning of any compromise of User accounts or credentials.
1.3. Affiliates. Customer’s Affiliates may serve as Users. Customer shall be responsible for its Affiliates’ use of the Service. Alternatively, Customer’s Affiliates may enter into their own Orders as mutually agreed with Abnormal, which creates a separate agreement between each such Affiliate and Abnormal incorporating this Agreement with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights under each other’s separate agreement with Abnormal, and breach or termination of any such separate agreement affects only that agreement.
1.4. Availability. Abnormal will adhere to the Service Level Availability Policy set out in the Documentation, which sets forth Customer’s exclusive remedies for any interruptions in the availability of the Service.
1.5. Support. Abnormal will provide Support for the Service in accordance with the Support Policy set out in the Documentation.
2. DATA
2.1. Customer Data. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service, Support, and Technical Services to Customer, and to generate Threat Intelligence Data. Use of Customer Data includes sharing Customer Data as Customer directs through the Service, but Abnormal will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
2.2. Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards as described in the Documentation as Security Measures that are designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
2.3. Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with the “Data Processing Addendum” (or “DPA”) made available from the dedicated DPA page of the Company website.
2.4. Service Operations Data. Abnormal may collect Service Operations Data and use it to operate, improve and support the Service and for other lawful business purposes, including benchmarking and reports. However, Abnormal will not disclose Service Operations Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
2.5. Threat Intelligence Data. Abnormal may provide Customer with Threat Intelligence Data regarding the possibility or likelihood of fraudulent, harmful or malicious activity occurring in their environment. Customer understands that Abnormal provides Threat Intelligence Data for Customer’s consideration, but that Customer is ultimately responsible for any actions taken or not taken in relation to such Threat Intelligence Data, including any configuration instructions of the Service regarding the level of auto-remediation. Abnormal may incorporate any subsequent action or inaction taken by Customer into our models, for the purpose of identifying future potential fraud, loss, or other harms to customers.
2.6. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer’s use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Abnormal is not responsible for Third-Party Platforms or how their providers use Customer Data.
3. USE OF THE SERVICE
3.1. Compliance. Customer will comply with the Documentation in using the Service and represents and warrants that it has secured all necessary rights, consents, and permissions to use Customer Data with the Service and grant the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the parties, Customer is responsible for the content and accuracy of Customer Data.
3.2. Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes, including to develop a similar or competing product or service (e.g., benchmarking); (ii) conduct penetration testing on the Service, interfere with its operation or circumvent its access restrictions; (iii) market, sublicense, distribute, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available (in whole or part) to any third party, except to a third party that manages Customer’s computing environment, grant non-Users access to the Service or use the Service to provide a hosted or managed service to others; (iv) obtain or attempt to obtain the Service by any means or device with intent to avoid paying the fees that would otherwise be payable for such access or use; or (v) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of its components, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Abnormal.
4. MUTUAL COMPLIANCE WITH LAW. Each party will comply with all laws, regulations, court orders or other binding requirements of a government authority (“Laws”) that apply to its performance under this Agreement.
5. REPRESENTATIONS AND WARRANTIES
5.1. Mutual Representations and Warranties. Each Party represents and warrants that:
(a) it has validly entered into this Agreement and has the legal power to do so, and
(b) it will use industry-standard measures to avoid introducing viruses, malicious code or similar harmful materials into the Service.
5.2. Abnormal Warranties. Abnormal warrants that:
(a) the Service will perform as materially described in the Documentation and Abnormal will not materially decrease the overall functionality of the Service during a Subscription Term (the “Performance Warranty”), and
(b) any Technical Services will be provided in a professional and workmanlike manner (the “Technical Services Warranty”).
5.3. Abnormal Warranty Remedies. Abnormal will use reasonable efforts to correct a verified breach of the Performance Warranty or Technical Services Warranty. If Abnormal fails to do so within 30 days after Customer’s warranty claim, then either party may terminate the affected Order as relates to the non-conforming Service or Technical Services, in which case Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Technical Services (for the Technical Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Service or 30 days after delivery of the relevant Technical Services. These procedures are Customer’s exclusive remedies and Abnormal’s sole liability for breach of the Performance Warranty or Professional Services Warranty.
5.4. Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN SECTION 5.2 (ABNORMAL WARRANTIES), THE SERVICE, SUPPORT, AND TECHNICAL SERVICES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. ABNORMAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING OUR EXPRESS OBLIGATIONS IN THE SERVICE LEVEL AVAILABILITY COMMITMENT, ABNORMAL DOES NOT WARRANT THE RESULTS TO BE ACHIEVED FROM THE SERVICE OR THAT THE SERVICE IS ERROR-FREE, WILL PERFORM UNINTERRUPTED OR WILL MEET CUSTOMER’S REQUIREMENTS. THE WARRANTIES IN SECTION 5.2 (ABNORMAL WARRANTIES) DO NOT APPLY TO ISSUES ARISING FROM THIRD PARTY PLATFORMS OR MISUSE OR UNAUTHORIZED MODIFICATIONS OF THE SERVICE. THESE DISCLAIMERS APPLY TO THE FULL EXTENT PERMITTED BY LAW.
6. TECHNICAL SERVICES. Abnormal may perform Technical Services as described in an Order, which may identify additional terms or milestones for the Technical Services. Customer will give Abnormal timely access to Customer Materials reasonably needed for Technical Services, and if Customer fails to do so, Abnormal’s obligation to provide Technical Services will be excused until access is provided. Abnormal will use the Customer Materials only for purposes of providing Technical Services. Abnormal may make use of service partners to provide the Technical Services. Subject to any limits in an Order, Customer will reimburse reasonable travel and lodging expenses incurred by Abnormal in providing Technical Services. Customer may use the product of any Technical Services that Abnormal furnishes as part of Technical Services only in connection with Customer’s authorized use of the Service under this Agreement.
7. FEES AND PAYMENT
7.1. Payment. Customer will pay the fees described in the applicable Order. Unless the Order states otherwise, all amounts are payable in U.S. dollars and due within 30 days from the date of an undisputed invoice (“Due Date”). All fees and expenses are non-refundable and non-cancellable except as expressly set out in the Agreement and any applicable Order. If any undisputed, invoiced amount is not received by Abnormal by the Due Date, then those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than Abnormal’s income tax. Fees and expenses are exclusive of Taxes. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.
7.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Abnormal prior to the Due Date and the parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either Party may pursue any available remedies.
7.4. Records and Validation. Customer is responsible for providing complete and accurate billing and contact information to Abnormal and notifying Abnormal of any changes to such information. Abnormal may conduct verification checks on the usage of the Service during the Subscription Term. If it is determined that the usage of the Service exceeds the baseline quantity stated in an applicable Order, the Parties (Partner and Abnormal or Customer and Abnormal, as applicable) will address any over-usage in a separate Order. If Customer fails to address the over-usage, Abnormal may terminate access to the Service within thirty (30) days of Abnormal’s notice of non-compliance.
8. SUSPENSION. Abnormal may suspend Customer’s access to the Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Abnormal is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Abnormal will promptly restore Customer’s access to the Service in accordance with this Agreement. “Suspension Event” means (a) Customer’s account is 30 days or more overdue, (b) Customer is in breach of Section 3 (Use of the Service) or (c) Customer’s use of the Service risks material harm to the Service or others.
9. TERM AND TERMINATION
9.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the Parties agree on a different renewal Order or (b) either Party notifies the other (or Partner notifies Abnormal, if applicable) of non-renewal at least 30 days prior to the end of the current Subscription Term. Per-unit rates for renewal of the applicable Service will be the same as in the prior Subscription Term for the same Service, unless Abnormal notifies Customer at least 45 days in advance. If Customer objects to the increase, Customer must notify Abnormal of its intention not to renew the Order within 30 days of Customer’s receipt of such notice. Failure to timely notify Abnormal shall be deemed to constitute consent to the applicable fee increase.
9.2. Term. The term of this Agreement will commence on the Effective Date and continues until expiration or termination of all Subscription Terms, unless otherwise terminated as permitted by this Agreement (the “Term”). If no Subscription Term is in effect, either party may terminate this Agreement for any or no reason with notice to the other party.
9.3. Termination. Either Party may terminate this Agreement, including all Subscription Terms, if the other Party (i) fails to cure a material breach of this Agreement (including a failure to pay fees) within 30 days after notice, (ii) ceases operation with a successor, or (iii) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that party and not dismissed within 60 days. Customer shall receive a refund of any pre-paid, unused fees for the terminated portion of an applicable Subscription Term for such Customer-initiated terminations, and Customer will promptly pay Abnormal any outstanding fees and expenses due for the terminated portion of the Subscription Term for any such Abnormal-initiated termination.
9.4. Data Export & Deletion. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation. After termination or expiration of this Agreement, Abnormal will delete Customer Data and each Party will delete any Confidential Information of the other in its possession or control. Nonetheless, Abnormal may retain Customer Data and the recipient may retain Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 2.2 (Security), Section 10 (Confidentiality) and any DPA.
9.5. Effect of Termination.
(a) Customer’s right to use the Service, Support and Technical Services will cease upon any termination or expiration of this Agreement, subject to this Section 9 (Term and Termination).
(b) In no event will any termination relieve Customer of the obligation to pay any expenses and fees payable to Abnormal for the period prior to the effective date of termination.
(c) The following Sections will survive expiration or termination of this Agreement: Section 2.4 (Service Operations Data), 2.5 (Threat Intelligence Data), 3 (Use of the Service), 5.4 (Disclaimers), 7.1 (Payment) (for amounts then due), 7.2 (Taxes), 9.4 (Data Export & Deletion), 9.5 (Effect of Termination), 10 (Confidentiality), 11 (Proprietary Rights), 12 (Limitations of Liability), 13 (Indemnification), 17 (General Terms), and 18 (Glossary).
10. CONFIDENTIALITY
10.1. Use and Protection. As recipient, each party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without discloser’s prior approval, except as permitted in this Agreement, and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
10.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors, Affiliates, agents, subcontractors and other representatives having a legitimate need to know (including, for Abnormal, any subprocessors referenced in the DPA or Service support providers as referenced in Section 17.9), provided it remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 10 (each, a “Representative”).
10.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without access to the Confidential Information.
10.4. Remedies. Breach of this Section 10 (Confidentiality) may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
10.5. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance written notice of the required disclosure and reasonably cooperate, at the discloser’s expense, to contest or seek to limit the disclosure or obtain confidential treatment for the Confidential Information. If no protective order or other remedy is obtained, the recipient will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
11. PROPRIETARY RIGHTS
11.1. Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, Technical Services, and any feedback or suggestions Customer provides to Abnormal with respect to the Service or Technical Services. All feedback is provided “AS IS” and Abnormal will not publicly identify Customer as the source of feedback without Customer’s permission. Except for Customer’s express rights in this Agreement, as between the parties, Abnormal and its licensors retain all intellectual property rights in the Service, and product of any Technical Services and related Abnormal technology.
11.2. Customer Property. Except for Abnormal’s express rights in this Agreement, as between the parties, Customer owns and retains all right, title, and interest in and to the Customer Data and Customer Materials provided to Abnormal.
12. LIMITATIONS OF LIABILITY
12.1. General Cap. EACH PARTY’S ENTIRE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE GENERAL CAP.
12.2. Consequential Damages Waiver. NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF USE, LOST PROFITS OR INTERRUPTION OF BUSINESS, EVEN IF INFORMED OF THEIR POSSIBILITY IN ADVANCE.
12.3. Exceptions and Enhanced Cap. SECTIONS 12.1 (GENERAL CAP) AND 12.2 (CONSEQUENTIAL DAMAGES WAIVER) WILL NOT APPLY TO ENHANCED CLAIMS OR UNCAPPED CLAIMS. FOR ALL ENHANCED CLAIMS, EACH PARTY’S ENTIRE LIABILITY WILL NOT EXCEED THE ENHANCED CAP.
12.4. Nature of Claims. The waivers and limitations in this Section 12 (Limitations of Liability) apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
12.5. Liability Definitions. The following definitions apply to this Section 12 (Limitations of Liability).
| “Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations. |
13. INDEMNIFICATION
13.1. By Abnormal. Abnormal, at its own cost, will defend Customer from and against any Abnormal-Covered Claims and will indemnify and hold harmless Customer from and against any damages or costs finally awarded against Customer by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Abnormal resulting from the Abnormal-Covered Claims.
13.2. Indemnification by Customer. Customer, at its own cost, will defend Abnormal from and against any Customer-Covered Claims and will indemnify and hold harmless Abnormal from and against any damages or costs finally awarded against Abnormal by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
13.3. Indemnification Definitions.
| “Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service). |
13.4. Procedures. The indemnifying party’s obligations in this Section 13 (Indemnification) are subject to receiving from the indemnified party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying party’s obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim’s investigation, defense and settlement and (c) reasonable cooperation at the indemnifying party’s expense. The indemnifying party may not settle a claim without the indemnified party’s prior approval if settlement would require the indemnified party to admit fault or take or refrain from taking any action (except regarding use of the Service when Abnormal is the indemnifying party). The indemnified party may participate in a claim with its own counsel at its own expense.
13.5. Mitigation & Exceptions. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Abnormal determines necessary to avoid material liability, Abnormal may: (a) procure rights for Customer’s continued use of the Service, (b) replace or modify the allegedly infringing portion of the Service to avoid infringement, without reducing the Service’s overall functionality or (c) terminate the affected Order or the Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. Abnormal’s obligations in this Section 13 (Indemnification) do not apply to claims resulting from (a) modification or unauthorized use of the Service or (b) use of the Service in combination with items not provided by Abnormal, including Third-Party Platforms. This Section 13 (Indemnification) sets out the indemnified party’s exclusive remedy and the indemnifying party’s sole liability regarding third-party claims of intellectual property infringement or misappropriation.
14. INSURANCE
14.1. Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
14.2. Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
15. TRIALS AND BETAS. Abnormal may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated by Customer on the Order (or if not designated in an Order or otherwise, 30 days). Either Party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT, COMPANY OFFERS NO WARRANTY, INDEMNITY, SLA OR SUPPORT FOR TRIALS AND BETAS AND ITS LIABILITY FOR TRIALS AND BETAS WILL NOT EXCEED US$50,000.
16. PUBLICITY. Neither party may publicly announce this Agreement without the other party’s prior approval or except as required by Laws.
17. GENERAL TERMS
17.1. Assignment. Neither Party may assign this Agreement without the prior consent of the other party, except that either party may assign this Agreement, with notice to the other party, in connection with the assigning Party’s merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.
17.2. Governing Law and Courts. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California.
17.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement will be in writing to the email addresses on the Order or in this Agreement and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either Party may update its address with notice to the other.
(b) Abnormal may also send operational notices through the Service, including to update the Support Plan, Service Level Availability, or Security Measures to reflect new features or changing practices.
17.4. Entire Agreement. This Agreement, including all applicable Orders, is the Parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes, online terms, or invoicing portal used by Customer will not amend or modify this Agreement; any such documents are for administrative purposes only. This Agreement may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement. In the event of any conflict or inconsistency between the Order and this Agreement, the Order will prevail.
17.5. Updates. Abnormal may modify this Agreement from time to time. If a modification materially impacts this Agreement, Abnormal will use reasonable efforts to notify Customer through the Service, the website and/or in accordance with this Section 17 (General Terms). Any changes to this Agreement posted on the website will be effective if Customer assents to such changes or upon Customer’s renewal Subscription Term, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Agreement, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew by canceling any Subscription Term set to auto-renew in accordance with Section 9.1 (Subscription Terms).
17.6. Waivers and Severability. Waivers must be signed by the waiving party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
17.7. Force Majeure. Neither Party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Service for 30 or more consecutive days, either party may terminate the affected Order upon notice to the other and Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer’s obligations to pay fees owed.
17.8. Service Support Providers. Abnormal may use Service support providers (e.g., third-party hosting and other service providers) in supply of the Service and Support and permit them to exercise its rights and fulfill its obligations, but Abnormal remains responsible for their compliance with this Agreement and for its overall performance under this Agreement. This does not limit any additional terms for subprocessors under a DPA.
17.9. Independent Contractors. The Parties are independent contractors, not agents, partners or joint venturers.
17.10. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
17.11. Anti-Corruption and Export. Each Party will, and will cause its employees, consultants, and agents to, comply with the US Foreign Corrupt Practices Act of 1977 and the UK Bribery Act 2010. Customer agrees to comply with all applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control, or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designated countries, entities, and persons (“Sanctions Targets”); and agrees not to directly or indirectly export, re-export, or otherwise deliver the Service to a Sanctions Target, or broker, finance, or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that Customer is not a Sanctions Target or prohibited from receiving the Service. The Service will be used for non-prohibited, commercial purposes by non-prohibited Users and will not be exported or transferred to China or any Sanctions Target.
17.12. Government Rights. For purposes of this Agreement and to the extent applicable, the Service is "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined at FAR 2.101 developed at the private expense of Abnormal. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202 of the DOD FAR Supplement ("DFARS") and its successors. This Section is in lieu of and supersedes any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
17.13. Channel Partner Service Subscriptions. This Section applies to any Customer access of the Service obtained through an authorized Abnormal channel partner (“Channel Partner”).
(a) Commercial Terms. Instead of paying Abnormal, Customer will pay applicable amounts to the Channel Partner as agreed between Customer and the Channel Partner. Customer’s order details (e.g., scope of use and fees) will be as stated in the Order placed by Channel Partner with Abnormal on Customer’s behalf. Customer’s Order will renew with Channel Partner in accordance with Section 9.4 (Subscription Term), unless Channel Partner notifies Abnormal that it is opting-out of auto-renewal on Customer’s behalf as described in this Agreement or in the manner specified in the agreement between Channel Partner and Abnormal. Channel Partner is responsible for the accuracy of such Order. Abnormal may suspend or terminate Customer’s rights to use the Service if it does not receive the corresponding payment from the Channel Partner. If Customer is entitled to a refund under this Agreement, Abnormal will refund any applicable fees to the Channel Partner and the Channel Partner will be solely responsible for refunding the appropriate amounts to Customer, unless otherwise specified.
(b) Relationship with Abnormal. This Agreement is directly between Abnormal and Customer and governs all use of the Service by Customer. Channel Partners are not authorized to modify this Agreement or make any promises or commitments on Abnormal’s behalf, and Abnormal is not bound by any obligations to Customer other than as set forth in this Agreement. Abnormal is not party to (or responsible under) any separate agreement between Customer and Channel Partner. The amount paid or payable by the Channel Partner to Abnormal for Customer’s use of the applicable Service under this Agreement will be deemed the amount paid or payable by Customer to Abnormal under this Agreement for purposes of Section 12 (Limitations of Liability). Abnormal is not responsible for any acts, omissions, products or services provided by Channel Partner.
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes technical, the Service, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means the Abnormal’s standard technical guides and documentation for the Service that is made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website. “Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Effective March 23, 2022 to March 24, 2022
DownloadTable of Contents
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
If you have a separate written agreement with Abnormal Security Corporation with respect to use of the Service or any related services, these Cloud Terms of Service will not apply to you.
These Cloud Terms of Service (“Agreement”) govern your (“Customer,”) of the Service and by clicking a box indicating your acceptance of this Agreement, “I Agree,” “Accept Terms,” “I Understand and Agree” or similar button on the Service registration page, or executing an Order, as further described, or by otherwise accessing the Service, you represent that (1) you have read, understand, and agree to be bound by this Agreement, (2) you are of legal age to form a binding contract with Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107, (“Abnormal,” “we,” “our,” or “us”, Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties”), and (3) you have the authority to enter into this Agreement personally or on behalf of the company or other organization you represent, and to bind that entity to this Agreement. In the event you are agreeing to this Agreement on behalf of a company or organization, “Customer,” will refer to the entity you are representing. We may update this Agreement from time to time in accordance with Section 17.5 (Updates).
This Agreement allows Customer to use Abnormal’s Service and receive Support. Capitalized terms are defined in the Section 18 (Glossary) or in context below.
1. ACCESS OF THE SERVICE
1.1. The Service. Subject to this Agreement, Customer may use the Service for its own business purposes during each Subscription Term (“Permitted Use”). This includes the right to copy and use the Documentation as part of Customer’s Permitted Use.
1.2. Users. Customer is responsible for provisioning and managing its User accounts, for its Users’ actions through the Service and for their compliance with this Agreement. Customer will ensure that Users keep their login credentials confidential and will promptly notify Company upon learning of any compromise of User accounts or credentials.
1.3. Affiliates. Customer’s Affiliates may serve as Users. Customer shall be responsible for its Affiliates’ use of the Service. Alternatively, Customer’s Affiliates may enter into their own Orders as mutually agreed with Abnormal, which creates a separate agreement between each such Affiliate and Abnormal incorporating this Agreement with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights under each other’s separate agreement with Abnormal, and breach or termination of any such separate agreement affects only that agreement.
1.4. Availability. Abnormal will adhere to the Service Level Availability Policy set out in the Documentation, which sets forth Customer’s exclusive remedies for any interruptions in the availability of the Service.
1.5. Support. Abnormal will provide Support for the Service in accordance with the Support Policy set out in the Documentation.
2. DATA
2.1. Customer Data. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service, Support, and Technical Services to Customer, and to generate Threat Intelligence Data. Use of Customer Data includes sharing Customer Data as Customer directs through the Service, but Abnormal will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
2.2. Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards as described in the Documentation as Security Measures that are designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
2.3. Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with the “Data Processing Addendum” (or “DPA”) made available from the dedicated DPA page of the Company website.
2.4. Service Operations Data. Abnormal may collect Service Operations Data and use it to operate, improve and support the Service and for other lawful business purposes, including benchmarking and reports. However, Abnormal will not disclose Service Operations Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
2.5. Threat Intelligence Data. Abnormal may provide Customer with Threat Intelligence Data regarding the possibility or likelihood of fraudulent, harmful or malicious activity occurring in their environment. Customer understands that Abnormal provides Threat Intelligence Data for Customer’s consideration, but that Customer is ultimately responsible for any actions taken or not taken in relation to such Threat Intelligence Data, including any configuration instructions of the Service regarding the level of auto-remediation. Abnormal may incorporate any subsequent action or inaction taken by Customer into our models, for the purpose of identifying future potential fraud, loss, or other harms to customers.
2.6. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer’s use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Abnormal is not responsible for Third-Party Platforms or how their providers use Customer Data.
3. USE OF THE SERVICE
3.1. Compliance. Customer will comply with the Documentation in using the Service and represents and warrants that it has secured all necessary rights, consents, and permissions to use Customer Data with the Service and grant the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the parties, Customer is responsible for the content and accuracy of Customer Data.
3.2. Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes, including to develop a similar or competing product or service (e.g., benchmarking); (ii) conduct penetration testing on the Service, interfere with its operation or circumvent its access restrictions; (iii) market, sublicense, distribute, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available (in whole or part) to any third party, except to a third party that manages Customer’s computing environment, grant non-Users access to the Service or use the Service to provide a hosted or managed service to others; (iv) obtain or attempt to obtain the Service by any means or device with intent to avoid paying the fees that would otherwise be payable for such access or use; or (v) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of its components, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Abnormal.
4. MUTUAL COMPLIANCE WITH LAW. Each party will comply with all laws, regulations, court orders or other binding requirements of a government authority (“Laws”) that apply to its performance under this Agreement.
5. REPRESENTATIONS AND WARRANTIES
5.1. Mutual Representations and Warranties. Each Party represents and warrants that:
(a) it has validly entered into this Agreement and has the legal power to do so, and
(b) it will use industry-standard measures to avoid introducing viruses, malicious code or similar harmful materials into the Service.
5.2. Abnormal Warranties. Abnormal warrants that:
(a) the Service will perform as materially described in the Documentation and Abnormal will not materially decrease the overall functionality of the Service during a Subscription Term (the “Performance Warranty”), and
(b) any Technical Services will be provided in a professional and workmanlike manner (the “Technical Services Warranty”).
5.3. Abnormal Warranty Remedies. Abnormal will use reasonable efforts to correct a verified breach of the Performance Warranty or Technical Services Warranty. If Abnormal fails to do so within 30 days after Customer’s warranty claim, then either party may terminate the affected Order as relates to the non-conforming Service or Technical Services, in which case Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Technical Services (for the Technical Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Service or 30 days after delivery of the relevant Technical Services. These procedures are Customer’s exclusive remedies and Abnormal’s sole liability for breach of the Performance Warranty or Professional Services Warranty.
5.4. Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN SECTION 5.2 (ABNORMAL WARRANTIES), THE SERVICE, SUPPORT, AND TECHNICAL SERVICES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. ABNORMAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING OUR EXPRESS OBLIGATIONS IN THE SERVICE LEVEL AVAILABILITY COMMITMENT, ABNORMAL DOES NOT WARRANT THE RESULTS TO BE ACHIEVED FROM THE SERVICE OR THAT THE SERVICE IS ERROR-FREE, WILL PERFORM UNINTERRUPTED OR WILL MEET CUSTOMER’S REQUIREMENTS. THE WARRANTIES IN SECTION 5.2 (ABNORMAL WARRANTIES) DO NOT APPLY TO ISSUES ARISING FROM THIRD PARTY PLATFORMS OR MISUSE OR UNAUTHORIZED MODIFICATIONS OF THE SERVICE. THESE DISCLAIMERS APPLY TO THE FULL EXTENT PERMITTED BY LAW.
6. TECHNICAL SERVICES. Abnormal may perform Technical Services as described in an Order, which may identify additional terms or milestones for the Technical Services. Customer will give Abnormal timely access to Customer Materials reasonably needed for Technical Services, and if Customer fails to do so, Abnormal’s obligation to provide Technical Services will be excused until access is provided. Abnormal will use the Customer Materials only for purposes of providing Technical Services. Abnormal may make use of service partners to provide the Technical Services. Subject to any limits in an Order, Customer will reimburse reasonable travel and lodging expenses incurred by Abnormal in providing Technical Services. Customer may use the product of any Technical Services that Abnormal furnishes as part of Technical Services only in connection with Customer’s authorized use of the Service under this Agreement.
7. FEES AND PAYMENT
7.1. Payment. Customer will pay the fees described in the applicable Order. Unless the Order states otherwise, all amounts are payable in U.S. dollars and due within 30 days from the date of an undisputed invoice (“Due Date”). All fees and expenses are non-refundable and non-cancellable except as expressly set out in the Agreement and any applicable Order. If any undisputed, invoiced amount is not received by Abnormal by the Due Date, then those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than Abnormal’s income tax. Fees and expenses are exclusive of Taxes. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.
7.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Abnormal prior to the Due Date and the parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either Party may pursue any available remedies.
7.4. Records and Validation. Customer is responsible for providing complete and accurate billing and contact information to Abnormal and notifying Abnormal of any changes to such information. Abnormal may conduct verification checks on the usage of the Service during the Subscription Term. If it is determined that the usage of the Service exceeds the baseline quantity stated in an applicable Order, the Parties (Partner and Abnormal or Customer and Abnormal, as applicable) will address any over-usage in a separate Order. If Customer fails to address the over-usage, Abnormal may terminate access to the Service within thirty (30) days of Abnormal’s notice of non-compliance.
8. SUSPENSION. Abnormal may suspend Customer’s access to the Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Abnormal is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Abnormal will promptly restore Customer’s access to the Service in accordance with this Agreement. “Suspension Event” means (a) Customer’s account is 30 days or more overdue, (b) Customer is in breach of Section 3 (Use of the Service) or (c) Customer’s use of the Service risks material harm to the Service or others.
9. TERM AND TERMINATION
9.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the Parties agree on a different renewal Order or (b) either Party notifies the other (or Partner notifies Abnormal, if applicable) of non-renewal at least 30 days prior to the end of the current Subscription Term. Per-unit rates for renewal of the applicable Service will be the same as in the prior Subscription Term for the same Service, unless Abnormal notifies Customer at least 45 days in advance. If Customer objects to the increase, Customer must notify Abnormal of its intention not to renew the Order within 30 days of Customer’s receipt of such notice. Failure to timely notify Abnormal shall be deemed to constitute consent to the applicable fee increase.
9.2. Term. The term of this Agreement will commence on the Effective Date and continues until expiration or termination of all Subscription Terms, unless otherwise terminated as permitted by this Agreement (the “Term”). If no Subscription Term is in effect, either party may terminate this Agreement for any or no reason with notice to the other party.
9.3. Termination. Either Party may terminate this Agreement, including all Subscription Terms, if the other Party (i) fails to cure a material breach of this Agreement (including a failure to pay fees) within 30 days after notice, (ii) ceases operation with a successor, or (iii) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that party and not dismissed within 60 days. Customer shall receive a refund of any pre-paid, unused fees for the terminated portion of an applicable Subscription Term for such Customer-initiated terminations, and Customer will promptly pay Abnormal any outstanding fees and expenses due for the terminated portion of the Subscription Term for any such Abnormal-initiated termination.
9.4. Data Export & Deletion. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation. After termination or expiration of this Agreement, Abnormal will delete Customer Data and each Party will delete any Confidential Information of the other in its possession or control. Nonetheless, Abnormal may retain Customer Data and the recipient may retain Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 2.2 (Security), Section 10 (Confidentiality) and any DPA.
9.5. Effect of Termination.
(a) Customer’s right to use the Service, Support and Technical Services will cease upon any termination or expiration of this Agreement, subject to this Section 9 (Term and Termination).
(b) In no event will any termination relieve Customer of the obligation to pay any expenses and fees payable to Abnormal for the period prior to the effective date of termination.
(c) The following Sections will survive expiration or termination of this Agreement: Section 2.4 (Service Operations Data), 2.5 (Threat Intelligence Data), 3 (Use of the Service), 5.4 (Disclaimers), 7.1 (Payment) (for amounts then due), 7.2 (Taxes), 9.4 (Data Export & Deletion), 9.5 (Effect of Termination), 10 (Confidentiality), 11 (Proprietary Rights), 12 (Limitations of Liability), 13 (Indemnification), 17 (General Terms), and 18 (Glossary).
10. CONFIDENTIALITY
10.1. Use and Protection. As recipient, each party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without discloser’s prior approval, except as permitted in this Agreement, and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
10.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors, Affiliates, agents, subcontractors and other representatives having a legitimate need to know (including, for Abnormal, any subprocessors referenced in the DPA or Service support providers as referenced in Section 17.9), provided it remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 10 (each, a “Representative”).
10.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without access to the Confidential Information.
10.4. Remedies. Breach of this Section 10 (Confidentiality) may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
10.5. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance written notice of the required disclosure and reasonably cooperate, at the discloser’s expense, to contest or seek to limit the disclosure or obtain confidential treatment for the Confidential Information. If no protective order or other remedy is obtained, the recipient will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
11. PROPRIETARY RIGHTS
11.1. Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, Technical Services, and any feedback or suggestions Customer provides to Abnormal with respect to the Service or Technical Services. All feedback is provided “AS IS” and Abnormal will not publicly identify Customer as the source of feedback without Customer’s permission. Except for Customer’s express rights in this Agreement, as between the parties, Abnormal and its licensors retain all intellectual property rights in the Service, and product of any Technical Services and related Abnormal technology.
11.2. Customer Property. Except for Abnormal’s express rights in this Agreement, as between the parties, Customer owns and retains all right, title, and interest in and to the Customer Data and Customer Materials provided to Abnormal.
12. LIMITATIONS OF LIABILITY
12.1. General Cap. EACH PARTY’S ENTIRE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE GENERAL CAP.
12.2. Consequential Damages Waiver. NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF USE, LOST PROFITS OR INTERRUPTION OF BUSINESS, EVEN IF INFORMED OF THEIR POSSIBILITY IN ADVANCE.
12.3. Exceptions and Enhanced Cap. SECTIONS 12.1 (GENERAL CAP) AND 12.2 (CONSEQUENTIAL DAMAGES WAIVER) WILL NOT APPLY TO ENHANCED CLAIMS OR UNCAPPED CLAIMS. FOR ALL ENHANCED CLAIMS, EACH PARTY’S ENTIRE LIABILITY WILL NOT EXCEED THE ENHANCED CAP.
12.4. Nature of Claims. The waivers and limitations in this Section 12 (Limitations of Liability) apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
12.5. Liability Definitions. The following definitions apply to this Section 12 (Limitations of Liability).
| “Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations. |
13. INDEMNIFICATION
13.1. By Abnormal. Abnormal, at its own cost, will defend Customer from and against any Abnormal-Covered Claims and will indemnify and hold harmless Customer from and against any damages or costs finally awarded against Customer by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Abnormal resulting from the Abnormal-Covered Claims.
13.2. Indemnification by Customer. Customer, at its own cost, will defend Abnormal from and against any Customer-Covered Claims and will indemnify and hold harmless Abnormal from and against any damages or costs finally awarded against Abnormal by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
13.3. Indemnification Definitions.
| “Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service). |
13.4. Procedures. The indemnifying party’s obligations in this Section 13 (Indemnification) are subject to receiving from the indemnified party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying party’s obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim’s investigation, defense and settlement and (c) reasonable cooperation at the indemnifying party’s expense. The indemnifying party may not settle a claim without the indemnified party’s prior approval if settlement would require the indemnified party to admit fault or take or refrain from taking any action (except regarding use of the Service when Abnormal is the indemnifying party). The indemnified party may participate in a claim with its own counsel at its own expense.
13.5. Mitigation & Exceptions. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Abnormal determines necessary to avoid material liability, Abnormal may: (a) procure rights for Customer’s continued use of the Service, (b) replace or modify the allegedly infringing portion of the Service to avoid infringement, without reducing the Service’s overall functionality or (c) terminate the affected Order or the Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. Abnormal’s obligations in this Section 13 (Indemnification) do not apply to claims resulting from (a) modification or unauthorized use of the Service or (b) use of the Service in combination with items not provided by Abnormal, including Third-Party Platforms. This Section 13 (Indemnification) sets out the indemnified party’s exclusive remedy and the indemnifying party’s sole liability regarding third-party claims of intellectual property infringement or misappropriation.
14. INSURANCE
14.1. Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
14.2. Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
15. TRIALS AND BETAS. Abnormal may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated by Customer on the Order (or if not designated in an Order or otherwise, 30 days). Either Party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT, COMPANY OFFERS NO WARRANTY, INDEMNITY, SLA OR SUPPORT FOR TRIALS AND BETAS AND ITS LIABILITY FOR TRIALS AND BETAS WILL NOT EXCEED US$50,000.
16. PUBLICITY. Neither party may publicly announce this Agreement without the other party’s prior approval or except as required by Laws.
17. GENERAL TERMS
17.1. Assignment. Neither Party may assign this Agreement without the prior consent of the other party, except that either party may assign this Agreement, with notice to the other party, in connection with the assigning Party’s merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.
17.2. Governing Law and Courts. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California.
17.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement will be in writing to the email addresses on the Order or in this Agreement and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either Party may update its address with notice to the other.
(b) Abnormal may also send operational notices through the Service, including to update the Support Plan, Service Level Availability, or Security Measures to reflect new features or changing practices.
17.4. Entire Agreement. This Agreement, including all applicable Orders, is the Parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes, online terms, or invoicing portal used by Customer will not amend or modify this Agreement; any such documents are for administrative purposes only. This Agreement may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement. In the event of any conflict or inconsistency between the Order and this Agreement, the Order will prevail.
17.5. Updates. Abnormal may modify this Agreement from time to time. If a modification materially impacts this Agreement, Abnormal will use reasonable efforts to notify Customer through the Service, the website and/or in accordance with this Section 17 (General Terms). Any changes to this Agreement posted on the website will be effective if Customer assents to such changes or upon Customer’s renewal Subscription Term, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Agreement, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew by canceling any Subscription Term set to auto-renew in accordance with Section 9.1 (Subscription Terms).
17.6. Waivers and Severability. Waivers must be signed by the waiving party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
17.7. Force Majeure. Neither Party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Service for 30 or more consecutive days, either party may terminate the affected Order upon notice to the other and Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer’s obligations to pay fees owed.
17.8. Service Support Providers. Abnormal may use Service support providers (e.g., third-party hosting and other service providers) in supply of the Service and Support and permit them to exercise its rights and fulfill its obligations, but Abnormal remains responsible for their compliance with this Agreement and for its overall performance under this Agreement. This does not limit any additional terms for subprocessors under a DPA.
17.9. Independent Contractors. The Parties are independent contractors, not agents, partners or joint venturers.
17.10. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
17.11. Anti-Corruption and Export. Each Party will, and will cause its employees, consultants, and agents to, comply with the US Foreign Corrupt Practices Act of 1977 and the UK Bribery Act 2010. Customer agrees to comply with all applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control, or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designated countries, entities, and persons (“Sanctions Targets”); and agrees not to directly or indirectly export, re-export, or otherwise deliver the Service to a Sanctions Target, or broker, finance, or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that Customer is not a Sanctions Target or prohibited from receiving the Service. The Service will be used for non-prohibited, commercial purposes by non-prohibited Users and will not be exported or transferred to China or any Sanctions Target.
17.12. Government Rights. For purposes of this Agreement and to the extent applicable, the Service is "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined at FAR 2.101 developed at the private expense of Abnormal. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202 of the DOD FAR Supplement ("DFARS") and its successors. This Section is in lieu of and supersedes any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
17.13. Channel Partner Service Subscriptions. This Section applies to any Customer access of the Service obtained through an authorized Abnormal channel partner (“Channel Partner”).
(a) Commercial Terms. Instead of paying Abnormal, Customer will pay applicable amounts to the Channel Partner as agreed between Customer and the Channel Partner. Customer’s order details (e.g., scope of use and fees) will be as stated in the Order placed by Channel Partner with Abnormal on Customer’s behalf. Customer’s Order will renew with Channel Partner in accordance with Section 9.4 (Subscription Term), unless Channel Partner notifies Abnormal that it is opting-out of auto-renewal on Customer’s behalf as described in this Agreement or in the manner specified in the agreement between Channel Partner and Abnormal. Channel Partner is responsible for the accuracy of such Order. Abnormal may suspend or terminate Customer’s rights to use the Service if it does not receive the corresponding payment from the Channel Partner. If Customer is entitled to a refund under this Agreement, Abnormal will refund any applicable fees to the Channel Partner and the Channel Partner will be solely responsible for refunding the appropriate amounts to Customer, unless otherwise specified.
(b) Relationship with Abnormal. This Agreement is directly between Abnormal and Customer and governs all use of the Service by Customer. Channel Partners are not authorized to modify this Agreement or make any promises or commitments on Abnormal’s behalf, and Abnormal is not bound by any obligations to Customer other than as set forth in this Agreement. Abnormal is not party to (or responsible under) any separate agreement between Customer and Channel Partner. The amount paid or payable by the Channel Partner to Abnormal for Customer’s use of the applicable Service under this Agreement will be deemed the amount paid or payable by Customer to Abnormal under this Agreement for purposes of Section 12 (Limitations of Liability). Abnormal is not responsible for any acts, omissions, products or services provided by Channel Partner.
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes technical, the Service, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means the Abnormal’s standard technical guides and documentation for the Service that is made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website. “Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration or other professional services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Effective March 21, 2022 to March 23, 2022
DownloadTable of Contents
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
If you have a separate written agreement with Abnormal Security Corporation with respect to use of the Service or any related services, these Cloud Terms of Service will not apply to you.
These Cloud Terms of Service (“Agreement”) govern your (“Customer,”) of the Service and by clicking a box indicating your acceptance of this Agreement, “I Agree,” “Accept Terms,” “I Understand and Agree” or similar button on the Service registration page, or executing an Order, as further described, or by otherwise accessing the Service, you represent that (1) you have read, understand, and agree to be bound by this Agreement, (2) you are of legal age to form a binding contract with Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107, (“Abnormal,” “we,” “our,” or “us”, Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties”), and (3) you have the authority to enter into this Agreement personally or on behalf of the company or other organization you represent, and to bind that entity to this Agreement. In the event you are agreeing to this Agreement on behalf of a company or organization, “Customer,” will refer to the entity you are representing. We may update this Agreement from time to time in accordance with Section 17.5 (Updates).
This Agreement allows Customer to use Abnormal’s Service and receive Support. Capitalized terms are defined in the Section 18 (Glossary) or in context below.
1. ACCESS OF THE SERVICE
1.1. The Service. Subject to this Agreement, Customer may use the Service for its own business purposes during each Subscription Term (“Permitted Use”). This includes the right to copy and use the Documentation as part of Customer’s Permitted Use.
1.2. Users. Customer is responsible for provisioning and managing its User accounts, for its Users’ actions through the Service and for their compliance with this Agreement. Customer will ensure that Users keep their login credentials confidential and will promptly notify Company upon learning of any compromise of User accounts or credentials.
1.3. Affiliates. Customer’s Affiliates may serve as Users. Customer shall be responsible for its Affiliates’ use of the Service. Alternatively, Customer’s Affiliates may enter into their own Orders as mutually agreed with Abnormal, which creates a separate agreement between each such Affiliate and Abnormal incorporating this Agreement with the Affiliate treated as “Customer”. Neither Customer nor any Customer Affiliate has any rights under each other’s separate agreement with Abnormal, and breach or termination of any such separate agreement affects only that agreement.
1.4. Availability. Abnormal will adhere to the Service Level Availability Policy set out in the Documentation, which sets forth Customer’s exclusive remedies for any interruptions in the availability of the Service.
1.5. Support. Abnormal will provide Support for the Service in accordance with the Support Policy set out in the Documentation.
2. DATA
2.1. Customer Data. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service, Support, and Technical Services to Customer, and to generate Threat Intelligence Data. Use of Customer Data includes sharing Customer Data as Customer directs through the Service, but Abnormal will not otherwise disclose Customer Data to third parties except as permitted in this Agreement.
2.2. Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards as described in the Documentation as Security Measures that are designed to prevent unauthorized access, use, alteration or disclosure of Customer Data.
2.3. Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with the “Data Processing Addendum” (or “DPA”) made available from the dedicated DPA page of the Company website.
2.4. Service Operations Data. Abnormal may collect Service Operations Data and use it to operate, improve and support the Service and for other lawful business purposes, including benchmarking and reports. However, Abnormal will not disclose Service Operations Data externally unless it is (a) de-identified so that it does not identify Customer, its Users or any other person and (b) aggregated with data across other customers.
2.5. Threat Intelligence Data. Abnormal may provide Customer with Threat Intelligence Data regarding the possibility or likelihood of fraudulent, harmful or malicious activity occurring in their environment. Customer understands that Abnormal provides Threat Intelligence Data for Customer’s consideration, but that Customer is ultimately responsible for any actions taken or not taken in relation to such Threat Intelligence Data, including any configuration instructions of the Service regarding the level of auto-remediation. Abnormal may incorporate any subsequent action or inaction taken by Customer into our models, for the purpose of identifying future potential fraud, loss, or other harms to customers.
2.6. Third-Party Platforms. Customer may choose to enable integrations or exchange Customer Data with Third-Party Platforms. Customer’s use of a Third-Party Platform is governed by its agreement with the relevant provider, not this Agreement, and Abnormal is not responsible for Third-Party Platforms or how their providers use Customer Data.
3. USE OF THE SERVICE
3.1. Compliance. Customer will comply with the Documentation in using the Service and represents and warrants that it has secured all necessary rights, consents, and permissions to use Customer Data with the Service and grant the rights to Customer Data specified in this Agreement, without violating third-party intellectual property, privacy or other rights. Between the parties, Customer is responsible for the content and accuracy of Customer Data.
3.2. Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes, including to develop a similar or competing product or service (e.g., benchmarking); (ii) conduct penetration testing on the Service, interfere with its operation or circumvent its access restrictions; (iii) market, sublicense, distribute, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available (in whole or part) to any third party, except to a third party that manages Customer’s computing environment, grant non-Users access to the Service or use the Service to provide a hosted or managed service to others; (iv) obtain or attempt to obtain the Service by any means or device with intent to avoid paying the fees that would otherwise be payable for such access or use; or (v) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of its components, except to the extent these restrictions are prohibited by Laws and then only upon advance notice to Abnormal.
4. MUTUAL COMPLIANCE WITH LAW. Each party will comply with all laws, regulations, court orders or other binding requirements of a government authority (“Laws”) that apply to its performance under this Agreement.
5. REPRESENTATIONS AND WARRANTIES
5.1. Mutual Representations and Warranties. Each Party represents and warrants that:
(a) it has validly entered into this Agreement and has the legal power to do so, and
(b) it will use industry-standard measures to avoid introducing viruses, malicious code or similar harmful materials into the Service.
5.2. Abnormal Warranties. Abnormal warrants that:
(a) the Service will perform as materially described in the Documentation and Abnormal will not materially decrease the overall functionality of the Service during a Subscription Term (the “Performance Warranty”), and
(b) any Technical Services will be provided in a professional and workmanlike manner (the “Technical Services Warranty”).
5.3. Abnormal Warranty Remedies. Abnormal will use reasonable efforts to correct a verified breach of the Performance Warranty or Technical Services Warranty. If Abnormal fails to do so within 30 days after Customer’s warranty claim, then either party may terminate the affected Order as relates to the non-conforming Service or Technical Services, in which case Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term (for the Performance Warranty) or for the non-conforming Technical Services (for the Technical Services Warranty). To receive these remedies, Customer must report a breach of warranty in reasonable detail within 30 days after discovering the issue in the Service or 30 days after delivery of the relevant Technical Services. These procedures are Customer’s exclusive remedies and Abnormal’s sole liability for breach of the Performance Warranty or Professional Services Warranty.
5.4. Disclaimer. WITH THE EXCEPTION OF THE LIMITED WARRANTIES SET FORTH IN SECTION 5.2 (ABNORMAL WARRANTIES), THE SERVICE, SUPPORT, AND TECHNICAL SERVICES ARE PROVIDED “AS IS” TO THE FULLEST EXTENT PERMITTED BY LAW. ABNORMAL AND ITS LICENSORS EXPRESSLY DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF PERFORMANCE, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSES, TITLE AND NON-INFRINGEMENT. WITHOUT LIMITING OUR EXPRESS OBLIGATIONS IN THE SERVICE LEVEL AVAILABILITY COMMITMENT, ABNORMAL DOES NOT WARRANT THE RESULTS TO BE ACHIEVED FROM THE SERVICE OR THAT THE SERVICE IS ERROR-FREE, WILL PERFORM UNINTERRUPTED OR WILL MEET CUSTOMER’S REQUIREMENTS. THE WARRANTIES IN SECTION 5.2 (ABNORMAL WARRANTIES) DO NOT APPLY TO ISSUES ARISING FROM THIRD PARTY PLATFORMS OR MISUSE OR UNAUTHORIZED MODIFICATIONS OF THE SERVICE. THESE DISCLAIMERS APPLY TO THE FULL EXTENT PERMITTED BY LAW.
6. TECHNICAL SERVICES. Abnormal may perform Technical Services as described in an Order, which may identify additional terms or milestones for the Technical Services. Customer will give Abnormal timely access to Customer Materials reasonably needed for Technical Services, and if Customer fails to do so, Abnormal’s obligation to provide Technical Services will be excused until access is provided. Abnormal will use the Customer Materials only for purposes of providing Technical Services. Abnormal may make use of service partners to provide the Technical Services. Subject to any limits in an Order, Customer will reimburse reasonable travel and lodging expenses incurred by Abnormal in providing Technical Services. Customer may use the product of any Technical Services that Abnormal furnishes as part of Technical Services only in connection with Customer’s authorized use of the Service under this Agreement.
7. FEES AND PAYMENT
7.1. Payment. Customer will pay the fees described in the applicable Order. Unless the Order states otherwise, all amounts are payable in U.S. dollars and due within 30 days from the date of an undisputed invoice (“Due Date”). All fees and expenses are non-refundable and non-cancellable except as expressly set out in the Agreement and any applicable Order. If any undisputed, invoiced amount is not received by Abnormal by the Due Date, then those charges may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower.
7.2. Taxes. Customer is responsible for any sales, use, GST, value-added, withholding or similar taxes or levies that apply to its Orders, whether domestic or foreign (“Taxes”), other than Abnormal’s income tax. Fees and expenses are exclusive of Taxes. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement.
7.3. Payment Disputes. If Customer disputes an invoice in good faith, it will notify Abnormal prior to the Due Date and the parties will seek to resolve the dispute over a 15-day discussion period. Customer is not required to pay disputed amounts during the discussion period, but will timely pay all undisputed amounts. After the discussion period, either Party may pursue any available remedies.
7.4. Records and Validation. Customer is responsible for providing complete and accurate billing and contact information to Abnormal and notifying Abnormal of any changes to such information. Abnormal may conduct verification checks on the usage of the Service during the Subscription Term. If it is determined that the usage of the Service exceeds the baseline quantity stated in an applicable Order Form, the Parties (Partner and Abnormal or Customer and Abnormal, as applicable) will address any over-usage in a separate Order Form. If Customer fails to address the over-usage, Abnormal may terminate access to the Service within thirty (30) days of Abnormal’s notice of non-compliance.
8. SUSPENSION. Abnormal may suspend Customer’s access to the Service and related services due to a Suspension Event, but where practicable will give Customer prior notice so that Customer may seek to resolve the issue and avoid suspension. Abnormal is not required to give prior notice in exigent circumstances or for a suspension made to avoid material harm or violation of Law. Once the Suspension Event is resolved, Abnormal will promptly restore Customer’s access to the Service in accordance with this Agreement. “Suspension Event” means (a) Customer’s account is 30 days or more overdue, (b) Customer is in breach of Section 3 (Use of the Service) or (c) Customer’s use of the Service risks material harm to the Service or others.
9. TERM AND TERMINATION
9.1. Subscription Terms. Each Subscription Term will last for an initial 12-month period unless the Order states otherwise. Each Subscription Term will renew for successive periods unless (a) the Parties agree on a different renewal Order or (b) either Party notifies the other (or Partner notifies Abnormal, if applicable) of non-renewal at least 30 days prior to the end of the current Subscription Term. Per-unit rates for renewal of the applicable Service will be the same as in the prior Subscription Term, unless Abnormal notifies Customer at least 45 days in advance. If Customer objects to the increase, Customer must notify Abnormal of its intention not to renew the Order within 30 days of Customer’s receipt of such notice. Failure to timely notify Abnormal shall be deemed to constitute consent to the applicable fee increase.
9.2. Term. The term of this Agreement will commence on the Effective Date and continues until expiration or termination of all Subscription Terms, unless otherwise terminated as permitted by this Agreement (the “Term”). If no Subscription Term is in effect, either party may terminate this Agreement for any or no reason with notice to the other party.
9.3. Termination. Either Party may terminate this Agreement, including all Subscription Terms, if the other Party (i) fails to cure a material breach of this Agreement (including a failure to pay fees) within 30 days after notice, (ii) ceases operation with a successor, or (iii) seeks protection under a bankruptcy, receivership, trust deed, creditors’ arrangement, composition or comparable proceeding, or if such a proceeding is instituted against that party and not dismissed within 60 days. Customer shall receive a refund of any pre-paid, unused fees for the terminated portion of an applicable Subscription Term for such Customer-initiated terminations, and Customer will promptly pay Abnormal any outstanding fees and expenses due for the terminated portion of the Subscription Term for any such Abnormal-initiated termination.
9.4. Data Export & Deletion. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation. After termination or expiration of this Agreement, Abnormal will delete Customer Data and each Party will delete any Confidential Information of the other in its possession or control. Nonetheless, Abnormal may retain Customer Data and the recipient may retain Confidential Information in accordance with its standard backup or record retention policies or as required by Law, subject to Section 2.2 (Security), Section 10 (Confidentiality) and any DPA.
9.5. Effect of Termination.
(a) Customer’s right to use the Service, Support and Technical Services will cease upon any termination or expiration of this Agreement, subject to this Section 9 (Term and Termination).
(b) In no event will any termination relieve Customer of the obligation to pay any expenses and fees payable to Abnormal for the period prior to the effective date of termination.
(c) The following Sections will survive expiration or termination of this Agreement: Section 2.4 (Service Operations Data), 2.5 (Threat Intelligence Data), 3 (Use of the Service), 5.4 (Disclaimers), 7.1 (Payment) (for amounts then due), 7.2 (Taxes), 9.4 (Data Export & Deletion), 9.5 (Effect of Termination), 10 (Confidentiality), 11 (Proprietary Rights), 12 (Limitations of Liability), 13 (Indemnification), 17 (General Terms), and 18 (Glossary).
10. CONFIDENTIALITY
10.1. Use and Protection. As recipient, each party will (a) use Confidential Information only to fulfill its obligations and exercise its rights under this Agreement, (b) not disclose Confidential Information to third parties without discloser’s prior approval, except as permitted in this Agreement, and (c) protect Confidential Information using at least the same precautions recipient uses for its own similar information and no less than a reasonable standard of care.
10.2. Permitted Disclosures. The recipient may disclose Confidential Information to its employees, agents, contractors, Affiliates, agents, subcontractors and other representatives having a legitimate need to know (including, for Abnormal, any subprocessors referenced in the DPA or Service support providers as referenced in Section 17.9), provided it remains responsible for their compliance and they are bound to confidentiality obligations no less protective than this Section 10 (each, a “Representative”).
10.3. Exclusions. These confidentiality obligations do not apply to information that the recipient can document (a) is or becomes public knowledge through no fault of the recipient, (b) it rightfully knew or possessed, without confidentiality restrictions, prior to receipt from the discloser, (c) it rightfully received from a third party without confidentiality restrictions or (d) it independently developed without access to the Confidential Information.
10.4. Remedies. Breach of this Section 10 (Confidentiality) may cause substantial harm for which monetary damages are an insufficient remedy. Upon a breach of this Section, the discloser is entitled to seek appropriate equitable relief, including an injunction, in addition to other remedies.
10.5. Required Disclosures. The recipient may disclose Confidential Information (including Customer Data) to the extent required by Laws. If permitted by Law, the recipient will give the discloser reasonable advance written notice of the required disclosure and reasonably cooperate, at the discloser’s expense, to contest or seek to limit the disclosure or obtain confidential treatment for the Confidential Information. If no protective order or other remedy is obtained, the recipient will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
11. PROPRIETARY RIGHTS
11.1. Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, Technical Services, and any feedback or suggestions Customer provides to Abnormal with respect to the Service or Technical Services. All feedback is provided “AS IS” and Abnormal will not publicly identify Customer as the source of feedback without Customer’s permission. Except for Customer’s express rights in this Agreement, as between the parties, Abnormal and its licensors retain all intellectual property rights in the Service, and product of any Technical Services and related Abnormal technology.
11.2. Customer Property. Except for Abnormal’s express rights in this Agreement, as between the parties, Customer owns and retains all right, title, and interest in and to the Customer Data and Customer Materials provided to Abnormal.
12. LIMITATIONS OF LIABILITY
12.1. General Cap. EACH PARTY’S ENTIRE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE GENERAL CAP.
12.2. Consequential Damages Waiver. NEITHER PARTY WILL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR INDIRECT, SPECIAL, INCIDENTAL, RELIANCE, EXEMPLARY OR CONSEQUENTIAL DAMAGES OR DAMAGES FOR LOSS OF USE, LOST PROFITS OR INTERRUPTION OF BUSINESS, EVEN IF INFORMED OF THEIR POSSIBILITY IN ADVANCE.
12.3. Exceptions and Enhanced Cap. SECTIONS 12.1 (GENERAL CAP) AND 12.2 (CONSEQUENTIAL DAMAGES WAIVER) WILL NOT APPLY TO ENHANCED CLAIMS OR UNCAPPED CLAIMS. FOR ALL ENHANCED CLAIMS, EACH PARTY’S ENTIRE LIABILITY WILL NOT EXCEED THE ENHANCED CAP.
12.4. Nature of Claims. The waivers and limitations in this Section 12 (Limitations of Liability) apply regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise and will survive and apply even if any limited remedy in this Agreement fails of its essential purpose.
12.5. Liability Definitions. The following definitions apply to this Section 12 (Limitations of Liability).
| “Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations. |
13. INDEMNIFICATION
13.1. By Abnormal. Abnormal, at its own cost, will defend Customer from and against any Abnormal-Covered Claims and will indemnify and hold harmless Customer from and against any damages or costs finally awarded against Customer by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Abnormal resulting from the Abnormal-Covered Claims.
13.2. Indemnification by Customer. Customer, at its own cost, will defend Abnormal from and against any Customer-Covered Claims and will indemnify and hold harmless Abnormal from and against any damages or costs finally awarded against Abnormal by a court of competent jurisdiction (including reasonable attorneys’ fees) or agreed in settlement by Customer resulting from the Customer-Covered Claims.
13.3. Indemnification Definitions.
| “Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service). |
13.4. Procedures. The indemnifying party’s obligations in this Section 13 (Indemnification) are subject to receiving from the indemnified party: (a) prompt notice of the claim (but delayed notice will only reduce the indemnifying party’s obligations to the extent it is prejudiced by the delay), (b) the exclusive right to control the claim’s investigation, defense and settlement and (c) reasonable cooperation at the indemnifying party’s expense. The indemnifying party may not settle a claim without the indemnified party’s prior approval if settlement would require the indemnified party to admit fault or take or refrain from taking any action (except regarding use of the Service when Abnormal is the indemnifying party). The indemnified party may participate in a claim with its own counsel at its own expense.
13.5. Mitigation & Exceptions. In response to an infringement or misappropriation claim, if required by settlement or injunction or as Abnormal determines necessary to avoid material liability, Abnormal may: (a) procure rights for Customer’s continued use of the Service, (b) replace or modify the allegedly infringing portion of the Service to avoid infringement, without reducing the Service’s overall functionality or (c) terminate the affected Order or the Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. Abnormal’s obligations in this Section 13 (Indemnification) do not apply to claims resulting from (a) modification or unauthorized use of the Service or (b) use of the Service in combination with items not provided by Abnormal, including Third-Party Platforms. This Section 13 (Indemnification) sets out the indemnified party’s exclusive remedy and the indemnifying party’s sole liability regarding third-party claims of intellectual property infringement or misappropriation.
14. INSURANCE
14.1. Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
14.2. Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
15. TRIALS AND BETAS. Abnormal may offer optional Trials and Betas. Use of Trials and Betas is permitted only for Customer’s internal evaluation during the period designated by Customer on the Order (or if not designated in an Order or otherwise, 30 days). Either Party may terminate Customer’s use of Trials and Betas at any time for any reason. Trials and Betas may be inoperable, incomplete or include features never released. NOTWITHSTANDING ANYTHING ELSE IN THIS AGREEMENT, COMPANY OFFERS NO WARRANTY, INDEMNITY, SLA OR SUPPORT FOR TRIALS AND BETAS AND ITS LIABILITY FOR TRIALS AND BETAS WILL NOT EXCEED US$50,000.
16. PUBLICITY. Neither party may publicly announce this Agreement without the other party’s prior approval or except as required by Laws.
17. GENERAL TERMS
17.1. Assignment. Neither Party may assign this Agreement without the prior consent of the other party, except that either party may assign this Agreement, with notice to the other party, in connection with the assigning Party’s merger, reorganization, acquisition or other transfer of all or substantially all of its assets or voting securities. Any non-permitted assignment is void. This Agreement will bind and inure to the benefit of each Party’s permitted successors and assigns.
17.2. Governing Law and Courts. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California.
17.3. Notices.
(a) Except as set out in this Agreement, notices, requests and approvals under this Agreement will be in writing to the email addresses on the Order or in this Agreement and will be deemed given: (1) upon receipt if by personal delivery, (2) upon receipt if by certified or registered U.S. mail (return receipt requested), (3) one day after dispatch if by a commercial overnight delivery or (4) upon delivery if by email. Either Party may update its address with notice to the other.
(b) Abnormal may also send operational notices through the Service, including to update the Support Plan, Service Level Availability, or Security Measures to reflect new features or changing practices.
17.4. Entire Agreement. This Agreement, including all applicable Orders, is the Parties’ entire agreement regarding its subject matter and supersedes any prior or contemporaneous agreements regarding its subject matter. In this Agreement, headings are for convenience only and “including” and similar terms are to be construed without limitation. Excluding Orders, terms in business forms, purchase orders or quotes, online terms, or invoicing portal used by Customer will not amend or modify this Agreement; any such documents are for administrative purposes only. This Agreement may be executed in counterparts (including electronic copies and PDFs), each of which is deemed an original and which together form one and the same agreement. In the event of any conflict or inconsistency between the Order and this Agreement, the Order will prevail.
17.5. Updates. Abnormal may modify this Agreement from time to time. If a modification materially impacts this Agreement, Abnormal will use reasonable efforts to notify Customer through the Service, the website and/or in accordance with this Section 17 (General Terms). Any changes to this Agreement posted on the website will be effective if Customer assents to such changes or upon Customer’s renewal Subscription Term, except changes required by law or as necessary for new features will immediately become effective to the extent necessary to comply with such law or as required to use such new features. If Customer objects to the updated Agreement, as Customer’s exclusive remedy and without penalty, Customer may choose not to renew by canceling any Subscription Term set to auto-renew in accordance with Section 9.1 (Subscription Terms).
17.6. Waivers and Severability. Waivers must be signed by the waiving party’s authorized representative and cannot be implied from conduct. If any provision of this Agreement is held invalid, illegal or unenforceable, it will be limited to the minimum extent necessary so the rest of this Agreement remains in effect.
17.7. Force Majeure. Neither Party is liable for a delay or failure to perform this Agreement due to a Force Majeure. If a Force Majeure materially adversely affects the Service for 30 or more consecutive days, either party may terminate the affected Order upon notice to the other and Abnormal will refund to Customer any pre-paid, unused fees for the terminated portion of the Subscription Term. However, this Section does not limit Customer’s obligations to pay fees owed.
17.8. Service Support Providers. Abnormal may use Service support providers (e.g., third-party hosting and other service providers) in supply of the Service and Support and permit them to exercise its rights and fulfill its obligations, but Abnormal remains responsible for their compliance with this Agreement and for its overall performance under this Agreement. This does not limit any additional terms for subprocessors under a DPA.
17.9. Independent Contractors. The Parties are independent contractors, not agents, partners or joint venturers.
17.10. No Third-Party Beneficiaries. There are no third-party beneficiaries to this Agreement.
17.11. Anti-Corruption and Export. Each Party will, and will cause its employees, consultants, and agents to, comply with the US Foreign Corrupt Practices Act of 1977 and the UK Bribery Act 2010. Customer agrees to comply with all applicable laws administered by the U.S. Commerce Bureau of Industry and Security, U.S. Treasury Office of Foreign Assets Control, or other governmental entity imposing export controls and trade sanctions (“Export Laws”), including designated countries, entities, and persons (“Sanctions Targets”); and agrees not to directly or indirectly export, re-export, or otherwise deliver the Service to a Sanctions Target, or broker, finance, or otherwise facilitate any transaction in violation of any Export Laws. Customer represents that Customer is not a Sanctions Target or prohibited from receiving the Service. The Service will be used for non-prohibited, commercial purposes by non-prohibited Users and will not be exported or transferred to China or any Sanctions Target.
17.12. Government Rights. For purposes of this Agreement and to the extent applicable, the Service is "commercial computer software" and a "commercially available off-the-shelf (COTS) item" as defined at FAR 2.101 developed at the private expense of Abnormal. If acquired by or on behalf of a civilian agency, the U.S. Government acquires this commercial computer software and/or commercial computer software documentation and other technical data subject to the terms of the Agreement as specified in 48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal Acquisition Regulation ("FAR") and its successors. If acquired by or on behalf of any agency within the Department of Defense ("DOD"), the U.S. Government acquires this commercial computer software and/or commercial computer software documentation subject to the terms of the Agreement as specified in 48 C.F.R. 227.7202 of the DOD FAR Supplement ("DFARS") and its successors. This Section is in lieu of and supersedes any other FAR, DFARS, or other clause or provision that addresses government rights in computer software or technical data.
17.13. Channel Partner Service Subscriptions. This Section applies to any Customer access of the Service obtained through an authorized Abnormal channel partner (“Channel Partner”).
(a) Commercial Terms. Instead of paying Abnormal, Customer will pay applicable amounts to the Channel Partner as agreed between Customer and the Channel Partner. Customer’s order details (e.g., scope of use and fees) will be as stated in the Order placed by Channel Partner with Abnormal on Customer’s behalf. Customer’s Order will renew with Channel Partner in accordance with Section 9.4 (Subscription Term), unless Channel Partner notifies Abnormal that it is opting-out of auto-renewal on Customer’s behalf as described in this Agreement or in the manner specified in the agreement between Channel Partner and Abnormal. Channel Partner is responsible for the accuracy of such Order. Abnormal may suspend or terminate Customer’s rights to use the Service if it does not receive the corresponding payment from the Channel Partner. If Customer is entitled to a refund under this Agreement, Abnormal will refund any applicable fees to the Channel Partner and the Channel Partner will be solely responsible for refunding the appropriate amounts to Customer, unless otherwise specified.
(b) Relationship with Abnormal. This Agreement is directly between Abnormal and Customer and governs all use of the Service by Customer. Channel Partners are not authorized to modify this Agreement or make any promises or commitments on Abnormal’s behalf, and Abnormal is not bound by any obligations to Customer other than as set forth in this Agreement. Abnormal is not party to (or responsible under) any separate agreement between Customer and Channel Partner. The amount paid or payable by the Channel Partner to Abnormal for Customer’s use of the applicable Service under this Agreement will be deemed the amount paid or payable by Customer to Abnormal under this Agreement for purposes of Section 12 (Limitations of Liability). Abnormal is not responsible for any acts, omissions, products or services provided by Channel Partner.
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes technical, the Service, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means the Abnormal’s standard technical guides and documentation for the Service that is made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website. “Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration or other professional services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Abnormal Security Support and Service Level Agreement Policy
Effective June 24, 2022
DownloadTable of Contents
ABNORMAL SECURITY SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Abnormal Security Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time. Capitalized terms not defined in this Policy shall have the meaning given to them in the Agreement.
I. Support
- Support Services. As part of providing the Service and as further described in the Documentation, Abnormal implements processes designed to perform robust testing and validation to minimize Errors.
- General Support Offering. Customer shall designate one primary contact who will have administrator privileges and may designate additional contacts (“Customer Contacts”). Abnormal shall provide English-speaking remote assistance to Customer Contacts for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Contacting Abnormal Support. Customer Contacts may contact Abnormal Support by: (a) submitting a Support request to the Abnormal webpage hosting the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Abnormal Community”) and designating the appropriate severity level according to Table 1 below, (b) submitting a Support request in the web interface as described in the Documentation, (c) submitting the Support request to support@abnormalsecurity.com if Customer Contacts cannot access the Abnormal Community, or (d) in the event Customer Contacts cannot access Abnormal Community or email, they may contact Abnormal Support by phone at the intake phone number identified in the Abnormal Community solely for purposes of having the Support request submitted on their behalf (each a “Support Case”). All Customer Contacts must be reasonably trained in the use and functionality of the Service and the Abnormal Documentation and shall use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity. Customer Contacts will assist Abnormal to resolve its Support Case by complying with the Customer obligations set forth in Table 1.
- Submission of Support Cases. Each Support Case shall; (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer Account that experienced the error; (c) include information sufficiently detailed to allow Abnormal Support to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) provide contact information for the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
- Other Support and Training. Abnormal also offers various support and training resources such as documentation, FAQs and user guides available on the Abnormal Community.
Table 1: Error Severity Level Definitions and Response Times | |||||||
|---|---|---|---|---|---|---|---|
Error Severity Level | Description | Initial Response Time Target | Customer Responsibility | ||||
Severity Level 1 (Urgent Severity) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions quickly. | ||||
Severity Level 2 (High Severity) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error on a temporary basis without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions upon receipt. | ||||
Severity Level 3 (Normal Severity) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas, or (b) experiencing intermittent issues. The Customer can still access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary. | ||||
Severity Level 4 (Low Severity) | How-to Questions and Service issues with no Service degradation. | Twenty-Four (24) Business Hours | Monitor and respond as necessary. | ||||
RFE | Requests for enhancements to the Service. | 2 Business Days | N/A | ||||
- Error Response. Upon receipt of a Support Case, Abnormal Support will attempt to determine the Error and assign the applicable Severity Level based on descriptions in Table 1. If Abnormal’s Severity Level designation is different from that assigned by Customer, Abnormal will promptly notify Customer in advance of such designation. If Customer notifies Abnormal of a reasonable basis for disagreeing with Abnormal’s designated Severity Level, the parties each will make a good faith effort to discuss, escalate internally, and mutually agree on the appropriate Severity Level. Abnormal shall use commercially reasonable efforts to meet the Initial Response Time Target for the applicable Severity Level, as measured during in-region Abnormal Support hours set forth in Table 2 below (such hour(s), “Business Hour(s)” with the total Business Hours in an in-region support day being “Business Day(s)”).
Table 2: Abnormal Support Hours | ||
|---|---|---|
Global Support Business Hours | ||
Sev 1 | Sev 2-4 | Excluded Holidays Sev 2-4 |
24 x 7 x 365 | 6AM-6PM PT Mon-Fri | Recognized U.S. Federal Holidays |
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of Service level credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credit Calculation | |
|---|---|
Monthly Availability Percentage | Service Level Credit |
< 99.9% - ≥ 98.0% | 3 Days |
< 98.0% - ≥ 95.0% | 7 Days |
< 95.0% | 15 Days |
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer or its User's use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Effective April 4, 2022 to June 24, 2022
DownloadTable of Contents
ABNORMAL SECURITY SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Abnormal Security Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time. Capitalized terms not defined in this Policy shall have the meaning given to them in the Agreement.
I. Support
- Support Services. As part of providing the Service and as further described in the Documentation, Abnormal implements processes designed to perform robust testing and validation to minimize Errors.
- General Support Offering. Customer shall designate one primary contact who will have administrator privileges and may designate additional contacts (“Customer Contacts”). Abnormal shall provide English-speaking remote assistance to Customer Contacts for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Contacting Abnormal Support. Customer Contacts may contact Abnormal Support by: (a) submitting a Support request to the Abnormal webpage hosting the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Abnormal Community”) and designating the appropriate severity level according to Table 1 below, (b) submitting a Support request in the web interface as described in the Documentation, (c) submitting the Support request to support@abnormalsecurity.com if Customer Contacts cannot access the Abnormal Community, or (d) in the event Customer Contacts cannot access Abnormal Community or email, they may contact Abnormal Support by phone at the intake phone number identified in the Abnormal Community solely for purposes of having the Support request submitted on their behalf (each a “Support Case”). All Customer Contacts must be reasonably trained in the use and functionality of the Service and the Abnormal Documentation and shall use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity. Customer Contacts will assist Abnormal to resolve its Support Case by complying with the Customer obligations set forth in Table 1.
- Submission of Support Cases. Each Support Case shall; (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer Account that experienced the error; (c) include information sufficiently detailed to allow Abnormal Support to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) provide contact information for the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
- Other Support and Training. Abnormal also offers various support and training resources such as documentation, FAQs and user guides available on the Abnormal Community.
Table 1: Error Severity Level Definitions and Response Times | ||||
|---|---|---|---|---|
Error Severity Level | Description | Initial Response Time Target | Customer Responsibility | |
Severity Level 1 (Urgent Severity) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions quickly. | |
Severity Level 2 (High Severity) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error on a temporary basis without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions upon receipt. | |
Severity Level 3 (Normal Severity) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas, or (b) experiencing intermittent issues. The Customer can still access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary. | |
Severity Level 4 (Low Severity) | How-to Questions and Service issues with no Service degradation. | Twenty-Four (24) Business Hours | Monitor and respond as necessary. | |
RFE | Requests for enhancements to the Service. | 2 Business Days | N/A | |
- Error Response. Upon receipt of a Support Case, Abnormal Support will attempt to determine the Error and assign the applicable Severity Level based on descriptions in Table 1. If Abnormal’s Severity Level designation is different from that assigned by Customer, Abnormal will promptly notify Customer in advance of such designation. If Customer notifies Abnormal of a reasonable basis for disagreeing with Abnormal’s designated Severity Level, the parties each will make a good faith effort to discuss, escalate internally, and mutually agree on the appropriate Severity Level. Abnormal shall use commercially reasonable efforts to meet the Initial Response Time Target for the applicable Severity Level, as measured during in-region Abnormal Support hours set forth in Table 2 below (such hour(s), “Business Hour(s)” with the total Business Hours in an in-region support day being “Business Day(s)”).
Table 2: Abnormal Support Hours | ||
|---|---|---|
Global Support Business Hours | ||
Sev 1 | Sev 2-4 | Excluded Holidays Sev 2-4 |
24 x 7 x 365 | 6AM-6PM PT Mon-Fri | Recognized U.S. Federal Holidays |
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of Service level credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credit Calculation | |
|---|---|
Monthly Availability Percentage | Service Level Credit |
< 99.9% - ≥ 98.0% | 3 Days |
< 98.0% - ≥ 95.0% | 7 Days |
< 95.0% | 15 Days |
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer or its User's use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Abnormal Security Information Security Policy
Effective April 12, 2022
DownloadTable of Contents
ABNORMAL SECURITY INFORMATION SECURITY POLICY
During the Term of the Agreement, Abnormal will maintain an Information Security Program (“Security Program”) in accordance with the requirements of this Information Security Policy (“Security Policy”). Terms not otherwise defined herein have the same meanings as set forth in the written subscription agreement under which Abnormal provides its Service as entered into by and between Customer and Abnormal ("Agreement"). In the event of a conflict between the terms of this Security Policy and the terms of the Agreement, the terms of this Security Policy will apply.
Elements of the Security Program.
Minimum Security Standards. The Security Program will use industry standard controls designed to protect the confidentiality, integrity, and availability of Customer Data against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss or destruction or damage. The Security Program will maintain administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of Abnormal business; (b) the type of information that Abnormal stores; and (c) the need for security and confidentiality of such information.
1. Security Policies and Procedures. Abnormal will maintain and implement security policies and procedures designed to ensure that the Service and its employees and contractors process Customer Data in accordance with this Security Policy. Abnormal will implement and enforce disciplinary measures against employees and contractors for failure to abide by its security policies and procedures.
2. Intrusion Prevention. Abnormal will take reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and stringent firewall rules.
3. Physical Access Controls. Abnormal will establish limits on physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and other areas where Customer Data is stored is limited to authorized individuals. Data centers leverage camera or video surveillance systems at critical internal and external entry points.
4. Logical Access Controls.
Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for all employees or contractors with access to Customer Data, including without limitation, by assigning each employee or contractor unique authentication credentials for accessing any system on which Customer Data is accessed and prohibiting employees or contractors from sharing their authentication credentials. Abnormal will restrict access to Customer Data to those employees or contractors who need access to Customer Data to perform Abnormal obligations under the Agreement.
Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help prevent unauthorized access to, and to detect unauthorized attempts to access, its networks, servers, and applications. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal will have policies in place that are designed to ensure that, upon termination of any employee or contractor, the terminated employee’s or contractor’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases revocation will occur no later than twenty-four (24) hours following such termination.
5. Environmental Access Controls. If Abnormal supplies data center services, Abnormal will implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
6. Disaster Recovery and Backup Controls. If Abnormal supplies data center services, Abnormal will: (a) back up its production file systems and databases according to a defined schedule; and (b) maintain a formal disaster recovery plan for the production data center and conduct regular testing of the effectiveness of such plan.
7. Business Continuity and Incident Response Plans. If Abnormal processes, stores, or transmits Customer Data, then Abnormal will take reasonable measures to maintain business continuity plans and incident response plans to manage and minimize the effects of unplanned operational disruptions (cyber, physical or natural) (“Incident Response Plans”). These plans will include procedures to be followed in the event of an actual or suspected Security Breach or business interruption and have a stated goal of resumption of routine service within 48 hours of such an incident. The Incident Response Plans will require Abnormal to undertake a root cause analysis of any actual or suspected Security Breach and to document remediation measures.
8. Security Breach Notification. Abnormal will notify Customer of any unauthorized access to Customer Data in accordance with the terms and conditions of the Agreement. In the event no such terms are specified in the Agreement, the following terms will apply:
Abnormal will notify Customer of any unauthorized, unlawful or accidental access to, or disclosure, transfer, destruction, loss or alteration of, Customer Data (each, a “Security Breach”) within two business days of Abnormal’s knowledge of the Security Breach, regardless of whether the Security Breach triggers any applicable breach notification law. Abnormal will notify Customer of a Security Breach by email to Abnormal’s primary contact within the Customer organization.
Notice to Customer will include: (a) a description of the nature of the Security Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Breach; (d) a description of the measures taken or proposed to address the Security Breach; and (e) a description of measures to mitigate the adverse effects of the Security Breach.
9. Storage and Transmission Security.
Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol.
Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices.
10. Secure Disposal.
Upon expiration or termination of the Agreement, Abnormal will return or delete Customer Data in accordance with the Agreement. If deletion is required, Customer Data will be securely deleted in accordance with industry leading methods (e.g., NIST SP 800-88), except that Customer Data stored electronically in Abnormal backup or email systems may be deleted over time in accordance with Abnormal records management practices.
If Abnormal stores Customer Data in Abnormal cloud computing services, Abnormal will retain Customer Data stored in its cloud computing services for the duration of any active the Subscription Term or until the expiration or termination of this Agreement. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation.
11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and determine if existing controls, policies, and procedures are adequate.
12. Subcontractors. Prior to engaging new third-party service providers or adding new technologies to its Service that will access or process Customer Data (collectively, for the purposes of this Security Policy, “Subcontractors”), Abnormal will conduct a risk assessment of each Subcontractor’s data security practices. Abnormal enters into written agreements with its Subcontractors with security obligations substantially similar to those contained in this Security Policy. Abnormal will be responsible for the acts or omissions of Subcontractors under the Agreement. This paragraph does not limit Abnormal’s obligations regarding Sub-processors as set out in the DPA.
13. Change and Configuration Management. Abnormal will implement and maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.
14. Training and Background Checks. Abnormal will undertake the following measures that are designed to ensure that personnel who will have access to Customer Data are appropriately qualified.
14.1. Background Checks. Employees and contractors of Abnormal who will have access to Customer Data or systems that process Customer Data will undergo a civil and criminal background check, where permitted by applicable law. Upon written request, not more than once per 12-month period, Abnormal will certify its compliance to Customer with this Section.
14.2. Information Security Awareness Training. Abnormal will provide new hire security awareness training, and refresher security awareness training at least once a year thereafter, to all personnel who process or may have access to Customer Data. Abnormal will make available to Customer documentation to validate compliance with this security awareness training requirement for the current year. Abnormal security awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against data loss, misuse or breach through physical, logical and social engineering mechanisms.
14.3. Secure Code Training. Abnormal will provide annual training on secure coding principles and their application (Secure Code Training) to all personnel who develop or handle any Abnormal source code. Abnormal training will cover topics such as: (a) the Open Web Application Security Project (OWASP) list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
15. Security Program Proof of Compliance.
Third Party Standards and Assessments. During the Term of the Agreement and at Abnormal’s expense, Abnormal will undertake the following third-party assessments of the networks, servers, applications and operations where Customer Data is processed, stored or transmitted.
15.1. Third-Party Security Audit.
Abnormal engages an industry-recognized third party auditor to conduct a SOC 2 Type 2 security audit on at least an annual basis in order to demonstrate its compliance with the security requirements of the Security Program.
The Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability and Confidentiality developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Abnormal will make available to Customer copies of Abnormal’s current SOC 2 report annually upon written request.
Where Abnormal is not permitted to audit the data processing facilities of its Subcontractors that store or process Customer Data (e.g., cloud data centers), Abnormal will seek assurances from such Subcontractors (e.g., in the form of an independent third party audit report such as the SOC 2 Type 2, ISO 27001, and vendor security evaluations).
15.2. Penetration Tests.
If Abnormal processes, stores, or transmits Customer Data, then at least once every year, Abnormal will undertake a network penetration test by an independent third party. Abnormal will remediate all critical and high vulnerabilities that the penetration test identifies within 30 days of the date they were first identified and will remediate all identified medium level vulnerabilities within a reasonable time period.
Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data, which will be deemed Confidential Information under the Agreement.
15.3. Audit and Vendor Risk Assessment.
From time to time, during regular business hours and upon reasonable notice, Customer, its regulators and/or designated third-party auditor(s) (that are not considered competitors of Abnormal) may perform, and Abnormal will reasonably assist with, a Vendor Risk Assessment (VRA). The VRA shall consist of a review of Abnormal’s security related documentation regarding its compliance with this Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Abnormals’s compliance with this Security Policy, provided that Customer shall not exercise this right more than once per year, and Abnormal will make its security personnel available to answer such questions related to Abnormal’s compliance with this Security Policy and applicable regulations and laws. All reasonable costs and expenses actually incurred of such an audit shall be borne by the Customer. For the avoidance of doubt, Abnormal will pay all costs and expenses incurred in connection with Abnormal’s own regulatory compliance and financial reporting requirements. In the event of a Security Breach that requires reporting a supervisory authority or other governmental authority, Customer may conduct an audit or VRA on no less than three days’ notice, at Abnormal’s expense.
In addition to Customer’s audit rights, Abnormal agrees to reasonably cooperate and respond to Customer’s annual security questionnaires. Any information exchanged with the activities described in this Section is deemed to be Abnormal Confidential Information.
16. Disclosure by Law.
In the event Abnormal is required by law, regulation, or legal process to disclose any Customer Data, Abnormal will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
17. Updates.
As Abnormal releases new products, services, functionality, and features, Abnormal may update this Security Policy to account for such products, services, functionality, and features.
Effective April 4, 2022 to April 12, 2022
DownloadTable of Contents
ABNORMAL SECURITY INFORMATION SECURITY POLICY
During the Term of the Agreement, Abnormal will maintain an Information Security Program (“Security Program”) in accordance with the requirements of this Information Security Policy (“Security Policy”). Terms not otherwise defined herein have the same meanings as set forth in the written subscription agreement under which Abnormal provides its Service as entered into by and between Customer and Abnormal ("Agreement"). In the event of a conflict between the terms of this Security Policy and the terms of the Agreement, the terms of this Security Policy will apply.
Elements of the Security Program.
Minimum Security Standards. The Security Program will use industry standard controls designed to protect the confidentiality, integrity, and availability of Customer Data against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss or destruction or damage. The Security Program will maintain administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of Abnormal business; (b) the type of information that Abnormal stores; and (c) the need for security and confidentiality of such information.
1. Security Policies and Procedures. Abnormal will maintain and implement security policies and procedures designed to ensure that the Service and its employees and contractors process Customer Data in accordance with this Security Policy. Abnormal will implement and enforce disciplinary measures against employees and contractors for failure to abide by its security policies and procedures.
2. Intrusion Prevention. Abnormal will take reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and stringent firewall rules.
3. Physical Access Controls. Abnormal will establish limits on physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and other areas where Customer Data is stored is limited to authorized individuals. Data centers leverage camera or video surveillance systems at critical internal and external entry points.
4. Logical Access Controls.
Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for all employees or contractors with access to Customer Data, including without limitation, by assigning each employee or contractor unique authentication credentials for accessing any system on which Customer Data is accessed and prohibiting employees or contractors from sharing their authentication credentials. Abnormal will restrict access to Customer Data to those employees or contractors who need access to Customer Data to perform Abnormal obligations under the Agreement.
Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help prevent unauthorized access to, and to detect unauthorized attempts to access, its networks, servers, and applications. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal will have policies in place that are designed to ensure that, upon termination of any employee or contractor, the terminated employee’s or contractor’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases revocation will occur no later than twenty-four (24) hours following such termination.
5. Environmental Access Controls. If Abnormal supplies data center services, Abnormal will implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
6. Disaster Recovery and Backup Controls. If Abnormal supplies data center services, Abnormal will: (a) back up its production file systems and databases according to a defined schedule; and (b) maintain a formal disaster recovery plan for the production data center and conduct regular testing of the effectiveness of such plan.
7. Business Continuity and Incident Response Plans. If Abnormal processes, stores, or transmits Customer Data, then Abnormal will take reasonable measures to maintain business continuity plans and incident response plans to manage and minimize the effects of unplanned operational disruptions (cyber, physical or natural) (“Incident Response Plans”). These plans will include procedures to be followed in the event of an actual or suspected Security Breach or business interruption and have a stated goal of resumption of routine service within 48 hours of such an incident. The Incident Response Plans will require Abnormal to undertake a root cause analysis of any actual or suspected Security Breach and to document remediation measures.
8. Security Breach Notification. Abnormal will notify Customer of any unauthorized access to Customer Data in accordance with the terms and conditions of the Agreement. In the event no such terms are specified in the Agreement, the following terms will apply:
Abnormal will notify Customer of any unauthorized, unlawful or accidental access to, or disclosure, transfer, destruction, loss or alteration of, Customer Data (each, a “Security Breach”) within two business days of Abnormal’s knowledge of the Security Breach, regardless of whether the Security Breach triggers any applicable breach notification law. Abnormal will notify Customer of a Security Breach by email to Abnormal’s primary contact within the Customer organization.
Notice to Customer will include: (a) a description of the nature of the Security Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Breach; (d) a description of the measures taken or proposed to address the Security Breach; and (e) a description of measures to mitigate the adverse effects of the Security Breach.
9. Storage and Transmission Security.
Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol.
Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices.
10. Secure Disposal.
Upon expiration or termination of the Agreement, Abnormal will return or delete Customer Data in accordance with the Agreement. If deletion is required, Customer Data will be securely deleted in accordance with industry leading methods (e.g., NIST SP 800-88), except that Customer Data stored electronically in Abnormal backup or email systems may be deleted over time in accordance with Abnormal records management practices.
If Abnormal stores Customer Data in Abnormal cloud computing services, Abnormal will retain Customer Data stored in its cloud computing services for the duration of any active the Subscription Term or until the expiration or termination of this Agreement. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation.
11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and determine if existing controls, policies, and procedures are adequate.
12. Subcontractors. Prior to engaging new third-party service providers or adding new technologies to its Service that will access or process Customer Data (collectively, for the purposes of this Security Policy, “Subcontractors”), Abnormal will conduct a risk assessment of each Subcontractor’s data security practices. Abnormal enters into written agreements with its Subcontractors with security obligations substantially similar to those contained in this Security Policy. Abnormal will be responsible for the acts or omissions of Subcontractors under the Agreement. This paragraph does not limit Abnormal’s obligations regarding Sub-processors as set out in the DPA.
13. Change and Configuration Management. Abnormal will implement and maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.
14. Training and Background Checks. Abnormal will undertake the following measures that are designed to ensure that personnel who will have access to Customer Data are appropriately qualified.
14.1. Background Checks. Employees and contractors of Abnormal who will have access to Customer Data or systems that process Customer Data will undergo a civil and criminal background check, where permitted by applicable law, prior to accessing Customer Data or systems. Upon written request, not more than once per 12-month period, Abnormal will certify its compliance to Customer with this Section.
14.2. Information Security Awareness Training. Abnormal will provide new hire security awareness training, and refresher security awareness training at least once a year thereafter, to all personnel who process or may have access to Customer Data. Abnormal will make available to Customer documentation to validate compliance with this security awareness training requirement for the current year. Abnormal security awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against data loss, misuse or breach through physical, logical and social engineering mechanisms.
14.3. Secure Code Training. Abnormal will provide annual training on secure coding principles and their application (Secure Code Training) to all personnel who develop or handle any Abnormal source code. Abnormal training will cover topics such as: (a) the Open Web Application Security Project (OWASP) list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
15. Security Program Proof of Compliance.
Third Party Standards and Assessments. During the Term of the Agreement and at Abnormal’s expense, Abnormal will undertake the following third-party assessments of the networks, servers, applications and operations where Customer Data is processed, stored or transmitted.
15.1. Third-Party Security Audit.
Abnormal engages an industry-recognized third party auditor to conduct a SOC 2 Type 2 security audit on at least an annual basis in order to demonstrate its compliance with the security requirements of the Security Program.
The Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability and Confidentiality developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Abnormal will make available to Customer copies of Abnormal’s current SOC 2 report annually upon written request.
Where Abnormal is not permitted to audit the data processing facilities of its Subcontractors that store or process Customer Data (e.g., cloud data centers), Abnormal will seek assurances from such Subcontractors (e.g., in the form of an independent third party audit report such as the SOC 2 Type 2, ISO 27001, and vendor security evaluations).
15.2. Penetration Tests.
If Abnormal processes, stores, or transmits Customer Data, then at least once every year, Abnormal will undertake a network penetration test by an independent third party. Abnormal will remediate all critical and high vulnerabilities that the penetration test identifies within 30 days of the date they were first identified and will remediate all identified medium level vulnerabilities within a reasonable time period.
Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data, which will be deemed Confidential Information under the Agreement.
15.3. Audit and Vendor Risk Assessment.
From time to time, during regular business hours and upon reasonable notice, Customer, its regulators and/or designated third-party auditor(s) (that are not considered competitors of Abnormal) may perform, and Abnormal will reasonably assist with, a Vendor Risk Assessment (VRA). The VRA shall consist of a review of Abnormal’s security related documentation regarding its compliance with this Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Abnormals’s compliance with this Security Policy, provided that Customer shall not exercise this right more than once per year, and Abnormal will make its security personnel available to answer such questions related to Abnormal’s compliance with this Security Policy and applicable regulations and laws. All reasonable costs and expenses actually incurred of such an audit shall be borne by the Customer. For the avoidance of doubt, Abnormal will pay all costs and expenses incurred in connection with Abnormal’s own regulatory compliance and financial reporting requirements. In the event of a Security Breach that requires reporting a supervisory authority or other governmental authority, Customer may conduct an audit or VRA on no less than three days’ notice, at Abnormal’s expense.
In addition to Customer’s audit rights, Abnormal agrees to reasonably cooperate and respond to Customer’s annual security questionnaires. Any information exchanged with the activities described in this Section is deemed to be Abnormal Confidential Information.
16. Disclosure by Law.
In the event Abnormal is required by law, regulation, or legal process to disclose any Customer Data, Abnormal will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
17. Updates.
As Abnormal releases new products, services, functionality, and features, Abnormal may update this Security Policy to account for such products, services, functionality, and features.
Abnormal Security Data Processing Addendum
Effective April 20, 2023
DownloadTable of Contents
Abnormal Security
Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements and is incorporated into the Agreement.
1. Definitions.
The definitions of certain capitalized terms used in this DPA are set forth below. Others are defined in the body of the DPA. Capitalized terms not defined in this DPA are defined in the Agreement.
1.1. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
1.2. “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder and the California Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection (“FADP”), (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) and (v) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.
1.3. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.4. “EEA” means European Economic Area.
1.5.“Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Data Protection Laws.
1.6.“Privacy Data Sheet” means the applicable document, if and when made available on the Abnormal Trust Portal and incorporated by reference into this DPA, that describes the Processing activities in relation to the specific Service supplied to Customer under the Agreement.
1.7.“Processing” and inflections thereof refer to any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8.“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
1.9. “Restricted Transfer” means: (i) where EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination, (ii) where UK GDPR applies, a transfer ofPersonal Data from the United Kingdom to any country that is not subject to an adequacy determination, or (iii) where FADP applies, a transfer of Personal Data from Switzerland to any country that is not subject to an adequacy determination.
1.10. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Abnormal.
1.11. “Specified Notice Period” is 48 hours.
1.12. “Subprocessor” means any third party authorized by Abnormal to Process any Personal Data.
1.13. “Subprocessor List” means the list of Abnormal’s Subprocessors as identified below.
1.14. “Trust Portal” means https://security.abnormalsecurity.com/.
2. Scope and Duration.
2.1. Roles of the Parties. This DPA applies to Abnormal as a Processor of Personal Data and to Customer as a Controller or Processor of Personal Data.
2.2. Scope of DPA. This DPA applies to Abnormal’s Processing of Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
2.3. Duration of DPA. This DPA commences on the Agreement Effective Date and terminates upon expiration or termination of the Agreement (or, if later, the date on which Abnormal has ceased all Processing of Personal Data).
2.4. Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses or other measures to which the Parties have agreed in Schedule 3 (Cross-Border Transfer Mechanisms) or Schedule 4 (Region-Specific Terms), (2) this DPA, and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA (including its Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.
3. Processing of Personal Data.
3.1. Customer Instructions.
(a). Abnormal will Process Personal Data as a Processor only: (i) in accordance with Customer Instructions, or (ii) to comply with Abnormal’s obligations under applicable laws, subject to any notice requirements under Data Protection Laws.
(b) “Customer Instructions” means: (i) Processing to provide the Service and as described in the Agreement (including this DPA and the applicable Privacy Data Sheet) and (ii) other reasonable documented instructions of Customer consistent with the terms of the Agreement.
(c) Details regarding the Processing of Personal Data by Abnormal are set forth in Schedule 1 (Subject Matter and Details of Processing) and the applicable Privacy Data Sheet.
(d) Abnormal will notify Customer if it receives an instruction that Abnormal reasonably determines infringes Data Protection Laws (but Abnormal has no obligation to actively monitor Customer’s compliance with Data Protection Laws). In such an instance, Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws.
3.2. Confidentiality.
(a) Abnormal will protect Personal Data in accordance with its confidentiality obligations as set forth in the Agreement.
(b) Abnormal will ensure personnel who Process Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
3.3. Compliance with Laws.
(a) Abnormal and Customer will each comply with Data Protection Laws in their respective Processing of Personal Data.
(b) Customer will comply with Data Protection Laws in its issuing of Customer Instructions to Abnormal. Customer will ensure that it has established all necessary lawful bases under Data Protection Laws to enable Abnormal to lawfully Process Personal Data for the purposes contemplated by the Agreement (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
3.4. Changes to Laws. The Parties will work together in good faith to negotiate an amendment to this DPA as either Party reasonably considers necessary to address the requirements of Data Protection Laws from time to time.
4. Subprocessors.
4.1. Use of Subprocessors.
(a) Customer generally authorizes Abnormal to engage Subprocessors to Process Personal Data. Customer further agrees that Abnormal may engage its Affiliates as Subprocessors.
(b) Abnormal will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA and (ii) remain liable for compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Abnormal to breach any of its obligations under this DPA.
4.2. Subprocessor List. Abnormal will maintain an up-to-date list of its Subprocessors, including their functions and locations, as specified in the Subprocessor List set forth in Schedule 1 or the applicable Privacy Data Sheet.
4.3. Notice of New Subprocessors. Abnormal may update the Subprocessor List from time to time. At least 30 days before any new Subprocessor Processes any Personal Data, Abnormal will add such Subprocessor to the Subprocessor List and notify Customer through email or other means.
4.4. Objection to New Subprocessors.
(a) If, within 30 days after notice of a new Subprocessor, Customer notifies Abnormal in writing that Customer objects to Abnormal’s appointment of such new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith.
(b) If the Parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected Service for convenience and Abnormal will refund any prepaid, unused fees for the terminated portion of the Subscription Term.
5. Security.
5.1. Security Measures. Abnormal will implement and maintain reasonable and appropriate technical and organizational measures, procedures and practices, as appropriate to the nature of the Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Personal Data and protect against Security Incidents, in accordance with Abnormal’s Security Measures referenced in the Agreement and as further described in Schedule 2 (Technical and Organizational Measures). Abnormal will regularly monitor its compliance with its Security Measures and Schedule 2 (Technical and Organizational Measures).
5.2. Incident Notice and Response.
(a) Abnormal will implement and follow procedures to detect and respond to Security Incidents.
(b) Abnormal will: (i) notify Customer without undue delay and, in any event, not later than the Specified Notice Period, after becoming aware of a Security Incident affecting Customer and (ii) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Abnormal’s reasonable control.
(c) Upon Customer’s request and taking into account the nature of the applicable Processing, Abnormal will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws.
(d) Customer acknowledges that Abnormal’s notification of a Security Incident is not an acknowledgement by Abnormal of its fault or liability.
(e) Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
5.3. Customer Responsibilities.
(a) Customer is responsible for reviewing the information made available by Abnormal relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
(b) Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.
6. Data Protection Impact Assessment.
Upon Customer’s request and taking into account the nature of the applicable Processing, to the extent such information is available to Abnormal, Abnormal will assist Customer in fulfilling Customer’s obligations under Data Protection Laws to carry out a data protection impact or similar risk assessment related to Customer’s use of the Service, including, if required by Data Protection Laws, by assisting Customer in consultations with relevant government authorities.
7. Data Subject Requests.
7.1. Assisting Customer. Upon Customer’s request and taking into account the nature of the applicable Processing, Abnormal will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Service).
7.2. Data Subject Requests. If Abnormal receives a request from a Data Subject in relation to the Data Subject’s Personal Data, Abnormal will notify Customer and advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws), and Customer will be responsible for responding to any such request.
8. Data Return or Deletion.
8.1. During Subscription Term. During the Subscription Term, Customer may, through the features of the Service or such other means, access, return to itself or delete Personal Data.
8.2. Post Termination.
(a) Following termination or expiration of the Agreement, Abnormal will, in accordance with its obligations under the Agreement, delete all Personal Data from Abnormal’s systems.
(b) Deletion will be in accordance with industry-standard secure deletion practices. Abnormal will issue a certificate of deletion upon Customer’s request.
(c) Notwithstanding the foregoing, Abnormal may retain Personal Data: (i) as required by Data Protection Laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Abnormal will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Personal Data and (y) not further Process retained Personal Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.
9. Audits.
9.1. Abnormal Records Generally. Abnormal will keep records of its Processing in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer any records reasonably necessary to demonstrate compliance with Abnormal’s obligations under this DPA and Data Protection Laws.
9.2. Third-Party Compliance Program.
(a) Abnormal will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request at reasonable intervals (but not more than once annually) (subject to confidentiality obligations).
(b) Customer may share a copy of Audit Reports with relevant government authorities as required upon their request.
(c) Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by Audit Reports and the procedures of Section 9.3 (Customer Audit) below.
9.3. Customer Audit. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this exhibit by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 9.3 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 9.3 within a mutually agreeable timeframe.
10. Cross-Border Transfers/Region-Specific Terms.
10.1 Cross-Border Data Transfers.
(a) Abnormal (and its Affiliates) may Process and transfer Personal Data globally as necessary to provide the Service.
(b) If Abnormal engages in a Restricted Transfer, it will comply with Schedule 3 (Cross-Border Transfer Mechanisms).
10.2. Region-Specific Terms. To the extent that Abnormal Processes Personal Data protected by Data Protection Laws in one of the regions listed in Schedule 4 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
SCHEDULE 1 – Subject Matter and Details of Processing
Customer may subscribe to the Abnormal Security Trust Portal (the “Trust Portal”) to receive email notifications with detailed information about certain updates to the processing operations of the Abnormal Service, including as published in the applicable Privacy Data Sheet(s). By clicking on the “Subscribe” link located in the upper right-hand corner of the Trust Portal, Customer will receive an email notification when a Trust Center Update in the Trust Portal is made.
A. LIST OF PARTIES
Data exporter(s):
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Data importer(s):
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred |
More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
The Controller has authorised the use of the following Subprocessors: The Subprocessors located on the agreed list available at www.abnormalsecurity.com/trust, the Abnormal Trust Portal, and as published in the applicable Privacy Data Sheet. As of the effective date, the current list of Subprocessors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that customers submit when requesting support may be Processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Customer Relationship Management Software
SCHEDULE 2 – Technical and Organizational Measures
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal. Further up-to-date Service specific technical and organisational measures will be as set out in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers
Access Controls:
- All Data Importer employees and contractors are provided with unique userIDs
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC.
- Default blocked firewall policies.
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Encrypted connectors for databases using SSL.
SCHEDULE 3 – Cross-Border Transfer Mechanism
1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
1.1. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
1.2. “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
1.3. In addition:
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
2. EU Transfers. Where Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
2.1. The EU SCCs are hereby incorporated by reference as follows:
(a) Module 2 (Controller to Processor) applies where Customer is a Controller of Personal Data and Provider is a Processor of Personal Data;
(b) Module 3 (Processor to Processor) applies where Customer is a Processor of Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Personal Data;
(c) Customer is the "data exporter" and Provider is the "data importer"; and
(d) by entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.
2.2. For each Module, where applicable the following applies:
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
2.3. Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.
3. Swiss Transfers. Where Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:
3.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
4. UK Transfers. Where Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
4.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
(a) each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;
(b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Personal Data;
(c) in Table 1 of the UK Addendum, the parties’ key contact information is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;
(e) in Table 3 of the UK Addendum:
(i) the list of parties is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(ii) the description of transfer is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(iii) Annex II is located in Schedule 2 (Technical and Organizational Measures) to this DPA; and
(iv) the list of Subprocessors is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA.
(f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and
(g) in Part 2: Part 2 - Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
SCHEDULE 4: Region-Specific Terms
CALIFORNIA
1. Definitions. CCPA/CPRA and other capitalized terms not defined in this Schedule are defined in the DPA.
1.1. “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA/CPRA.
1.2. The definition of “Data Subject” includes “consumer” as defined under the CCPA/CPRA.
1.3. The definition of “Controller” includes “business” as defined under the CCPA/CPRA.
1.4. The definition of “Processor” includes “service provider” as defined under the CCPA/CPRA.
2. Obligations.
2.1. Customer is providing the Personal Data to Abnormal, acting as a service provider, under the Agreement for the limited and specific business purposes of providing the Service as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA or the applicable Privacy Data Sheet, and otherwise performing under the Agreement.
2.2. Abnormal will comply with its applicable obligations under the CCPA/CPRA and provide the same level of privacy protection to Personal Data as is required by the CCPA/CPRA.
2.3. Abnormal acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Abnormal use of Personal Data is consistent with Customer’s obligations under the CCPA/CPRA, (ii) receive from Abnormal notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA/CPRA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
2.4. Abnormal will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA/CPRA.
2.5. Absent Customer Instructions or the Customer’s prior written agreement, or generating Threat Intelligence Data, Abnormal will not retain, use or disclose Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4, or (ii) outside of the direct business relationship between Abnormal with Customer, except, in either case, where and to the extent permitted by the CCPA/CPRA.
2.6. Abnormal will not sell or share Personal Data received under the Agreement.
2.7. Abnormal will not combine Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA/CPRA.
Effective April 7, 2023 to April 20, 2023
DownloadTable of Contents
Abnormal Security
Data Protection Addendum
This Data Protection Addendum (“DPA”) supplements and is incorporated into the Agreement.
1. Definitions.
The definitions of certain capitalized terms used in this DPA are set forth below. Others are defined in the body of the DPA. Capitalized terms not defined in this DPA are defined in the Agreement.
1.1. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
1.2. “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder and the California Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection (“FADP”), (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) and (v) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.
1.3. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.4. “EEA” means European Economic Area.
1.5.“Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Data Protection Laws.
1.6.“Privacy Data Sheet” means the applicable document, if and when made available on the Abnormal Trust Portal and incorporated by reference into this DPA, that describes the Processing activities in relation to the specific Service supplied to Customer under the Agreement.
1.7.“Processing” and inflections thereof refer to any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8.“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
1.9. “Restricted Transfer” means: (i) where EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination, (ii) where UK GDPR applies, a transfer ofPersonal Data from the United Kingdom to any country that is not subject to an adequacy determination, or (iii) where FADP applies, a transfer of Personal Data from Switzerland to any country that is not subject to an adequacy determination.
1.10. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Abnormal.
1.11. “Specified Notice Period” is 48 hours.
1.12. “Subprocessor” means any third party authorized by Abnormal to Process any Personal Data.
1.13. “Subprocessor List” means the list of Abnormal’s Subprocessors as identified below.
1.14. “Trust Portal” means https://security.abnormalsecurity.com/.
2. Scope and Duration.
2.1. Roles of the Parties. This DPA applies to Abnormal as a Processor of Personal Data and to Customer as a Controller or Processor of Personal Data.
2.2. Scope of DPA. This DPA applies to Abnormal’s Processing of Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
2.3. Duration of DPA. This DPA commences on the Agreement Effective Date and terminates upon expiration or termination of the Agreement (or, if later, the date on which Abnormal has ceased all Processing of Personal Data).
2.4. Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses or other measures to which the Parties have agreed in Schedule 3 (Cross-Border Transfer Mechanisms) or Schedule 4 (Region-Specific Terms), (2) this DPA, and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA (including its Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.
3. Processing of Personal Data.
3.1. Customer Instructions.
(a). Abnormal will Process Personal Data as a Processor only: (i) in accordance with Customer Instructions, or (ii) to comply with Abnormal’s obligations under applicable laws, subject to any notice requirements under Data Protection Laws.
(b) “Customer Instructions” means: (i) Processing to provide the Service and as described in the Agreement (including this DPA and the applicable Privacy Data Sheet) and (ii) other reasonable documented instructions of Customer consistent with the terms of the Agreement.
(c) Details regarding the Processing of Personal Data by Abnormal are set forth in Schedule 1 (Subject Matter and Details of Processing) and the applicable Privacy Data Sheet.
(d) Abnormal will notify Customer if it receives an instruction that Abnormal reasonably determines infringes Data Protection Laws (but Abnormal has no obligation to actively monitor Customer’s compliance with Data Protection Laws). In such an instance, Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws.
3.2. Confidentiality.
(a) Abnormal will protect Personal Data in accordance with its confidentiality obligations as set forth in the Agreement.
(b) Abnormal will ensure personnel who Process Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
3.3. Compliance with Laws.
(a) Abnormal and Customer will each comply with Data Protection Laws in their respective Processing of Personal Data.
(b) Customer will comply with Data Protection Laws in its issuing of Customer Instructions to Abnormal. Customer will ensure that it has established all necessary lawful bases under Data Protection Laws to enable Abnormal to lawfully Process Personal Data for the purposes contemplated by the Agreement (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
3.4. Changes to Laws. The Parties will work together in good faith to negotiate an amendment to this DPA as either Party reasonably considers necessary to address the requirements of Data Protection Laws from time to time.
4. Subprocessors.
4.1. Use of Subprocessors.
(a) Customer generally authorizes Abnormal to engage Subprocessors to Process Personal Data. Customer further agrees that Abnormal may engage its Affiliates as Subprocessors.
(b) Abnormal will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA and (ii) remain liable for compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Abnormal to breach any of its obligations under this DPA.
4.2. Subprocessor List. Abnormal will maintain an up-to-date list of its Subprocessors, including their functions and locations, as specified in the Subprocessor List set forth in Schedule 1 or the applicable Privacy Data Sheet.
4.3. Notice of New Subprocessors. Abnormal may update the Subprocessor List from time to time. At least 30 days before any new Subprocessor Processes any Personal Data, Abnormal will add such Subprocessor to the Subprocessor List and notify Customer through email or other means.
4.4. Objection to New Subprocessors.
(a) If, within 30 days after notice of a new Subprocessor, Customer notifies Abnormal in writing that Customer objects to Abnormal’s appointment of such new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith.
(b) If the Parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected Service for convenience and Abnormal will refund any prepaid, unused fees for the terminated portion of the Subscription Term.
5. Security.
5.1. Security Measures. Abnormal will implement and maintain reasonable and appropriate technical and organizational measures, procedures and practices, as appropriate to the nature of the Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Personal Data and protect against Security Incidents, in accordance with Abnormal’s Security Measures referenced in the Agreement and as further described in Schedule 2 (Technical and Organizational Measures). Abnormal will regularly monitor its compliance with its Security Measures and Schedule 2 (Technical and Organizational Measures).
5.2. Incident Notice and Response.
(a) Abnormal will implement and follow procedures to detect and respond to Security Incidents.
(b) Abnormal will: (i) notify Customer without undue delay and, in any event, not later than the Specified Notice Period, after becoming aware of a Security Incident affecting Customer and (ii) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Abnormal’s reasonable control.
(c) Upon Customer’s request and taking into account the nature of the applicable Processing, Abnormal will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws.
(d) Customer acknowledges that Abnormal’s notification of a Security Incident is not an acknowledgement by Abnormal of its fault or liability.
(e) Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
5.3. Customer Responsibilities.
(a) Customer is responsible for reviewing the information made available by Abnormal relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
(b) Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.
6. Data Protection Impact Assessment.
Upon Customer’s request and taking into account the nature of the applicable Processing, to the extent such information is available to Abnormal, Abnormal will assist Customer in fulfilling Customer’s obligations under Data Protection Laws to carry out a data protection impact or similar risk assessment related to Customer’s use of the Service, including, if required by Data Protection Laws, by assisting Customer in consultations with relevant government authorities.
7. Data Subject Requests.
7.1. Assisting Customer. Upon Customer’s request and taking into account the nature of the applicable Processing, Abnormal will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Service).
7.2. Data Subject Requests. If Abnormal receives a request from a Data Subject in relation to the Data Subject’s Personal Data, Abnormal will notify Customer and advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws), and Customer will be responsible for responding to any such request.
8. Data Return or Deletion.
8.1. During Subscription Term. During the Subscription Term, Customer may, through the features of the Service or such other means, access, return to itself or delete Personal Data.
8.2. Post Termination.
(a) Following termination or expiration of the Agreement, Abnormal will, in accordance with its obligations under the Agreement, delete all Personal Data from Abnormal’s systems.
(b) Deletion will be in accordance with industry-standard secure deletion practices. Abnormal will issue a certificate of deletion upon Customer’s request.
(c) Notwithstanding the foregoing, Abnormal may retain Personal Data: (i) as required by Data Protection Laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Abnormal will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Personal Data and (y) not further Process retained Personal Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.
9. Audits.
9.1. Abnormal Records Generally. Abnormal will keep records of its Processing in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer any records reasonably necessary to demonstrate compliance with Abnormal’s obligations under this DPA and Data Protection Laws.
9.2. Third-Party Compliance Program.
(a) Abnormal will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request at reasonable intervals (but not more than once annually) (subject to confidentiality obligations).
(b) Customer may share a copy of Audit Reports with relevant government authorities as required upon their request.
(c) Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by Audit Reports and the procedures of Section 9.3 (Customer Audit) below.
9.3. Customer Audit. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this exhibit by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 9.3 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 9.3 within a mutually agreeable timeframe.
10. Cross-Border Transfers/Region-Specific Terms.
10.1 Cross-Border Data Transfers.
(a) Abnormal (and its Affiliates) may Process and transfer Personal Data globally as necessary to provide the Service.
(b) If Abnormal engages in a Restricted Transfer, it will comply with Schedule 3 (Cross-Border Transfer Mechanisms).
10.2. Region-Specific Terms. To the extent that Abnormal Processes Personal Data protected by Data Protection Laws in one of the regions listed in Schedule 4 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
SCHEDULE 1 – Subject Matter and Details of Processing
Customer may subscribe to the Abnormal Security Trust Portal (the “Trust Portal”) to receive email notifications with detailed information about certain updates to the processing operations of the Abnormal Service, including as published in the applicable Privacy Data Sheet(s). By clicking on the “Subscribe” link located in the upper right-hand corner of the Trust Portal, Customer will receive an email notification when a Trust Center Update in the Trust Portal is made.
A. LIST OF PARTIES
Data exporter(s):
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Data importer(s):
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred |
More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
The Controller has authorised the use of the following Subprocessors: The Subprocessors located on the agreed list available at www.abnormalsecurity.com/trust, the Abnormal Trust Portal, and as published in the applicable Privacy Data Sheet. As of the effective date, the current list of Subprocessors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that customers submit when requesting support may be Processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Customer Relationship Management Software
SCHEDULE 2 – Technical and Organizational Measures
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal. Further up-to-date Service specific technical and organisational measures will be as set out in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers
Access Controls:
- All Data Importer employees and contractors are provided with unique userIDs
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC.
- Default blocked firewall policies.
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Encrypted connectors for databases using SSL.
SCHEDULE 3 – Cross-Border Transfer Mechanism
1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
1.1. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
1.2. “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
1.3. In addition:
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
2. EU Transfers. Where Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
2.1. The EU SCCs are hereby incorporated by reference as follows:
(a) Module 2 (Controller to Processor) applies where Customer is a Controller of Personal Data and Provider is a Processor of Personal Data;
(b) Module 3 (Processor to Processor) applies where Customer is a Processor of Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Personal Data;
(c) Customer is the "data exporter" and Provider is the "data importer"; and
(d) by entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.
2.2. For each Module, where applicable the following applies:
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
2.3. Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.
3. Swiss Transfers. Where Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:
3.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
4. UK Transfers. Where Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
4.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
(a) each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;
(b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Personal Data;
(c) in Table 1 of the UK Addendum, the parties’ key contact information is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;
(e) in Table 3 of the UK Addendum:
(i) the list of parties is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(ii) the description of transfer is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(iii) Annex II is located in Schedule 2 (Technical and Organizational Measures) to this DPA; and
(iv) the list of Subprocessors is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA.
(f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and
(g) in Part 2: Part 2 - Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
SCHEDULE 4: Region-Specific Terms
CALIFORNIA
1. Definitions. CCPA/CPRA and other capitalized terms not defined in this Schedule are defined in the DPA.
1.1. “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA/CPRA.
1.2. The definition of “Data Subject” includes “consumer” as defined under the CCPA/CPRA.
1.3. The definition of “Controller” includes “business” as defined under the CCPA/CPRA.
1.4. The definition of “Processor” includes “service provider” as defined under the CCPA/CPRA.
2. Obligations.
2.1. Customer is providing the Personal Data to Abnormal, acting as a service provider, under the Agreement for the limited and specific business purposes of providing the Service as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA or the applicable Privacy Data Sheet, and otherwise performing under the Agreement.
2.2. Abnormal will comply with its applicable obligations under the CCPA/CPRA and provide the same level of privacy protection to Personal Data as is required by the CCPA/CPRA.
2.3. Abnormal acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Abnormal use of Personal Data is consistent with Customer’s obligations under the CCPA/CPRA, (ii) receive from Abnormal notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA/CPRA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
2.4. Abnormal will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA/CPRA.
2.5. Absent Customer Instructions or the Customer’s prior written agreement, or generating Threat Intelligence Data, Abnormal will not retain, use or disclose Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4, or (ii) outside of the direct business relationship between Abnormal with Customer, except, in either case, where and to the extent permitted by the CCPA/CPRA.
2.6. Abnormal will not sell or share Personal Data received under the Agreement.
2.7. Abnormal will not combine Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA/CPRA.
Effective April 7, 2023 to April 7, 2023
DownloadTable of Contents
Abnormal Security
Data Protection Addendum
This Data Protection Addendum (“DPA”) supplements and is incorporated into the Agreement.
1. Definitions. The definitions of certain capitalized terms used in this DPA are set forth below. Others are defined in the body of the DPA. Capitalized terms not defined in this DPA are defined in the Agreement.
1.1. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
1.2. “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and any binding regulations promulgated thereunder and the California Privacy Rights Act of 2020 (collectively, the “CCPA/CPRA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection (“FADP”), (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) and (v) the UK Data Protection Act 2018; in each case, as updated, amended or replaced from time to time.
1.3. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.4. “EEA” means European Economic Area.
1.5.“Personal Data” means information about an identified or identifiable natural person or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Data Protection Laws.
1.6.“Privacy Data Sheet” means the applicable document, if and when made available on the Abnormal Trust Portal and incorporated by reference into this DPA, that describes the Processing activities in relation to the specific Service supplied to Customer under the Agreement.
1.7.“Processing” and inflections thereof refer to any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8.“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
1.9. “Restricted Transfer” means: (i) where EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy determination, (ii) where UK GDPR applies, a transfer ofPersonal Data from the United Kingdom to any country that is not subject to an adequacy determination, or (iii) where FADP applies, a transfer of Personal Data from Switzerland to any country that is not subject to an adequacy determination.
1.10. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Abnormal.
1.11. “Specified Notice Period” is 48 hours.
1.12. “Subprocessor” means any third party authorized by Abnormal to Process any Personal Data.
1.13. “Subprocessor List” means the list of Abnormal’s Subprocessors as identified below.
1.14. “Trust Portal” means https://security.abnormalsecurity.com/.
2. Scope and Duration.
2.1. Roles of the Parties. This DPA applies to Abnormal as a Processor of Personal Data and to Customer as a Controller or Processor of Personal Data.
2.2. Scope of DPA. This DPA applies to Abnormal’s Processing of Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This DPA is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
2.3. Duration of DPA. This DPA commences on the Agreement Effective Date and terminates upon expiration or termination of the Agreement (or, if later, the date on which Abnormal has ceased all Processing of Personal Data).
2.4. Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses or other measures to which the Parties have agreed in Schedule 3 (Cross-Border Transfer Mechanisms) or Schedule 4 (Region-Specific Terms), (2) this DPA, and (3) the Agreement. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA (including its Schedules) will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Agreement.
3. Processing of Personal Data.
3.1. Customer Instructions.
(a) Abnormal will Process Personal Data as a Processor only: (i) in accordance with Customer Instructions, or (ii) to comply with Abnormal’s obligations under applicable laws, subject to any notice requirements under Data Protection Laws.
(b) “Customer Instructions” means: (i) Processing to provide the Service and as described in the Agreement (including this DPA and the applicable Privacy Data Sheet) and (ii) other reasonable documented instructions of Customer consistent with the terms of the Agreement.
(c) Details regarding the Processing of Personal Data by Abnormal are set forth in Schedule 1 (Subject Matter and Details of Processing) and the applicable Privacy Data Sheet.
(d) Abnormal will notify Customer if it receives an instruction that Abnormal reasonably determines infringes Data Protection Laws (but Abnormal has no obligation to actively monitor Customer’s compliance with Data Protection Laws). In such an instance, Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws.
3.2. Confidentiality.
(a) Abnormal will protect Personal Data in accordance with its confidentiality obligations as set forth in the Agreement.
(b) Abnormal will ensure personnel who Process Personal Data either enter into written confidentiality agreements or are subject to statutory obligations of confidentiality.
3.3. Compliance with Laws.
(a) Abnormal and Customer will each comply with Data Protection Laws in their respective Processing of Personal Data.
(b) Customer will comply with Data Protection Laws in its issuing of Customer Instructions to Abnormal. Customer will ensure that it has established all necessary lawful bases under Data Protection Laws to enable Abnormal to lawfully Process Personal Data for the purposes contemplated by the Agreement (including this DPA), including, as applicable, by obtaining all necessary consents from, and giving all necessary notices to, Data Subjects. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
3.4.Changes to Laws. The Parties will work together in good faith to negotiate an amendment to this DPA as either Party reasonably considers necessary to address the requirements of Data Protection Laws from time to time.
4. Subprocessors.
4.1. Use of Subprocessors.
(a) Customer generally authorizes Abnormal to engage Subprocessors to Process Personal Data. Customer further agrees that Abnormal may engage its Affiliates as Subprocessors.
(b) Abnormal will: (i) enter into a written agreement with each Subprocessor imposing data Processing and protection obligations substantially the same as those set out in this DPA and (ii) remain liable for compliance with the obligations of this DPA and for any acts or omissions of a Subprocessor that cause Abnormal to breach any of its obligations under this DPA.
4.2.Subprocessor List. Abnormal will maintain an up-to-date list of its Subprocessors, including their functions and locations, as specified in the Subprocessor List set forth in Schedule 1 or the applicable Privacy Data Sheet.
4.3.Notice of New Subprocessors. Abnormal may update the Subprocessor List from time to time. At least 30 days before any new Subprocessor Processes any Personal Data, Abnormal will add such Subprocessor to the Subprocessor List and notify Customer through email or other means.
4.4. Objection to New Subprocessors.
(a) If, within 30 days after notice of a new Subprocessor, Customer notifies Abnormal in writing that Customer objects to Abnormal’s appointment of such new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith.
(b) If the Parties are unable to reach a mutually agreeable resolution to Customer’s objection to a new Subprocessor, Customer, as its sole and exclusive remedy, may terminate the Order for the affected Service for convenience and Abnormal will refund any prepaid, unused fees for the terminated portion of the Subscription Term.
5. Security.
5.1.Security Measures. Abnormal will implement and maintain reasonable and appropriate technical and organizational measures, procedures and practices, as appropriate to the nature of the Personal Data, that are designed to protect the security, confidentiality, integrity and availability of Personal Data and protect against Security Incidents, in accordance with Abnormal’s Security Measures referenced in the Agreement and as further described in Schedule 2 (Technical and Organizational Measures). Abnormal will regularly monitor its compliance with its Security Measures and Schedule 2 (Technical and Organizational Measures).
5.2. Incident Notice and Response.
(a) Abnormal will implement and follow procedures to detect and respond to Security Incidents.
(b) Abnormal will: (i) notify Customer without undue delay and, in any event, not later than the Specified Notice Period, after becoming aware of a Security Incident affecting Customer and (ii) make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Abnormal’s reasonable control.
(c) Upon Customer’s request and taking into account the nature of the applicable Processing, Abnormal will assist Customer by providing, when available, information reasonably necessary for Customer to meet its Security Incident notification obligations under Data Protection Laws.
(d) Customer acknowledges that Abnormal’s notification of a Security Incident is not an acknowledgement by Abnormal of its fault or liability.
(e) Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
5.3. Customer Responsibilities.
(a) Customer is responsible for reviewing the information made available by Abnormal relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws.
(b) Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any obligations to give notices to government authorities, affected individuals or others relating to any Security Incidents.
6. Data Protection Impact Assessment. Upon Customer’s request and taking into account the nature of the applicable Processing, to the extent such information is available to Abnormal, Abnormal will assist Customer in fulfilling Customer’s obligations under Data Protection Laws to carry out a data protection impact or similar risk assessment related to Customer’s use of the Service, including, if required by Data Protection Laws, by assisting Customer in consultations with relevant government authorities.
7. Data Subject Requests.
7.1.Assisting Customer. Upon Customer’s request and taking into account the nature of the applicable Processing, Abnormal will assist Customer by appropriate technical and organizational measures, insofar as possible, in complying with Customer’s obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws, provided that Customer cannot reasonably fulfill such requests independently (including through use of the Service).
7.2.Data Subject Requests. If Abnormal receives a request from a Data Subject in relation to the Data Subject’s Personal Data, Abnormal will notify Customer and advise the Data Subject to submit the request to Customer (but not otherwise communicate with the Data Subject regarding the request except as may be required by Data Protection Laws), and Customer will be responsible for responding to any such request.
8. Data Return or Deletion.
8.1.During Subscription Term. During the Subscription Term, Customer may, through the features of the Service or such other means, access, return to itself or delete Personal Data.
8.2. Post Termination.
(a) Following termination or expiration of the Agreement, Abnormal will, in accordance with its obligations under the Agreement, delete all Personal Data from Abnormal’s systems.
(b) Deletion will be in accordance with industry-standard secure deletion practices. Abnormal will issue a certificate of deletion upon Customer’s request.
(c) Notwithstanding the foregoing, Abnormal may retain Personal Data: (i) as required by Data Protection Laws or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Abnormal will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Personal Data and (y) not further Process retained Personal Data except for such purpose(s) and duration specified in such applicable Data Protection Laws.
9. Audits.
9.1.Abnormal Records Generally. Abnormal will keep records of its Processing in compliance with Data Protection Laws and, upon Customer’s request, make available to Customer any records reasonably necessary to demonstrate compliance with Abnormal’s obligations under this DPA and Data Protection Laws.
9.2. Third-Party Compliance Program.
(a) Abnormal will describe its third-party audit and certification programs (if any) and make summary copies of its audit reports (each, an “Audit Report”) available to Customer upon Customer’s written request at reasonable intervals (but not more than once annually) (subject to confidentiality obligations).
(b) Customer may share a copy of Audit Reports with relevant government authorities as required upon their request.
(c) Customer agrees that any audit rights granted by Data Protection Laws will be satisfied by Audit Reports and the procedures of Section 9.3 (Customer Audit) below.
9.3. Customer Audit. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this exhibit by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 9.3 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 9.3 within a mutually agreeable timeframe.
10. Cross-Border Transfers/Region-Specific Terms.
10.1 Cross-Border Data Transfers.
(a) Abnormal (and its Affiliates) may Process and transfer Personal Data globally as necessary to provide the Service.
(b) If Abnormal engages in a Restricted Transfer, it will comply with Schedule 3 (Cross-Border Transfer Mechanisms).
10.2. Region-Specific Terms. To the extent that Abnormal Processes Personal Data protected by Data Protection Laws in one of the regions listed in Schedule 4 (Region-Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
SCHEDULE 1 – Subject Matter and Details of Processing
Customer may subscribe to the Abnormal Security Trust Portal (the “Trust Portal”) to receive email notifications with detailed information about certain updates to the processing operations of the Abnormal Service, including as published in the applicable Privacy Data Sheet(s). By clicking on the “Subscribe” link located in the upper right-hand corner of the Trust Portal, Customer will receive an email notification when a Trust Center Update in the Trust Portal is made.
A. LIST OF PARTIES
Data exporter(s):
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Data importer(s):
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred |
More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
The Controller has authorised the use of the following Subprocessors: The Subprocessors located on the agreed list available at www.abnormalsecurity.com/trust, the Abnormal Trust Portal, and as published in the applicable Privacy Data Sheet. As of the effective date, the current list of Subprocessors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that customers submit when requesting support may be Processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of Processing (including a clear delimitation of responsibilities in case several Subprocessors are authorised): Customer Relationship Management Software
SCHEDULE 2 – Technical and Organizational Measures
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal. Further up-to-date Service specific technical and organisational measures will be as set out in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers
Access Controls:
- All Data Importer employees and contractors are provided with unique userIDs
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC.
- Default blocked firewall policies.
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Encrypted connectors for databases using SSL.
SCHEDULE 3 – Cross-Border Transfer Mechanism
1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.
1.1. “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
1.2. “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.
1.3. In addition:
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
2. EU Transfers. Where Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:
2.1. The EU SCCs are hereby incorporated by reference as follows:
(a) Module 2 (Controller to Processor) applies where Customer is a Controller of Personal Data and Provider is a Processor of Personal Data;
(b) Module 3 (Processor to Processor) applies where Customer is a Processor of Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Personal Data;
(c) Customer is the "data exporter" and Provider is the "data importer"; and
(d) by entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.
2.2. For each Module, where applicable the following applies:
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
2.3. Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.
3. Swiss Transfers. Where Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:
3.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
4. UK Transfers. Where Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:
4.1. The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:
(a) each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;
(b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Personal Data;
(c) in Table 1 of the UK Addendum, the parties’ key contact information is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;
(e) in Table 3 of the UK Addendum:
(i) the list of parties is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(ii) the description of transfer is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;
(iii) Annex II is located in Schedule 2 (Technical and Organizational Measures) to this DPA; and
(iv) the list of Subprocessors is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA.
(f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and
(g) in Part 2: Part 2 - Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section 18 of those Mandatory Clauses.
SCHEDULE 4: Region-Specific Terms
CALIFORNIA
1. Definitions. CCPA/CPRA and other capitalized terms not defined in this Schedule are defined in the DPA.
1.1. “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA/CPRA.
1.2. The definition of “Data Subject” includes “consumer” as defined under the CCPA/CPRA.
1.3. The definition of “Controller” includes “business” as defined under the CCPA/CPRA.
1.4. The definition of “Processor” includes “service provider” as defined under the CCPA/CPRA.
2. Obligations.
2.1. Customer is providing the Personal Data to Abnormal, acting as a service provider, under the Agreement for the limited and specific business purposes of providing the Service as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA or the applicable Privacy Data Sheet, and otherwise performing under the Agreement.
2.2. Abnormal will comply with its applicable obligations under the CCPA/CPRA and provide the same level of privacy protection to Personal Data as is required by the CCPA/CPRA.
2.3. Abnormal acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Abnormal use of Personal Data is consistent with Customer’s obligations under the CCPA/CPRA, (ii) receive from Abnormal notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA/CPRA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
2.4. Abnormal will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA/CPRA.
2.5. Absent Customer Instructions or the Customer’s prior written agreement, or generating Threat Intelligence Data, Abnormal will not retain, use or disclose Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4, or (ii) outside of the direct business relationship between Abnormal with Customer, except, in either case, where and to the extent permitted by the CCPA/CPRA.
2.6. Abnormal will not sell or share Personal Data received under the Agreement.
2.7. Abnormal will not combine Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA/CPRA.
Abnormal Security Acceptable Use Policy
Effective August 1, 2022
DownloadTable of Contents
Abnormal Security Acceptable Use Policy
This Acceptable Use Policy (“AUP”) describes the prohibited uses of the Software as a Service offering (the "Service") provided by Abnormal Security Corporation (“Abnormal"). This AUP is in addition to any other terms and conditions under which Abnormal provides the Service to you. In addition to any other remedies available to Abnormal, if Abnormal determines in its sole discretion that you violate the AUP, we may suspend, limit, or terminate your use of the Service without prior notice or liability. This right applies, even if the breach is unintentional or unauthorized, if we believe that any such suspension, limitation, or termination is necessary to ensure compliance with laws, or to protect the rights, safety, privacy, security, or property (including the Service) of Abnormal or others.
Abnormal may modify this AUP at any time by posting an updated version of this document. Such updates will be effective upon posting. We therefore recommend that you visit the Abnormal website regularly to ensure that your activities conform to the most recent version. Your continued access to and use of the Service constitutes your agreement to be bound by such updates.
The prohibited uses listed below are not exhaustive. Prohibited uses and activities by you, the customer, your users or any third party include, without limitation:
- Violating any applicable laws or regulations (including without limitation data, privacy, and export control laws) or use the Service in a manner that gives rise to civil or criminal liability;
- Intentionally distributing malicious code, viruses, worms, defects, Trojan horses, corrupted files, hoaxes, or any other items of a destructive or deceptive manner;
- Infringing or misappropriating Abnormal’s or any third party’s intellectual property, proprietary or privacy rights;
- Reverse engineering, decompiling, or disassembling the Service or any software used in the provision of the Service;
- Interrupting, or attempting to interrupt, violate, obtain unauthorized access to, disrupt, damage, overburden, breach, or compromise the operation or security of the Service or any networks or systems;
- Using the Service for any reason other than as intended by the parties.
We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this AUP.
Abnormal Security Master Service Agreement - Transactions Entered into Prior to April 5, 2022
Effective April 11, 2022
DownloadTable of Contents
Last Updated November 3, 2021
ABNORMAL SECURITY MASTER SERVICE AGREEMENT
If you have a separate written agreement with Abnormal Security for use of the Service, then this Agreement and the following updates do not apply to you. Customers that entered into an Order Form with Abnormal Security, or an authorized Abnormal Security Partner, for a Subscription to the Service prior to April 5, 2022 shall have their use of the Service governed by the following Agreement. Upon the Customer's next renewal Subscription Term, the updated Agreement for the Subscription shall be the Cloud Terms of Service which will automatically apply as of the renewal Subscription Term unless Customer elects not to renew. In any event, continued use of the Service during the renewal Subscription Term will constitute Customer acceptance of the version of the Cloud Terms of Service in effect at the time the renewal Subscription Term begins.
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
1. DEFINITIONS
The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement.
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party; where “control” means the ownership of greater than fifty percent (51%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company.
“Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support.
“Documentation” means the printed or online materials Abnormal makes generally available that specify the Service’s functionality and capabilities, and all modifications, updates, and upgrades thereto.
“Order Form” means an ordering document to purchase a Subscription to the Service, setting forth details regarding the Subscription, including start and end dates for the Subscription Term, agreed Service quantities, and pricing.
“Partner” means a third-party authorized by Abnormal to resell a Subscription to the Service to Customer.
“Service” means Abnormal’s proprietary, software-as-a-service products, including the Documentation and all software applications, databases, modules, source code, development tools, libraries and utilities that Abnormal uses, creates, and/or maintains in order to provide the Service to Customer, including the modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available on a periodic basis.
“Service Level Agreement” means the Service Level Agreement attached hereto as Exhibit A.
“Subscription” has the meaning given to it in Section 2.1.
“Subscription Term” means the length of the Subscription set forth on the applicable Order Form.
“Support” means the technical support services set forth in Exhibit B.
“Threat Intelligence Data” means Customer de-identified information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware contained in a malicious email message.
“Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
2. ACCESS TO AND USE OF SERVICE
2.1 Right to Access and Use the Service. Subject to the terms of this Agreement, Abnormal grants Customer a royalty-free, nonexclusive, nontransferable, worldwide right and license during each Subscription Term to access and use the Service described in the applicable Order Form for the quantity and for the duration identified in the Order Form (“Subscription”). Any Customer Affiliate may use the Service purchased by Customer under this Agreement. Customer shall be responsible for its Users’ and Customer Affiliates’ use of the Service.
2.2 Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes (e.g., benchmarking); (ii) conduct penetration testing on the Service; (iii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available to any third party, except to a third party that manages Customer’s computing environment; or (iii) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of their components (each, a “Prohibited Use”).
3. ABNORMAL’S OBLIGATIONS
3.1 General. Abnormal will provide the Service in accordance with this Agreement, the Order Form(s), and applicable Documentation. Abnormal will host the Service on its cloud-based infrastructure.
3.2 Availability. Abnormal will make the Service available in accordance with the terms of the Service Level Agreement in Exhibit A, which sets forth Customer’s exclusive remedies for any interruptions in the availability of the Service.
3.3 Support. If Customer experiences any errors, bugs, or other issues in its use of the Service, then Abnormal will provide Support in accordance with Exhibit B. The fee for Support is included in the fee Customer pays for the Subscription.
4. TERM AND TERMINATION
4.1 Term. The term of this Agreement will commence on the Effective Date and will continue for so long as there are active Subscriptions, unless otherwise terminated as permitted by this Agreement (the “Term”).
4.2 Termination for Cause. Either Party may terminate this Agreement or any active Subscription for cause (i) upon 30 days written notice to the other Party of a material breach if such breach remains uncured at the expiration of the 30-day period, or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
4.3 Effect of Termination. If Customer terminates this Agreement or any active Subscription as permitted by Section 4.2 or Section 9.2, or if Abnormal terminates this Agreement or any active Subscription Term as permitted by with Section 11.1, then Abnormal will provide a pro rata refund of any prepaid fees allocable to the remaining Subscription Term(s).
4.4 Survival. The following provisions will survive any termination of this Agreement: Sections 4; 5; 6; 8; 11; 12; and 13.
5. FEES AND PAYMENT
5.1 Fees. Customer will pay the fees for the Subscription set forth on the applicable Order Form. Following execution of the Order Form, Abnormal will submit an invoice to Customer for the Subscription, and payment will be due 30 days from the date of an undisputed invoice unless otherwise set forth on the Order Form (“Due Date”). Except as otherwise set out in this Agreement and any applicable Order Form(s), all fees are non-refundable and non-cancellable. If Customer purchases the Service from a Partner, then all payment terms will be agreed separately between Customer and such Partner.
5.2 Overdue Charges. If any undisputed, invoiced amount is not received by Abnormal by the Due Date, then (i) those charges may accrue late interest at the rate of 3.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and (ii) Abnormal may condition future Subscriptions on receipt of payment for previous Subscriptions and/or payment terms shorter than those specified on the previous Order Form.
5.3 Taxes. The fees payable under this Agreement are exclusive of any sales taxes (unless included on the invoice), or similar governmental sales tax type assessments, excluding any income or franchise taxes on Abnormal (collectively, “Taxes”) with respect to the Service provided to Customer. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement and shall indemnify and/or reimburse Abnormal for all Taxes paid or payable by, demanded from, or assessed upon Abnormal.
6. CONFIDENTIALITY
6.1 Confidential Information. Except as explicitly excluded below, any information of a confidential or proprietary nature provided by a Party (“Disclosing Party”) to the other Party (“Receiving Party”) constitutes the Disclosing Party’s confidential and proprietary information (“Confidential Information”). Abnormal’s Confidential Information includes the Service and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data. Confidential Information does not include information which is (i) already known by the Receiving Party without an obligation of confidentiality other than pursuant to this Agreement; (ii) publicly known or becomes publicly known through no unauthorized act of the Receiving Party; (iii) rightfully received from a third party without a confidentiality obligation to the Disclosing Party; or (iv) independently developed by the Receiving Party without access to the Disclosing Party’s Confidential Information.
6.2 Confidentiality Obligations. Each Party will use the other Party’s Confidential Information only as necessary to perform its obligations under this Agreement, will not disclose the Confidential Information to any third party, and will protect the confidentiality of the Disclosing Party’s Confidential Information with the same standard of care as the Receiving Party uses or would use to protect its own Confidential Information, but in no event will the Receiving Party use less than a reasonable standard of care. Notwithstanding the foregoing, the Receiving Party may share the other Party’s Confidential Information with those of its employees, Affiliates, agents, subcontractors, and representatives who have a need to know such information and who are bound by confidentiality obligations at least as restrictive as those contained herein (each, a “Representative”). Each Party shall be responsible for any breach of confidentiality by any of its Representatives.
6.3 Additional Exclusions. A Receiving Party will not violate its confidentiality obligations if it discloses the Disclosing Party’s Confidential Information if required by applicable laws, including by court subpoena or similar instrument so long as the Receiving Party provides the Disclosing Party with written notice of the required disclosure so as to allow the Disclosing Party to contest or seek to limit the disclosure or obtain a protective order, unless such notice is prohibited by law. If no protective order or other remedy is obtained, the Receiving Party will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
7. DATA PROTECTION
7.1 Customer Data. In connection with its use of the Service, Customer will transfer a limited amount of Customer Data to Abnormal. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service to Customer, and to generate Threat Intelligence Data. Customer shall ensure that it has secured all necessary rights, consents, and permissions to transfer Customer Data to Abnormal for purposes of this Agreement.
7.2 Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards in order to protect Customer Data.
7.3 Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with the “Data Processing Addendum” (or “DPA”) located at: www.abnormalsecurity.com/dpa.
7.4 No Access. Except for Customer Data or as otherwise permitted by this Agreement, Abnormal does not collect, process, store, or otherwise have access to any information or data, including data related to Customer’s network, or users of Customer’s products or services.
8. PROPRIETARY RIGHTS
8.1 Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, and any feedback or suggestions Customer provides to Abnormal with respect to the Service. Except for the limited license granted to Customer in Section 2.1, Abnormal does not by means of this Agreement or otherwise transfer any rights in the Service to Customer, and Customer will take no action inconsistent with Abnormal’s intellectual property rights in the Service.
8.2 Customer Property. Customer owns and retains all right, title, and interest in and to the Customer Data and does not by means of this Agreement or otherwise transfer any rights in the Customer Data to Abnormal, except for the limited license set forth in Section 7.1.
9. REPRESENTATIONS AND WARRANTIES
9.1 Mutual Representations and Warranties. Each Party represents and warrants it has validly entered into this Agreement and has the legal power to do so.
9.2 Limited Warranty. Abnormal warrants that the Service will conform in all material respects with the Documentation. Abnormal shall, as Customer’s sole and exclusive remedy for a breach of this warranty, repair or replace the Service to conform in all material respects to the Documentation, and if Abnormal is unable to restore such conformance within 30 days after the date of written notice of such breach, Customer may terminate the license to the affected Service upon written notice and Abnormal shall promptly provide a pro-rata refund of the fees for the terminated Service.
9.3 Disclaimer. With the exception of the limited warranties set forth in this Section 9, the Service is provided “as is” to the fullest extent permitted by law. Abnormal and its licensors expressly disclaim all other warranties, express or implied, including warranties of performance, merchantability, fitness for any particular purposes, and non-infringement. Abnormal does not warrant that the Service (i) is error-free, (ii) will perform uninterrupted, or (iii) will meet Customer’s requirements.
10. INSURANCE
10.1 Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
10.2 Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
11. INDEMNIFICATION
11.1 By Abnormal. Abnormal will indemnify, defend, and hold harmless Customer, its affiliates, and their respective owners, directors, officers, and employees (collectively, “Customer Indemnitees”) from and against any claim, action, demand, suit or proceeding (each a “Claim”) made or brought by a third party against any of the Customer Indemnitees alleging that Customer’s use of the Service infringes or misappropriates any United States or European Union patent, trademark, copyright, or any other intellectual property of such third party. Abnormal will pay any settlement of such Claim, or any damages finally awarded against any Customer Indemnitees by a court of competent jurisdiction as a result of any such Claim. In connection with any Claim Customer will (i) give Abnormal prompt written notice of the Claim, (ii) give Abnormal sole control of the defense and settlement of the Claim (provided that Abnormal may not settle any Claim without the Customer Indemnitee’s written consent, which will not be unreasonably withheld), and (iii) provide to Abnormal all reasonable assistance, at Abnormal’s request and expense. If Customer’s right to use the Service is, or in Abnormal’s opinion is likely to be, enjoined as the result of a Claim, then Abnormal may, at its sole option and expense, procure for Customer the right to continue using the Service under the terms of this Agreement, or replace or modify the Service so that it is non-infringing and substantially equivalent in functionality to the claimed infringing or enjoined Service. If Abnormal determines that neither of the foregoing is commercially reasonable, then Abnormal may terminate this Agreement and refund to Customer any prepaid fees allocable to the remainder of the Subscription Term. Abnormal will have no indemnification obligations under this Section 11.1 to the extent that a Claim is based on or arises from: (a) use of the Service in a manner other than as expressly permitted in this Agreement; (b) any alteration or modification of the Service except as expressly authorized by Abnormal; or (c) the combination of the Service with any other software, product, or services (to the extent that the alleged infringement arises from such combination). This Section 11.1 sets forth Abnormal’s sole and exclusive liability, and Customer’s exclusive remedies, for any Claim of infringement or misappropriation of intellectual property.
11.2 By Customer. Customer will indemnify, defend, and hold harmless Abnormal, its affiliates, and their respective owners, directors, officers, and employees (collectively, “Abnormal Indemnitees”) from and against any Claim related to Customer or a User engaging in a Prohibited Use. Customer will pay any settlement of and any damages finally awarded against any Abnormal Indemnitee by a court of competent jurisdiction as a result of any such Claim. In connection with any Claim, Abnormal will (i) give Customer prompt written notice of the Claim, (ii) give Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle any Claim without Abnormal’s prior written consent which will not be unreasonably withheld), and (iii) provide to Customer all reasonable assistance, at Customer’s request and expense.
12. LIMITATIONS OF LIABILITY
12.1 NEITHER PARTY NOR ITS AFFILIATES NOR THE OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS OR REPRESENTATIVES OF ANY OF THEM WILL BE LIABLE TO OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, THAT MAY ARISE OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF THE OTHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OR COSTS OCCURRING AND WHETHER SUCH LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, PRODUCTS LIABILITY OR OTHERWISE.
12.2 EACH PARTY HERETO AGREES THAT WITH THE EXCEPTION OF: (I) THE CONFIDENTIALITY OBLIGATIONS UNDER SECTION 6, (II) COMPANY’S BREACH OF ITS SECURITY AND PRIVACY OBLIGATIONS UNDER SECTION 7, AND (III) THE INDEMNIFICATION OBLIGATIONS UNDER SECTION 11 (SECTION 12.2(I) THROUGH 12.2(III), THE “EXCLUDED CLAIMS”), AND ABSENT GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT OF THE OTHER PARTY, IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS AND REPRESENTATIVES, TO THE OTHER PARTY FOR ANY AND ALL DAMAGES, INJURIES, AND LOSSES ARISING OUT OF, BASED ON, RESULTING FROM, OR IN ANY WAY RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID (PLUS ANY AMOUNT PAYABLE) BY CUSTOMER FOR USE OF THE SERVICE UNDER THIS AGREEMENT IN THE 12 MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM GIVING RISE TO SUCH DAMAGES. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT WILL NOT ENLARGE OR EXTEND THE LIMITATION OF MONEY DAMAGES WHICH WILL BE THE CLAIMANT’S SOLE AND EXCLUSIVE REMEDY. WITH RESPECT TO EXCLUDED CLAIMS, THE AMOUNT OF SUCH LIMIT WILL NOT EXCEED THREE TIMES THE TOTAL AMOUNT PAID (PLUS ANY AMOUNT PAYABLE) BY CUSTOMER FOR USE OF THE SERVICE UNDER THIS AGREEMENT.
13. MISCELLANEOUS
This Agreement, including all applicable Order Forms, is the entire agreement between Customer and Abnormal and supersedes all prior agreements and understandings concerning the subject matter hereof and may not be amended or modified except by a writing signed by both Parties. Customer and Abnormal are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between Customer and Abnormal. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California. Any notice provided by one Party to the other under this Agreement will be in writing and sent by electronic mail to the email address listed on the signature page below. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither Party may assign this Agreement without the prior, written consent of the other Party, except that either Party may assign this Agreement without such consent to an affiliate, or in connection with an acquisition of the assigning Party or a sale of all or substantially all of its assets. Each Party represents that its signatory whose signature appears on the Order Form(s) is duly authorized by all necessary corporate or other appropriate action to execute this Agreement.
EXHIBIT A
SERVICE LEVEL AGREEMENT
EXHIBIT A
SERVICE LEVEL AGREEMENT
1. Definitions. For purposes of this Service Level Agreement, the following terms have the meaning given to each term below:
“Downtime” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Maintenance Downtime” means routine maintenance that occurs outside of normal working hours (Pacific Time) and continues for no more than four hours in any one instance, so long as Abnormal provides Customer at least 48 hours prior written notice (including by email) to Customer’s main technical contact on file with Abnormal.
“Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered in a calendar month, divided by the total number of minutes in a calendar month.
“Service Credit” means the number of days by which Abnormal will extend the length of the Subscription Term, at no charge to Customer, according to the table in Section 2, below.
2. Service Level Warranty. During the Term, the Service will be operational and available to Customer at least 99.9% of the time in any calendar month (the “Service Level Warranty”). If the Monthly Uptime Percentage does not meet the Service Level Warranty in any calendar month, and if Customer meets its obligations under this Agreement, then Customer will be eligible to receive Service Credit as follows:
Uptime | Days Credited |
< 99.9% - ≥ 98.0% | 3 |
< 98.0% - ≥ 95.0% | 7 |
< 95.0% | 15 |
3. Customer Must Request Service Credit. To receive Service Credit, Customer must notify Abnormal in writing within 30 days from the time Customer becomes eligible to receive a Service Credit under the terms of this Agreement. Failure to comply with this requirement will forfeit Customer’s right to receive Service Credit.
4. Maximum Service Credit. The aggregate maximum amount of Service Credit for all Downtime that occurs in a single calendar month will not exceed 15 days. Service Credit may not be exchanged for or converted into monetary amounts.
5. Exclusions. The Service Level Warranty does not apply to Service unavailability due to Maintenance Downtime or any performance issues that (i) are caused by riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, earthquakes, or any other causes that are beyond Abnormal’s reasonable control so long as Abnormal uses commercially reasonable efforts to mitigate the effects of such force majeure, (ii) resulted from Customer’s equipment or third party equipment or service (e.g. Customer’s internet connection), or (iii) resulted from Customer’s violation of this Agreement.
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
1. Definitions. For purposes of this Service Level Agreement, the following terms have the meaning given to each term below:
“Error” means a failure of the Service to conform to the published Documentation, resulting in the inability to use, or material restriction in the use of, the Service.
“Escalation” means the process by which Abnormal will work continuously, and at multiple levels of its organization, to address an Error if not addressed within the specified Response Time set forth in Section 4, below.
“Start Time” means the time at which Abnormal first becomes aware of an Error during Abnormal’s regular business hours, following Customer’s initiation of a Support case in accordance with Section 3, below.
2. General. During a Subscription Term, Abnormal will provide the Support described in these Support Terms for Severity 1 Errors, 24 hours a day 7 days a week; and for Severity 2, Severity 3, and Severity 4 Errors, Abnormal will provide Support described in these Support Terms 8 hours a day, 5 days a week (9am – 5pm, Pacific Time, or in Customer’s local time zone if not Pacific Time).
3. Contacts. The Customer Support Contacts may initiate a Support case by emailing support@abnormalsecurity.com or calling 866-466-9321 or 415-326-1372.
4. Priority Levels and Timeframes. Abnormal will establish the Priority Level of an Error and the corresponding Support case in its sole discretion and will use its best efforts to adhere to the Response Times set forth below. If an Error is not addressed within the Response Time set forth below, Abnormal will commence an Escalation.
Severity Level | Description | Response Time |
1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
a. Conditions. Abnormal’s obligation to provide Support is conditioned upon the following: (i) Customer makes reasonable efforts to solve the Error after consulting with Abnormal; (ii) Customer provides Abnormal with sufficient information and resources to correct the Error, as well as any and all assistance reasonably requested by Abnormal; and (iii) Customer procures, installs, and maintains all equipment, telephone lines, communication interfaces and other hardware necessary to access and operate the Service.
b. Exclusions. Abnormal is not obligated to provide Support in the following situations: (i) the problem is caused by Customer’s gross negligence, hardware malfunction, or other causes beyond the reasonable control of Abnormal; or (ii) the problem is with third party software not licensed through or provided by Abnormal (e.g., Customer’s email system).
c. Termination. Abnormal reserves the right to conclude its performance of a particular Support case when, in its reasonable discretion, Abnormal determines that it has provided a satisfactory resolution or workaround to the Error.
Effective April 11, 2022 to April 11, 2022
DownloadTable of Contents
Last Updated November 3, 2021
ABNORMAL SECURITY MASTER SERVICE AGREEMENT
If you have a separate written agreement with Abnormal Security, or an authorized Abnormal Security Partner, for use of the Service, then this Agreement and the following updates do not apply to you. Customers that entered into an Order Form with Abnormal Security for a Subscription to the Service prior to April 5, 2022 shall have their use of the Service governed by the following Agreement. Upon the Customer's next renewal Subscription Term, the updated Agreement for the Subscription shall be the Cloud Terms of Service which will automatically apply as of the renewal Subscription Term unless Customer elects not to renew. In any event, continued use of the Service during the renewal Subscription Term will constitute Customer acceptance of the version of the Cloud Terms of Service in effect at the time the renewal Subscription Term begins.
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
1. DEFINITIONS
The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement.
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party; where “control” means the ownership of greater than fifty percent (51%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company.
“Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support.
“Documentation” means the printed or online materials Abnormal makes generally available that specify the Service’s functionality and capabilities, and all modifications, updates, and upgrades thereto.
“Order Form” means an ordering document to purchase a Subscription to the Service, setting forth details regarding the Subscription, including start and end dates for the Subscription Term, agreed Service quantities, and pricing.
“Partner” means a third-party authorized by Abnormal to resell a Subscription to the Service to Customer.
“Service” means Abnormal’s proprietary, software-as-a-service products, including the Documentation and all software applications, databases, modules, source code, development tools, libraries and utilities that Abnormal uses, creates, and/or maintains in order to provide the Service to Customer, including the modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available on a periodic basis.
“Service Level Agreement” means the Service Level Agreement attached hereto as Exhibit A.
“Subscription” has the meaning given to it in Section 2.1.
“Subscription Term” means the length of the Subscription set forth on the applicable Order Form.
“Support” means the technical support services set forth in Exhibit B.
“Threat Intelligence Data” means Customer de-identified information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware contained in a malicious email message.
“Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
2. ACCESS TO AND USE OF SERVICE
2.1 Right to Access and Use the Service. Subject to the terms of this Agreement, Abnormal grants Customer a royalty-free, nonexclusive, nontransferable, worldwide right and license during each Subscription Term to access and use the Service described in the applicable Order Form for the quantity and for the duration identified in the Order Form (“Subscription”). Any Customer Affiliate may use the Service purchased by Customer under this Agreement. Customer shall be responsible for its Users’ and Customer Affiliates’ use of the Service.
2.2 Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes (e.g., benchmarking); (ii) conduct penetration testing on the Service; (iii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available to any third party, except to a third party that manages Customer’s computing environment; or (iii) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of their components (each, a “Prohibited Use”).
3. ABNORMAL’S OBLIGATIONS
3.1 General. Abnormal will provide the Service in accordance with this Agreement, the Order Form(s), and applicable Documentation. Abnormal will host the Service on its cloud-based infrastructure.
3.2 Availability. Abnormal will make the Service available in accordance with the terms of the Service Level Agreement in Exhibit A, which sets forth Customer’s exclusive remedies for any interruptions in the availability of the Service.
3.3 Support. If Customer experiences any errors, bugs, or other issues in its use of the Service, then Abnormal will provide Support in accordance with Exhibit B. The fee for Support is included in the fee Customer pays for the Subscription.
4. TERM AND TERMINATION
4.1 Term. The term of this Agreement will commence on the Effective Date and will continue for so long as there are active Subscriptions, unless otherwise terminated as permitted by this Agreement (the “Term”).
4.2 Termination for Cause. Either Party may terminate this Agreement or any active Subscription for cause (i) upon 30 days written notice to the other Party of a material breach if such breach remains uncured at the expiration of the 30-day period, or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
4.3 Effect of Termination. If Customer terminates this Agreement or any active Subscription as permitted by Section 4.2 or Section 9.2, or if Abnormal terminates this Agreement or any active Subscription Term as permitted by with Section 11.1, then Abnormal will provide a pro rata refund of any prepaid fees allocable to the remaining Subscription Term(s).
4.4 Survival. The following provisions will survive any termination of this Agreement: Sections 4; 5; 6; 8; 11; 12; and 13.
5. FEES AND PAYMENT
5.1 Fees. Customer will pay the fees for the Subscription set forth on the applicable Order Form. Following execution of the Order Form, Abnormal will submit an invoice to Customer for the Subscription, and payment will be due 30 days from the date of an undisputed invoice unless otherwise set forth on the Order Form (“Due Date”). Except as otherwise set out in this Agreement and any applicable Order Form(s), all fees are non-refundable and non-cancellable. If Customer purchases the Service from a Partner, then all payment terms will be agreed separately between Customer and such Partner.
5.2 Overdue Charges. If any undisputed, invoiced amount is not received by Abnormal by the Due Date, then (i) those charges may accrue late interest at the rate of 3.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and (ii) Abnormal may condition future Subscriptions on receipt of payment for previous Subscriptions and/or payment terms shorter than those specified on the previous Order Form.
5.3 Taxes. The fees payable under this Agreement are exclusive of any sales taxes (unless included on the invoice), or similar governmental sales tax type assessments, excluding any income or franchise taxes on Abnormal (collectively, “Taxes”) with respect to the Service provided to Customer. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement and shall indemnify and/or reimburse Abnormal for all Taxes paid or payable by, demanded from, or assessed upon Abnormal.
6. CONFIDENTIALITY
6.1 Confidential Information. Except as explicitly excluded below, any information of a confidential or proprietary nature provided by a Party (“Disclosing Party”) to the other Party (“Receiving Party”) constitutes the Disclosing Party’s confidential and proprietary information (“Confidential Information”). Abnormal’s Confidential Information includes the Service and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data. Confidential Information does not include information which is (i) already known by the Receiving Party without an obligation of confidentiality other than pursuant to this Agreement; (ii) publicly known or becomes publicly known through no unauthorized act of the Receiving Party; (iii) rightfully received from a third party without a confidentiality obligation to the Disclosing Party; or (iv) independently developed by the Receiving Party without access to the Disclosing Party’s Confidential Information.
6.2 Confidentiality Obligations. Each Party will use the other Party’s Confidential Information only as necessary to perform its obligations under this Agreement, will not disclose the Confidential Information to any third party, and will protect the confidentiality of the Disclosing Party’s Confidential Information with the same standard of care as the Receiving Party uses or would use to protect its own Confidential Information, but in no event will the Receiving Party use less than a reasonable standard of care. Notwithstanding the foregoing, the Receiving Party may share the other Party’s Confidential Information with those of its employees, Affiliates, agents, subcontractors, and representatives who have a need to know such information and who are bound by confidentiality obligations at least as restrictive as those contained herein (each, a “Representative”). Each Party shall be responsible for any breach of confidentiality by any of its Representatives.
6.3 Additional Exclusions. A Receiving Party will not violate its confidentiality obligations if it discloses the Disclosing Party’s Confidential Information if required by applicable laws, including by court subpoena or similar instrument so long as the Receiving Party provides the Disclosing Party with written notice of the required disclosure so as to allow the Disclosing Party to contest or seek to limit the disclosure or obtain a protective order, unless such notice is prohibited by law. If no protective order or other remedy is obtained, the Receiving Party will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
7. DATA PROTECTION
7.1 Customer Data. In connection with its use of the Service, Customer will transfer a limited amount of Customer Data to Abnormal. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service to Customer, and to generate Threat Intelligence Data. Customer shall ensure that it has secured all necessary rights, consents, and permissions to transfer Customer Data to Abnormal for purposes of this Agreement.
7.2 Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards in order to protect Customer Data.
7.3 Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with the “Data Processing Addendum” (or “DPA”) located at: www.abnormalsecurity.com/dpa.
7.4 No Access. Except for Customer Data or as otherwise permitted by this Agreement, Abnormal does not collect, process, store, or otherwise have access to any information or data, including data related to Customer’s network, or users of Customer’s products or services.
8. PROPRIETARY RIGHTS
8.1 Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, and any feedback or suggestions Customer provides to Abnormal with respect to the Service. Except for the limited license granted to Customer in Section 2.1, Abnormal does not by means of this Agreement or otherwise transfer any rights in the Service to Customer, and Customer will take no action inconsistent with Abnormal’s intellectual property rights in the Service.
8.2 Customer Property. Customer owns and retains all right, title, and interest in and to the Customer Data and does not by means of this Agreement or otherwise transfer any rights in the Customer Data to Abnormal, except for the limited license set forth in Section 7.1.
9. REPRESENTATIONS AND WARRANTIES
9.1 Mutual Representations and Warranties. Each Party represents and warrants it has validly entered into this Agreement and has the legal power to do so.
9.2 Limited Warranty. Abnormal warrants that the Service will conform in all material respects with the Documentation. Abnormal shall, as Customer’s sole and exclusive remedy for a breach of this warranty, repair or replace the Service to conform in all material respects to the Documentation, and if Abnormal is unable to restore such conformance within 30 days after the date of written notice of such breach, Customer may terminate the license to the affected Service upon written notice and Abnormal shall promptly provide a pro-rata refund of the fees for the terminated Service.
9.3 Disclaimer. With the exception of the limited warranties set forth in this Section 9, the Service is provided “as is” to the fullest extent permitted by law. Abnormal and its licensors expressly disclaim all other warranties, express or implied, including warranties of performance, merchantability, fitness for any particular purposes, and non-infringement. Abnormal does not warrant that the Service (i) is error-free, (ii) will perform uninterrupted, or (iii) will meet Customer’s requirements.
10. INSURANCE
10.1 Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
10.2 Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
11. INDEMNIFICATION
11.1 By Abnormal. Abnormal will indemnify, defend, and hold harmless Customer, its affiliates, and their respective owners, directors, officers, and employees (collectively, “Customer Indemnitees”) from and against any claim, action, demand, suit or proceeding (each a “Claim”) made or brought by a third party against any of the Customer Indemnitees alleging that Customer’s use of the Service infringes or misappropriates any United States or European Union patent, trademark, copyright, or any other intellectual property of such third party. Abnormal will pay any settlement of such Claim, or any damages finally awarded against any Customer Indemnitees by a court of competent jurisdiction as a result of any such Claim. In connection with any Claim Customer will (i) give Abnormal prompt written notice of the Claim, (ii) give Abnormal sole control of the defense and settlement of the Claim (provided that Abnormal may not settle any Claim without the Customer Indemnitee’s written consent, which will not be unreasonably withheld), and (iii) provide to Abnormal all reasonable assistance, at Abnormal’s request and expense. If Customer’s right to use the Service is, or in Abnormal’s opinion is likely to be, enjoined as the result of a Claim, then Abnormal may, at its sole option and expense, procure for Customer the right to continue using the Service under the terms of this Agreement, or replace or modify the Service so that it is non-infringing and substantially equivalent in functionality to the claimed infringing or enjoined Service. If Abnormal determines that neither of the foregoing is commercially reasonable, then Abnormal may terminate this Agreement and refund to Customer any prepaid fees allocable to the remainder of the Subscription Term. Abnormal will have no indemnification obligations under this Section 11.1 to the extent that a Claim is based on or arises from: (a) use of the Service in a manner other than as expressly permitted in this Agreement; (b) any alteration or modification of the Service except as expressly authorized by Abnormal; or (c) the combination of the Service with any other software, product, or services (to the extent that the alleged infringement arises from such combination). This Section 11.1 sets forth Abnormal’s sole and exclusive liability, and Customer’s exclusive remedies, for any Claim of infringement or misappropriation of intellectual property.
11.2 By Customer. Customer will indemnify, defend, and hold harmless Abnormal, its affiliates, and their respective owners, directors, officers, and employees (collectively, “Abnormal Indemnitees”) from and against any Claim related to Customer or a User engaging in a Prohibited Use. Customer will pay any settlement of and any damages finally awarded against any Abnormal Indemnitee by a court of competent jurisdiction as a result of any such Claim. In connection with any Claim, Abnormal will (i) give Customer prompt written notice of the Claim, (ii) give Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle any Claim without Abnormal’s prior written consent which will not be unreasonably withheld), and (iii) provide to Customer all reasonable assistance, at Customer’s request and expense.
12. LIMITATIONS OF LIABILITY
12.1 NEITHER PARTY NOR ITS AFFILIATES NOR THE OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS OR REPRESENTATIVES OF ANY OF THEM WILL BE LIABLE TO OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, THAT MAY ARISE OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF THE OTHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OR COSTS OCCURRING AND WHETHER SUCH LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, PRODUCTS LIABILITY OR OTHERWISE.
12.2 EACH PARTY HERETO AGREES THAT WITH THE EXCEPTION OF: (I) THE CONFIDENTIALITY OBLIGATIONS UNDER SECTION 6, (II) COMPANY’S BREACH OF ITS SECURITY AND PRIVACY OBLIGATIONS UNDER SECTION 7, AND (III) THE INDEMNIFICATION OBLIGATIONS UNDER SECTION 11 (SECTION 12.2(I) THROUGH 12.2(III), THE “EXCLUDED CLAIMS”), AND ABSENT GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT OF THE OTHER PARTY, IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS AND REPRESENTATIVES, TO THE OTHER PARTY FOR ANY AND ALL DAMAGES, INJURIES, AND LOSSES ARISING OUT OF, BASED ON, RESULTING FROM, OR IN ANY WAY RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID (PLUS ANY AMOUNT PAYABLE) BY CUSTOMER FOR USE OF THE SERVICE UNDER THIS AGREEMENT IN THE 12 MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM GIVING RISE TO SUCH DAMAGES. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT WILL NOT ENLARGE OR EXTEND THE LIMITATION OF MONEY DAMAGES WHICH WILL BE THE CLAIMANT’S SOLE AND EXCLUSIVE REMEDY. WITH RESPECT TO EXCLUDED CLAIMS, THE AMOUNT OF SUCH LIMIT WILL NOT EXCEED THREE TIMES THE TOTAL AMOUNT PAID (PLUS ANY AMOUNT PAYABLE) BY CUSTOMER FOR USE OF THE SERVICE UNDER THIS AGREEMENT.
13. MISCELLANEOUS
This Agreement, including all applicable Order Forms, is the entire agreement between Customer and Abnormal and supersedes all prior agreements and understandings concerning the subject matter hereof and may not be amended or modified except by a writing signed by both Parties. Customer and Abnormal are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between Customer and Abnormal. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California. Any notice provided by one Party to the other under this Agreement will be in writing and sent by electronic mail to the email address listed on the signature page below. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither Party may assign this Agreement without the prior, written consent of the other Party, except that either Party may assign this Agreement without such consent to an affiliate, or in connection with an acquisition of the assigning Party or a sale of all or substantially all of its assets. Each Party represents that its signatory whose signature appears on the Order Form(s) is duly authorized by all necessary corporate or other appropriate action to execute this Agreement.
EXHIBIT A
SERVICE LEVEL AGREEMENT
EXHIBIT A
SERVICE LEVEL AGREEMENT
1. Definitions. For purposes of this Service Level Agreement, the following terms have the meaning given to each term below:
“Downtime” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Maintenance Downtime” means routine maintenance that occurs outside of normal working hours (Pacific Time) and continues for no more than four hours in any one instance, so long as Abnormal provides Customer at least 48 hours prior written notice (including by email) to Customer’s main technical contact on file with Abnormal.
“Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered in a calendar month, divided by the total number of minutes in a calendar month.
“Service Credit” means the number of days by which Abnormal will extend the length of the Subscription Term, at no charge to Customer, according to the table in Section 2, below.
2. Service Level Warranty. During the Term, the Service will be operational and available to Customer at least 99.9% of the time in any calendar month (the “Service Level Warranty”). If the Monthly Uptime Percentage does not meet the Service Level Warranty in any calendar month, and if Customer meets its obligations under this Agreement, then Customer will be eligible to receive Service Credit as follows:
Uptime | Days Credited |
< 99.9% - ≥ 98.0% | 3 |
< 98.0% - ≥ 95.0% | 7 |
< 95.0% | 15 |
3. Customer Must Request Service Credit. To receive Service Credit, Customer must notify Abnormal in writing within 30 days from the time Customer becomes eligible to receive a Service Credit under the terms of this Agreement. Failure to comply with this requirement will forfeit Customer’s right to receive Service Credit.
4. Maximum Service Credit. The aggregate maximum amount of Service Credit for all Downtime that occurs in a single calendar month will not exceed 15 days. Service Credit may not be exchanged for or converted into monetary amounts.
5. Exclusions. The Service Level Warranty does not apply to Service unavailability due to Maintenance Downtime or any performance issues that (i) are caused by riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, earthquakes, or any other causes that are beyond Abnormal’s reasonable control so long as Abnormal uses commercially reasonable efforts to mitigate the effects of such force majeure, (ii) resulted from Customer’s equipment or third party equipment or service (e.g. Customer’s internet connection), or (iii) resulted from Customer’s violation of this Agreement.
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
1. Definitions. For purposes of this Service Level Agreement, the following terms have the meaning given to each term below:
“Error” means a failure of the Service to conform to the published Documentation, resulting in the inability to use, or material restriction in the use of, the Service.
“Escalation” means the process by which Abnormal will work continuously, and at multiple levels of its organization, to address an Error if not addressed within the specified Response Time set forth in Section 4, below.
“Start Time” means the time at which Abnormal first becomes aware of an Error during Abnormal’s regular business hours, following Customer’s initiation of a Support case in accordance with Section 3, below.
2. General. During a Subscription Term, Abnormal will provide the Support described in these Support Terms for Severity 1 Errors, 24 hours a day 7 days a week; and for Severity 2, Severity 3, and Severity 4 Errors, Abnormal will provide Support described in these Support Terms 8 hours a day, 5 days a week (9am – 5pm, Pacific Time, or in Customer’s local time zone if not Pacific Time).
3. Contacts. The Customer Support Contacts may initiate a Support case by emailing support@abnormalsecurity.com or calling 866-466-9321 or 415-326-1372.
4. Priority Levels and Timeframes. Abnormal will establish the Priority Level of an Error and the corresponding Support case in its sole discretion and will use its best efforts to adhere to the Response Times set forth below. If an Error is not addressed within the Response Time set forth below, Abnormal will commence an Escalation.
Severity Level | Description | Response Time |
1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
a. Conditions. Abnormal’s obligation to provide Support is conditioned upon the following: (i) Customer makes reasonable efforts to solve the Error after consulting with Abnormal; (ii) Customer provides Abnormal with sufficient information and resources to correct the Error, as well as any and all assistance reasonably requested by Abnormal; and (iii) Customer procures, installs, and maintains all equipment, telephone lines, communication interfaces and other hardware necessary to access and operate the Service.
b. Exclusions. Abnormal is not obligated to provide Support in the following situations: (i) the problem is caused by Customer’s gross negligence, hardware malfunction, or other causes beyond the reasonable control of Abnormal; or (ii) the problem is with third party software not licensed through or provided by Abnormal (e.g., Customer’s email system).
c. Termination. Abnormal reserves the right to conclude its performance of a particular Support case when, in its reasonable discretion, Abnormal determines that it has provided a satisfactory resolution or workaround to the Error.
Effective April 5, 2022 to April 11, 2022
DownloadTable of Contents
Last Updated November 3, 2021
ABNORMAL SECURITY MASTER SERVICE AGREEMENT
If you have a separate written agreement with Abnormal Security for use of the Service, then this Agreement and the following updates do not apply to you. Customers that entered into an Order Form with Abnormal Security for a Subscription to the Service prior to April 5, 2022 shall have their use of the Service governed by the following Agreement. Upon the Customer's next renewal Subscription Term, the updated Agreement for the Subscription shall be the Cloud Terms of Service which will automatically apply as of the renewal Subscription Term unless Customer elects not to renew. In any event, continued use of the Service during the renewal Subscription Term will constitute Customer acceptance of the version of the Cloud Terms of Service in effect at the time the renewal Subscription Term begins.
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
1. DEFINITIONS
The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement.
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party; where “control” means the ownership of greater than fifty percent (51%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company.
“Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support.
“Documentation” means the printed or online materials Abnormal makes generally available that specify the Service’s functionality and capabilities, and all modifications, updates, and upgrades thereto.
“Order Form” means an ordering document to purchase a Subscription to the Service, setting forth details regarding the Subscription, including start and end dates for the Subscription Term, agreed Service quantities, and pricing.
“Partner” means a third-party authorized by Abnormal to resell a Subscription to the Service to Customer.
“Service” means Abnormal’s proprietary, software-as-a-service products, including the Documentation and all software applications, databases, modules, source code, development tools, libraries and utilities that Abnormal uses, creates, and/or maintains in order to provide the Service to Customer, including the modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available on a periodic basis.
“Service Level Agreement” means the Service Level Agreement attached hereto as Exhibit A.
“Subscription” has the meaning given to it in Section 2.1.
“Subscription Term” means the length of the Subscription set forth on the applicable Order Form.
“Support” means the technical support services set forth in Exhibit B.
“Threat Intelligence Data” means Customer de-identified information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware contained in a malicious email message.
“Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
2. ACCESS TO AND USE OF SERVICE
2.1 Right to Access and Use the Service. Subject to the terms of this Agreement, Abnormal grants Customer a royalty-free, nonexclusive, nontransferable, worldwide right and license during each Subscription Term to access and use the Service described in the applicable Order Form for the quantity and for the duration identified in the Order Form (“Subscription”). Any Customer Affiliate may use the Service purchased by Customer under this Agreement. Customer shall be responsible for its Users’ and Customer Affiliates’ use of the Service.
2.2 Restrictions. Customer will not (and will use commercially reasonable efforts not to allow any third party to): (i) access or use the Service for any competitive purposes (e.g., benchmarking); (ii) conduct penetration testing on the Service; (iii) market, sublicense, resell, lease, loan, transfer, or otherwise commercially exploit or make the Service available to any third party, except to a third party that manages Customer’s computing environment; or (iii) modify, create derivative works of, decompile, reverse engineer, attempt to gain access to the source code of, or copy the Service, or any of their components (each, a “Prohibited Use”).
3. ABNORMAL’S OBLIGATIONS
3.1 General. Abnormal will provide the Service in accordance with this Agreement, the Order Form(s), and applicable Documentation. Abnormal will host the Service on its cloud-based infrastructure.
3.2 Availability. Abnormal will make the Service available in accordance with the terms of the Service Level Agreement in Exhibit A, which sets forth Customer’s exclusive remedies for any interruptions in the availability of the Service.
3.3 Support. If Customer experiences any errors, bugs, or other issues in its use of the Service, then Abnormal will provide Support in accordance with Exhibit B. The fee for Support is included in the fee Customer pays for the Subscription.
4. TERM AND TERMINATION
4.1 Term. The term of this Agreement will commence on the Effective Date and will continue for so long as there are active Subscriptions, unless otherwise terminated as permitted by this Agreement (the “Term”).
4.2 Termination for Cause. Either Party may terminate this Agreement or any active Subscription for cause (i) upon 30 days written notice to the other Party of a material breach if such breach remains uncured at the expiration of the 30-day period, or (ii) if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.
4.3 Effect of Termination. If Customer terminates this Agreement or any active Subscription as permitted by Section 4.2 or Section 9.2, or if Abnormal terminates this Agreement or any active Subscription Term as permitted by with Section 11.1, then Abnormal will provide a pro rata refund of any prepaid fees allocable to the remaining Subscription Term(s).
4.4 Survival. The following provisions will survive any termination of this Agreement: Sections 4; 5; 6; 8; 11; 12; and 13.
5. FEES AND PAYMENT
5.1 Fees. Customer will pay the fees for the Subscription set forth on the applicable Order Form. Following execution of the Order Form, Abnormal will submit an invoice to Customer for the Subscription, and payment will be due 30 days from the date of an undisputed invoice unless otherwise set forth on the Order Form (“Due Date”). Except as otherwise set out in this Agreement and any applicable Order Form(s), all fees are non-refundable and non-cancellable. If Customer purchases the Service from a Partner, then all payment terms will be agreed separately between Customer and such Partner.
5.2 Overdue Charges. If any undisputed, invoiced amount is not received by Abnormal by the Due Date, then (i) those charges may accrue late interest at the rate of 3.0% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, and (ii) Abnormal may condition future Subscriptions on receipt of payment for previous Subscriptions and/or payment terms shorter than those specified on the previous Order Form.
5.3 Taxes. The fees payable under this Agreement are exclusive of any sales taxes (unless included on the invoice), or similar governmental sales tax type assessments, excluding any income or franchise taxes on Abnormal (collectively, “Taxes”) with respect to the Service provided to Customer. Unless Customer provides Abnormal with a valid exemption certificate, Customer is solely responsible for paying all Taxes associated with or arising from this Agreement and shall indemnify and/or reimburse Abnormal for all Taxes paid or payable by, demanded from, or assessed upon Abnormal.
6. CONFIDENTIALITY
6.1 Confidential Information. Except as explicitly excluded below, any information of a confidential or proprietary nature provided by a Party (“Disclosing Party”) to the other Party (“Receiving Party”) constitutes the Disclosing Party’s confidential and proprietary information (“Confidential Information”). Abnormal’s Confidential Information includes the Service and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data. Confidential Information does not include information which is (i) already known by the Receiving Party without an obligation of confidentiality other than pursuant to this Agreement; (ii) publicly known or becomes publicly known through no unauthorized act of the Receiving Party; (iii) rightfully received from a third party without a confidentiality obligation to the Disclosing Party; or (iv) independently developed by the Receiving Party without access to the Disclosing Party’s Confidential Information.
6.2 Confidentiality Obligations. Each Party will use the other Party’s Confidential Information only as necessary to perform its obligations under this Agreement, will not disclose the Confidential Information to any third party, and will protect the confidentiality of the Disclosing Party’s Confidential Information with the same standard of care as the Receiving Party uses or would use to protect its own Confidential Information, but in no event will the Receiving Party use less than a reasonable standard of care. Notwithstanding the foregoing, the Receiving Party may share the other Party’s Confidential Information with those of its employees, Affiliates, agents, subcontractors, and representatives who have a need to know such information and who are bound by confidentiality obligations at least as restrictive as those contained herein (each, a “Representative”). Each Party shall be responsible for any breach of confidentiality by any of its Representatives.
6.3 Additional Exclusions. A Receiving Party will not violate its confidentiality obligations if it discloses the Disclosing Party’s Confidential Information if required by applicable laws, including by court subpoena or similar instrument so long as the Receiving Party provides the Disclosing Party with written notice of the required disclosure so as to allow the Disclosing Party to contest or seek to limit the disclosure or obtain a protective order, unless such notice is prohibited by law. If no protective order or other remedy is obtained, the Receiving Party will disclose only that portion of the Confidential Information that is legally required, and agrees to exercise reasonable efforts to ensure that confidential treatment will be accorded to such Confidential Information.
7. DATA PROTECTION
7.1 Customer Data. In connection with its use of the Service, Customer will transfer a limited amount of Customer Data to Abnormal. Customer grants Abnormal a license during each Subscription Term to use Customer Data to provide the Service to Customer, and to generate Threat Intelligence Data. Customer shall ensure that it has secured all necessary rights, consents, and permissions to transfer Customer Data to Abnormal for purposes of this Agreement.
7.2 Security. Abnormal maintains industry-standard physical, technical, and administrative safeguards in order to protect Customer Data.
7.3 Data Processing Addendum. Abnormal will process Customer Data in accordance with and each Party will comply with the “Data Processing Addendum” (or “DPA”) located at: www.abnormalsecurity.com/dpa.
7.4 No Access. Except for Customer Data or as otherwise permitted by this Agreement, Abnormal does not collect, process, store, or otherwise have access to any information or data, including data related to Customer’s network, or users of Customer’s products or services.
8. PROPRIETARY RIGHTS
8.1 Abnormal Property. Abnormal owns and retains all right, title, and interest in and to the Service, Threat Intelligence Data, and any feedback or suggestions Customer provides to Abnormal with respect to the Service. Except for the limited license granted to Customer in Section 2.1, Abnormal does not by means of this Agreement or otherwise transfer any rights in the Service to Customer, and Customer will take no action inconsistent with Abnormal’s intellectual property rights in the Service.
8.2 Customer Property. Customer owns and retains all right, title, and interest in and to the Customer Data and does not by means of this Agreement or otherwise transfer any rights in the Customer Data to Abnormal, except for the limited license set forth in Section 7.1.
9. REPRESENTATIONS AND WARRANTIES
9.1 Mutual Representations and Warranties. Each Party represents and warrants it has validly entered into this Agreement and has the legal power to do so.
9.2 Limited Warranty. Abnormal warrants that the Service will conform in all material respects with the Documentation. Abnormal shall, as Customer’s sole and exclusive remedy for a breach of this warranty, repair or replace the Service to conform in all material respects to the Documentation, and if Abnormal is unable to restore such conformance within 30 days after the date of written notice of such breach, Customer may terminate the license to the affected Service upon written notice and Abnormal shall promptly provide a pro-rata refund of the fees for the terminated Service.
9.3 Disclaimer. With the exception of the limited warranties set forth in this Section 9, the Service is provided “as is” to the fullest extent permitted by law. Abnormal and its licensors expressly disclaim all other warranties, express or implied, including warranties of performance, merchantability, fitness for any particular purposes, and non-infringement. Abnormal does not warrant that the Service (i) is error-free, (ii) will perform uninterrupted, or (iii) will meet Customer’s requirements.
10. INSURANCE
10.1 Abnormal will maintain in full force and effect during the term of this Agreement:
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
(b) Worker’s compensation insurance as required by applicable law, including employer’s liability coverage for injury, disease and death, with coverage limits of not less than $1,000,000 per accident and employee;
(c) Umbrella liability insurance on an occurrence form, for limits of not less than $3,000,000 per occurrence and in the aggregate; and
(d) Technology Errors & Omissions and Cyber-risk insurance on a claims-made form, for limits of not less than $10,000,000 annual aggregate covering liabilities for financial loss resulting or arising from acts, errors or omissions in the rendering of the Service, or from data damage, destruction, or corruption, including without limitation, unauthorized access, unauthorized use, virus transmission, denial of service, and violation of privacy from network security failures in connection with the Service.
10.2 Insurance carriers will be rated A-VII or better by A.M. Best Provider. Abnormal’s coverage will be considered primary without right of contribution of Customer’s insurance policies. In no event will the foregoing coverage limits affect or limit Abnormal’s contractual liability, including for indemnification obligations, under this Agreement.
11. INDEMNIFICATION
11.1 By Abnormal. Abnormal will indemnify, defend, and hold harmless Customer, its affiliates, and their respective owners, directors, officers, and employees (collectively, “Customer Indemnitees”) from and against any claim, action, demand, suit or proceeding (each a “Claim”) made or brought by a third party against any of the Customer Indemnitees alleging that Customer’s use of the Service infringes or misappropriates any United States or European Union patent, trademark, copyright, or any other intellectual property of such third party. Abnormal will pay any settlement of such Claim, or any damages finally awarded against any Customer Indemnitees by a court of competent jurisdiction as a result of any such Claim. In connection with any Claim Customer will (i) give Abnormal prompt written notice of the Claim, (ii) give Abnormal sole control of the defense and settlement of the Claim (provided that Abnormal may not settle any Claim without the Customer Indemnitee’s written consent, which will not be unreasonably withheld), and (iii) provide to Abnormal all reasonable assistance, at Abnormal’s request and expense. If Customer’s right to use the Service is, or in Abnormal’s opinion is likely to be, enjoined as the result of a Claim, then Abnormal may, at its sole option and expense, procure for Customer the right to continue using the Service under the terms of this Agreement, or replace or modify the Service so that it is non-infringing and substantially equivalent in functionality to the claimed infringing or enjoined Service. If Abnormal determines that neither of the foregoing is commercially reasonable, then Abnormal may terminate this Agreement and refund to Customer any prepaid fees allocable to the remainder of the Subscription Term. Abnormal will have no indemnification obligations under this Section 11.1 to the extent that a Claim is based on or arises from: (a) use of the Service in a manner other than as expressly permitted in this Agreement; (b) any alteration or modification of the Service except as expressly authorized by Abnormal; or (c) the combination of the Service with any other software, product, or services (to the extent that the alleged infringement arises from such combination). This Section 11.1 sets forth Abnormal’s sole and exclusive liability, and Customer’s exclusive remedies, for any Claim of infringement or misappropriation of intellectual property.
11.2 By Customer. Customer will indemnify, defend, and hold harmless Abnormal, its affiliates, and their respective owners, directors, officers, and employees (collectively, “Abnormal Indemnitees”) from and against any Claim related to Customer or a User engaging in a Prohibited Use. Customer will pay any settlement of and any damages finally awarded against any Abnormal Indemnitee by a court of competent jurisdiction as a result of any such Claim. In connection with any Claim, Abnormal will (i) give Customer prompt written notice of the Claim, (ii) give Customer sole control of the defense and settlement of the Claim (provided that Customer may not settle any Claim without Abnormal’s prior written consent which will not be unreasonably withheld), and (iii) provide to Customer all reasonable assistance, at Customer’s request and expense.
12. LIMITATIONS OF LIABILITY
12.1 NEITHER PARTY NOR ITS AFFILIATES NOR THE OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS OR REPRESENTATIVES OF ANY OF THEM WILL BE LIABLE TO OTHER PARTY FOR ANY INCIDENTAL, INDIRECT, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, THAT MAY ARISE OUT OF OR IN CONNECTION WITH THIS AGREEMENT, EVEN IF THE OTHER PARTY HAS BEEN NOTIFIED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES OR COSTS OCCURRING AND WHETHER SUCH LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, PRODUCTS LIABILITY OR OTHERWISE.
12.2 EACH PARTY HERETO AGREES THAT WITH THE EXCEPTION OF: (I) THE CONFIDENTIALITY OBLIGATIONS UNDER SECTION 6, (II) COMPANY’S BREACH OF ITS SECURITY AND PRIVACY OBLIGATIONS UNDER SECTION 7, AND (III) THE INDEMNIFICATION OBLIGATIONS UNDER SECTION 11 (SECTION 12.2(I) THROUGH 12.2(III), THE “EXCLUDED CLAIMS”), AND ABSENT GROSS NEGLIGENCE OR INTENTIONAL MISCONDUCT OF THE OTHER PARTY, IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY, OR THEIR RESPECTIVE AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, SHAREHOLDERS, AGENTS AND REPRESENTATIVES, TO THE OTHER PARTY FOR ANY AND ALL DAMAGES, INJURIES, AND LOSSES ARISING OUT OF, BASED ON, RESULTING FROM, OR IN ANY WAY RELATED TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT PAID (PLUS ANY AMOUNT PAYABLE) BY CUSTOMER FOR USE OF THE SERVICE UNDER THIS AGREEMENT IN THE 12 MONTH PERIOD IMMEDIATELY PRECEDING THE CLAIM GIVING RISE TO SUCH DAMAGES. THE EXISTENCE OF MULTIPLE CLAIMS OR SUITS UNDER OR RELATED TO THIS AGREEMENT WILL NOT ENLARGE OR EXTEND THE LIMITATION OF MONEY DAMAGES WHICH WILL BE THE CLAIMANT’S SOLE AND EXCLUSIVE REMEDY. WITH RESPECT TO EXCLUDED CLAIMS, THE AMOUNT OF SUCH LIMIT WILL NOT EXCEED THREE TIMES THE TOTAL AMOUNT PAID (PLUS ANY AMOUNT PAYABLE) BY CUSTOMER FOR USE OF THE SERVICE UNDER THIS AGREEMENT.
13. MISCELLANEOUS
This Agreement, including all applicable Order Forms, is the entire agreement between Customer and Abnormal and supersedes all prior agreements and understandings concerning the subject matter hereof and may not be amended or modified except by a writing signed by both Parties. Customer and Abnormal are independent contractors, and this Agreement will not establish any relationship of partnership, joint venture, or agency between Customer and Abnormal. Failure to exercise any right under this Agreement will not constitute a waiver. There are no third-party beneficiaries to this Agreement. This Agreement is governed by the laws of the State of California without reference to conflicts of law rules. For any dispute relating to this Agreement, the Parties consent to personal jurisdiction and the exclusive venue of the courts in San Francisco County, California. Any notice provided by one Party to the other under this Agreement will be in writing and sent by electronic mail to the email address listed on the signature page below. If any provision of this Agreement is found unenforceable, this Agreement will be construed as if it had not been included. Neither Party may assign this Agreement without the prior, written consent of the other Party, except that either Party may assign this Agreement without such consent to an affiliate, or in connection with an acquisition of the assigning Party or a sale of all or substantially all of its assets. Each Party represents that its signatory whose signature appears on the Order Form(s) is duly authorized by all necessary corporate or other appropriate action to execute this Agreement.
EXHIBIT A
SERVICE LEVEL AGREEMENT
EXHIBIT A
SERVICE LEVEL AGREEMENT
1. Definitions. For purposes of this Service Level Agreement, the following terms have the meaning given to each term below:
“Downtime” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Maintenance Downtime” means routine maintenance that occurs outside of normal working hours (Pacific Time) and continues for no more than four hours in any one instance, so long as Abnormal provides Customer at least 48 hours prior written notice (including by email) to Customer’s main technical contact on file with Abnormal.
“Monthly Uptime Percentage” means the total number of minutes in a calendar month minus the number of minutes of Downtime suffered in a calendar month, divided by the total number of minutes in a calendar month.
“Service Credit” means the number of days by which Abnormal will extend the length of the Subscription Term, at no charge to Customer, according to the table in Section 2, below.
2. Service Level Warranty. During the Term, the Service will be operational and available to Customer at least 99.9% of the time in any calendar month (the “Service Level Warranty”). If the Monthly Uptime Percentage does not meet the Service Level Warranty in any calendar month, and if Customer meets its obligations under this Agreement, then Customer will be eligible to receive Service Credit as follows:
Uptime | Days Credited |
< 99.9% - ≥ 98.0% | 3 |
< 98.0% - ≥ 95.0% | 7 |
< 95.0% | 15 |
3. Customer Must Request Service Credit. To receive Service Credit, Customer must notify Abnormal in writing within 30 days from the time Customer becomes eligible to receive a Service Credit under the terms of this Agreement. Failure to comply with this requirement will forfeit Customer’s right to receive Service Credit.
4. Maximum Service Credit. The aggregate maximum amount of Service Credit for all Downtime that occurs in a single calendar month will not exceed 15 days. Service Credit may not be exchanged for or converted into monetary amounts.
5. Exclusions. The Service Level Warranty does not apply to Service unavailability due to Maintenance Downtime or any performance issues that (i) are caused by riots, insurrection, fires, flood, storm, explosions, acts of God, war, terrorism, earthquakes, or any other causes that are beyond Abnormal’s reasonable control so long as Abnormal uses commercially reasonable efforts to mitigate the effects of such force majeure, (ii) resulted from Customer’s equipment or third party equipment or service (e.g. Customer’s internet connection), or (iii) resulted from Customer’s violation of this Agreement.
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
1. Definitions. For purposes of this Service Level Agreement, the following terms have the meaning given to each term below:
“Error” means a failure of the Service to conform to the published Documentation, resulting in the inability to use, or material restriction in the use of, the Service.
“Escalation” means the process by which Abnormal will work continuously, and at multiple levels of its organization, to address an Error if not addressed within the specified Response Time set forth in Section 4, below.
“Start Time” means the time at which Abnormal first becomes aware of an Error during Abnormal’s regular business hours, following Customer’s initiation of a Support case in accordance with Section 3, below.
2. General. During a Subscription Term, Abnormal will provide the Support described in these Support Terms for Severity 1 Errors, 24 hours a day 7 days a week; and for Severity 2, Severity 3, and Severity 4 Errors, Abnormal will provide Support described in these Support Terms 8 hours a day, 5 days a week (9am – 5pm, Pacific Time, or in Customer’s local time zone if not Pacific Time).
3. Contacts. The Customer Support Contacts may initiate a Support case by emailing support@abnormalsecurity.com or calling 866-466-9321 or 415-326-1372.
4. Priority Levels and Timeframes. Abnormal will establish the Priority Level of an Error and the corresponding Support case in its sole discretion and will use its best efforts to adhere to the Response Times set forth below. If an Error is not addressed within the Response Time set forth below, Abnormal will commence an Escalation.
Severity Level | Description | Response Time |
1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
a. Conditions. Abnormal’s obligation to provide Support is conditioned upon the following: (i) Customer makes reasonable efforts to solve the Error after consulting with Abnormal; (ii) Customer provides Abnormal with sufficient information and resources to correct the Error, as well as any and all assistance reasonably requested by Abnormal; and (iii) Customer procures, installs, and maintains all equipment, telephone lines, communication interfaces and other hardware necessary to access and operate the Service.
b. Exclusions. Abnormal is not obligated to provide Support in the following situations: (i) the problem is caused by Customer’s gross negligence, hardware malfunction, or other causes beyond the reasonable control of Abnormal; or (ii) the problem is with third party software not licensed through or provided by Abnormal (e.g., Customer’s email system).
c. Termination. Abnormal reserves the right to conclude its performance of a particular Support case when, in its reasonable discretion, Abnormal determines that it has provided a satisfactory resolution or workaround to the Error.
Abnormal Security Data Processing Addendum - Transactions April 6, 2023 and Prior
Effective April 7, 2023
DownloadTable of Contents
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM - Transactions Prior to April 7, 2023
If you have a separate written data processing addendum with Abnormal Security related to your use of the Service, then this Addendum and the following updates do not apply. Customers that entered into an Order with Abnormal Security, or an authorized Abnormal Security Partner, for a Subscription to the Service prior to April 7, 2023 shall have the data processing addendum set forth below govern the processing of personal data by the Service. Upon the Customer's next renewal Subscription Term or a subscription to Abnormal Security's new products, the updated data processing addendum shall be the Abnormal Security Data Processing Addendum [LINK], which will automatically apply unless Customer elects not to renew. In any event, continued use of the Service during the renewal Subscription Term will constitute Customer acceptance of the Data Processing Addendum in effect at the time the renewal Subscription Term begins.
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services The Parties agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this Section 1 or within the body of this Addendum have the respective meanings given to them in the Agreement.
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” as defined in the GDPR and in the UK GDPR), or an “individual” as defined in ANZ Privacy Law, as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021, and attached to this Addendum as Exhibit 1 (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
2. Compliance with laws. Each Party will comply with the Data Protection Laws as applicable to it, including with respect to the Processing of Personal Data.
3. Customer obligations. Customer as Controller undertakes that all instructions for the Processing of Personal Data under the Agreement or this Addendum or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not in any way cause Abnormal to be in breach of any Data Protection Laws. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
4. Data Processing. Abnormal will Process the Personal Data for the sole purpose of providing the Service and Support to Customer. Abnormal will Process the Personal Data in accordance with Customer’s instructions as documented in the Agreement and this Addendum for the term of the Agreement. Abnormal will not access, use or otherwise Process such Personal Data, except as necessary to provide the Service and Support.
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
5. Requirements for GDPR Personal Data. This Section 5 shall only apply to Abnormal’s Processing of GDPR Personal Data as permitted by the Agreement. This Addendum, together with the Agreement, serves as the binding contract referred to in Article 28(3) of the GDPR and Section 59 of the UK GDPR that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the Controller. In the provision of the Service and Support by Abnormal to Customer pursuant to the Agreement, Customer acts as Controller and Abnormal acts as Processor with respect to the Personal Data. Abnormal may process Personal Data in connection with its provision of the Service and Support in countries that have different data protection regulations than the GDPR and the UK GDPR (“Third Countries”). In such event, subject to the terms of this Addendum, the Standard Contractual Clauses in the form provided in Exhibit 1 and Exhibit 2 of this Addendum (as applicable) will govern the transfer of Personal Data to such Third Countries, including to Subprocessors in such Third Countries, unless the transfer of Personal Data occurs via an alternative means permitted by relevant Data Protection Laws.
6. Requirements for CCPA Personal Information. This Section 6 shall only apply to Abnormal’s Processing of CCPA Personal Information as permitted by the Agreement. For the purposes of the CCPA, Abnormal and Customer acknowledge and agree that Abnormal will act as a “service provider” (as defined in the CCPA) in its performance of its obligations under the Agreement. Abnormal shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purposes of providing the Service and Support, or as otherwise permitted by the CCPA. Abnormal acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Service and Support, generating Threat Intelligence Data, and performing its obligations under the Agreement. Processing CCPA Personal Information outside the scope of this Addendum or the Agreement will require prior written agreement between the Customer and Abnormal on additional instructions for Processing. Abnormal will not “sell” (as defined in the CCPA) any CCPA Personal Information.
7. Technical and organizational security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Abnormal will in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk presented by Processing, as further described on Annex II to Exhibit 1 of this Addendum.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
8. Data Subjects rights. Abnormal will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Abnormal will (i) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete its Personal Data without responding to that request, and (ii) upon written request from Customer, provide Customer with information that Abnormal has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
9. Data Protection Impact Assessments. If Customer is required under the Data Protection Laws to conduct a data protection impact assessment, then upon written request from Customer, Abnormal will assist where reasonably possible in the fulfilment of the Customer’s obligation as related to its use of the Service and Support, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws Abnormal will provide reasonable assistance to Customer in the cooperation or prior consultation with the Data Protection Authorities in relation to any applicable data protection impact assessment.
10. Audit of Technical and Organizational Measures. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this Addendum by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. The Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 10 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 10 within a mutually agreeable timeframe.
11. Breach notification. If Abnormal becomes aware of a Personal Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, which is likely to cause a risk to the fundamental rights and freedoms of the Data Subjects, then Abnormal will notify Customer without undue delay after becoming aware of such Personal Data Breach and will cooperate with the Customer and take such commercially reasonable steps as agreed with Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach. Abnormal will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations in case of a Personal Data Breach pursuant to Data Protection laws, including Articles 33 and 34 of the GDPR and Sections 67 and 68 of the UK GDPR.
12. Subprocessing. Customer agrees that Abnormal may appoint either Abnormal affiliated companies or third party providers as sub-Processors under the Agreement and this Addendum (“Subprocessors”) and hereby authorizes Abnormal to engage such Subprocessors in the provision of the Service and Support. Abnormal will restrict the Processing activities performed by Subprocessors to only what is strictly necessary to provide the Service to Customer pursuant to the Agreement and this Addendum. Abnormal will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Addendum, and Abnormal will remain responsible for the Subprocessors’ compliance with the obligations under this Addendum.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing the reasons of its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
13. Return or Deletion of Personal Data. Abnormal will delete or return, in Customer’s discretion and upon Customer’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.
14. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. In the event of any conflict between the Addendum and the Standard Contractual Clauses in Exhibit 1 or 2, the Standard Contractual Clauses shall prevail.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
b. The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b.The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
c. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non- compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
d. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
e. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
a. GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub- processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s request, a copy of such a sub- processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
a. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
b. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
i. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
ii. refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
i. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
ii. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Ireland.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.
APPENDIX (GDPR SCCs)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers
Access Controls:
- All Data Importer employees and contractors are provided with unique userIDs
- Access is only granted to employees whose role requires it
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Customer Relationship Management Software
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | ||
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK The address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation 185 Clara Street, Suite 100, San Francisco, CA 94107, United States Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer - Exporter X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6 . If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Effective August 31, 2022 to April 7, 2023
DownloadTable of Contents
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services The Parties agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this Section 1 or within the body of this Addendum have the respective meanings given to them in the Agreement.
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” as defined in the GDPR and in the UK GDPR), or an “individual” as defined in ANZ Privacy Law, as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021, and attached to this Addendum as Exhibit 1 (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
2. Compliance with laws. Each Party will comply with the Data Protection Laws as applicable to it, including with respect to the Processing of Personal Data.
3. Customer obligations. Customer as Controller undertakes that all instructions for the Processing of Personal Data under the Agreement or this Addendum or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not in any way cause Abnormal to be in breach of any Data Protection Laws. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
4. Data Processing. Abnormal will Process the Personal Data for the sole purpose of providing the Service and Support to Customer. Abnormal will Process the Personal Data in accordance with Customer’s instructions as documented in the Agreement and this Addendum for the term of the Agreement. Abnormal will not access, use or otherwise Process such Personal Data, except as necessary to provide the Service and Support.
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
5. Requirements for GDPR Personal Data. This Section 5 shall only apply to Abnormal’s Processing of GDPR Personal Data as permitted by the Agreement. This Addendum, together with the Agreement, serves as the binding contract referred to in Article 28(3) of the GDPR and Section 59 of the UK GDPR that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the Controller. In the provision of the Service and Support by Abnormal to Customer pursuant to the Agreement, Customer acts as Controller and Abnormal acts as Processor with respect to the Personal Data. Abnormal may process Personal Data in connection with its provision of the Service and Support in countries that have different data protection regulations than the GDPR and the UK GDPR (“Third Countries”). In such event, subject to the terms of this Addendum, the Standard Contractual Clauses in the form provided in Exhibit 1 and Exhibit 2 of this Addendum (as applicable) will govern the transfer of Personal Data to such Third Countries, including to Subprocessors in such Third Countries, unless the transfer of Personal Data occurs via an alternative means permitted by relevant Data Protection Laws.
6. Requirements for CCPA Personal Information. This Section 6 shall only apply to Abnormal’s Processing of CCPA Personal Information as permitted by the Agreement. For the purposes of the CCPA, Abnormal and Customer acknowledge and agree that Abnormal will act as a “service provider” (as defined in the CCPA) in its performance of its obligations under the Agreement. Abnormal shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purposes of providing the Service and Support, or as otherwise permitted by the CCPA. Abnormal acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Service and Support, generating Threat Intelligence Data, and performing its obligations under the Agreement. Processing CCPA Personal Information outside the scope of this Addendum or the Agreement will require prior written agreement between the Customer and Abnormal on additional instructions for Processing. Abnormal will not “sell” (as defined in the CCPA) any CCPA Personal Information.
7. Technical and organizational security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Abnormal will in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk presented by Processing, as further described on Annex II to Exhibit 1 of this Addendum.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
8. Data Subjects rights. Abnormal will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Abnormal will (i) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete its Personal Data without responding to that request, and (ii) upon written request from Customer, provide Customer with information that Abnormal has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
9. Data Protection Impact Assessments. If Customer is required under the Data Protection Laws to conduct a data protection impact assessment, then upon written request from Customer, Abnormal will assist where reasonably possible in the fulfilment of the Customer’s obligation as related to its use of the Service and Support, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws Abnormal will provide reasonable assistance to Customer in the cooperation or prior consultation with the Data Protection Authorities in relation to any applicable data protection impact assessment.
10. Audit of Technical and Organizational Measures. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this Addendum by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. The Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 10 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 10 within a mutually agreeable timeframe.
11. Breach notification. If Abnormal becomes aware of a Personal Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, which is likely to cause a risk to the fundamental rights and freedoms of the Data Subjects, then Abnormal will notify Customer without undue delay after becoming aware of such Personal Data Breach and will cooperate with the Customer and take such commercially reasonable steps as agreed with Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach. Abnormal will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations in case of a Personal Data Breach pursuant to Data Protection laws, including Articles 33 and 34 of the GDPR and Sections 67 and 68 of the UK GDPR.
12. Subprocessing. Customer agrees that Abnormal may appoint either Abnormal affiliated companies or third party providers as sub-Processors under the Agreement and this Addendum (“Subprocessors”) and hereby authorizes Abnormal to engage such Subprocessors in the provision of the Service and Support. Abnormal will restrict the Processing activities performed by Subprocessors to only what is strictly necessary to provide the Service to Customer pursuant to the Agreement and this Addendum. Abnormal will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Addendum, and Abnormal will remain responsible for the Subprocessors’ compliance with the obligations under this Addendum.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing the reasons of its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
13. Return or Deletion of Personal Data. Abnormal will delete or return, in Customer’s discretion and upon Customer’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.
14. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. In the event of any conflict between the Addendum and the Standard Contractual Clauses in Exhibit 1 or 2, the Standard Contractual Clauses shall prevail.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
b. The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b.The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
c. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non- compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
d. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
e. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
a. GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub- processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s request, a copy of such a sub- processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
a. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
b. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
i. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
ii. refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
i. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
ii. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Ireland.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.
APPENDIX (GDPR SCCs)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers
Access Controls:
- All Data Importer employees and contractors are provided with unique userIDs
- Access is only granted to employees whose role requires it
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Customer Relationship Management Software
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | ||
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK The address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation 185 Clara Street, Suite 100, San Francisco, CA 94107, United States Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer - Exporter X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6 . If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Effective August 3, 2022 to August 31, 2022
DownloadTable of Contents
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services The Parties agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this Section 1 or within the body of this Addendum have the respective meanings given to them in the Agreement.
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” as defined in the GDPR and in the UK GDPR), or an “individual” as defined in ANZ Privacy Law, as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
2. Compliance with laws. Each Party will comply with the Data Protection Laws as applicable to it, including with respect to the Processing of Personal Data.
3. Customer obligations. Customer as Controller undertakes that all instructions for the Processing of Personal Data under the Agreement or this Addendum or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not in any way cause Abnormal to be in breach of any Data Protection Laws. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
4. Data Processing. Abnormal will Process the Personal Data for the sole purpose of providing the Service and Support to Customer. Abnormal will Process the Personal Data in accordance with Customer’s instructions as documented in the Agreement and this Addendum for the term of the Agreement. Abnormal will not access, use or otherwise Process such Personal Data, except as necessary to provide the Service and Support.
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
5. Requirements for GDPR Personal Data. This Section 5 shall only apply to Abnormal’s Processing of GDPR Personal Data as permitted by the Agreement. This Addendum, together with the Agreement, serves as the binding contract referred to in Article 28(3) of the GDPR and Section 59 of the UK GDPR that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the Controller. In the provision of the Service and Support by Abnormal to Customer pursuant to the Agreement, Customer acts as Controller and Abnormal acts as Processor with respect to the Personal Data. Abnormal may process Personal Data in connection with its provision of the Service and Support in countries that have different data protection regulations than the GDPR and the UK GDPR (“Third Countries”). In such event, subject to the terms of this Addendum, the Standard Contractual Clauses in the form provided in Exhibit 1 and Exhibit 2 of this Addendum (as applicable) will govern the transfer of Personal Data to such Third Countries, including to Subprocessors in such Third Countries, unless the transfer of Personal Data occurs via an alternative means permitted by relevant Data Protection Laws.
6. Requirements for CCPA Personal Information. This Section 6 shall only apply to Abnormal’s Processing of CCPA Personal Information as permitted by the Agreement. For the purposes of the CCPA, Abnormal and Customer acknowledge and agree that Abnormal will act as a “service provider” (as defined in the CCPA) in its performance of its obligations under the Agreement. Abnormal shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purposes of providing the Service and Support, or as otherwise permitted by the CCPA. Abnormal acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Service and Support, generating Threat Intelligence Data, and performing its obligations under the Agreement. Processing CCPA Personal Information outside the scope of this Addendum or the Agreement will require prior written agreement between the Customer and Abnormal on additional instructions for Processing. Abnormal will not “sell” (as defined in the CCPA) any CCPA Personal Information.
7. Technical and organizational security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Abnormal will in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk presented by Processing, as further described on Annex II to Exhibit 1 of this Addendum.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
8. Data Subjects rights. Abnormal will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Abnormal will (i) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete its Personal Data without responding to that request, and (ii) upon written request from Customer, provide Customer with information that Abnormal has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
9. Data Protection Impact Assessments. If Customer is required under the Data Protection Laws to conduct a data protection impact assessment, then upon written request from Customer, Abnormal will assist where reasonably possible in the fulfilment of the Customer’s obligation as related to its use of the Service and Support, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws Abnormal will provide reasonable assistance to Customer in the cooperation or prior consultation with the Data Protection Authorities in relation to any applicable data protection impact assessment.
10. Audit of Technical and Organizational Measures. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this Addendum by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. The Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 10 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 10 within a mutually agreeable timeframe.
11. Breach notification. If Abnormal becomes aware of a Personal Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, which is likely to cause a risk to the fundamental rights and freedoms of the Data Subjects, then Abnormal will notify Customer without undue delay after becoming aware of such Personal Data Breach and will cooperate with the Customer and take such commercially reasonable steps as agreed with Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach. Abnormal will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations in case of a Personal Data Breach pursuant to Data Protection laws, including Articles 33 and 34 of the GDPR and Sections 67 and 68 of the UK GDPR.
12. Subprocessing. Customer agrees that Abnormal may appoint either Abnormal affiliated companies or third party providers as sub-Processors under the Agreement and this Addendum (“Subprocessors”) and hereby authorizes Abnormal to engage such Subprocessors in the provision of the Service and Support. Abnormal will restrict the Processing activities performed by Subprocessors to only what is strictly necessary to provide the Service to Customer pursuant to the Agreement and this Addendum. Abnormal will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Addendum, and Abnormal will remain responsible for the Subprocessors’ compliance with the obligations under this Addendum.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing the reasons of its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
13. Return or Deletion of Personal Data. Abnormal will delete or return, in Customer’s discretion and upon Customer’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.
14. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. In the event of any conflict between the Addendum and the Standard Contractual Clauses in Exhibit 1 or 2, the Standard Contractual Clauses shall prevail.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
b. The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b.The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
c. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non- compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
d. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
e. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
a. GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub- processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s request, a copy of such a sub- processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
a. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
b. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
i. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
ii. refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
i. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
ii. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Ireland.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.
APPENDIX (GDPR SCCs)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers
Access Controls:
- All Data Importer employees and contractors are provided with unique userIDs
- Access is only granted to employees whose role requires it
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States and Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | ||
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK The address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation 185 Clara Street, Suite 100, San Francisco, CA 94107, United States Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer - Exporter X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6 . If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Effective June 13, 2022 to August 3, 2022
DownloadTable of Contents
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services The Parties agree as follows:
1. Definitions. All capitalized terms used but not otherwise defined in this Section 1 or within the body of this Addendum have the respective meanings given to them in the Agreement.
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” as defined in the GDPR and in the UK GDPR), or an “individual” as defined in ANZ Privacy Law, as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
2. Compliance with laws. Each Party will comply with the Data Protection Laws as applicable to it, including with respect to the Processing of Personal Data.
3. Customer obligations. Customer as Controller undertakes that all instructions for the Processing of Personal Data under the Agreement or this Addendum or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not in any way cause Abnormal to be in breach of any Data Protection Laws. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Abnormal including the means by which Customer acquired Personal Data.
4. Data Processing. Abnormal will Process the Personal Data for the sole purpose of providing the Service and Support to Customer. Abnormal will Process the Personal Data in accordance with Customer’s instructions as documented in the Agreement and this Addendum for the term of the Agreement. Abnormal will not access, use or otherwise Process such Personal Data, except as necessary to provide the Service and Support.
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
5. Requirements for GDPR Personal Data. This Section 5 shall only apply to Abnormal’s Processing of GDPR Personal Data as permitted by the Agreement. This Addendum, together with the Agreement, serves as the binding contract referred to in Article 28(3) of the GDPR and Section 59 of the UK GDPR that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the Controller. In the provision of the Service and Support by Abnormal to Customer pursuant to the Agreement, Customer acts as Controller and Abnormal acts as Processor with respect to the Personal Data. Abnormal may process Personal Data in connection with its provision of the Service and Support in countries that have different data protection regulations than the GDPR and the UK GDPR (“Third Countries”). In such event, subject to the terms of this Addendum, the Standard Contractual Clauses in the form provided in Exhibit 1 and Exhibit 2 of this Addendum (as applicable) will govern the transfer of Personal Data to such Third Countries, including to Subprocessors in such Third Countries, unless the transfer of Personal Data occurs via an alternative means permitted by relevant Data Protection Laws.
6. Requirements for CCPA Personal Information. This Section 6 shall only apply to Abnormal’s Processing of CCPA Personal Information as permitted by the Agreement. For the purposes of the CCPA, Abnormal and Customer acknowledge and agree that Abnormal will act as a “service provider” (as defined in the CCPA) in its performance of its obligations under the Agreement. Abnormal shall not retain, use or disclose CCPA Personal Information for any purpose other than for the specific purposes of providing the Service and Support, or as otherwise permitted by the CCPA. Abnormal acknowledges and agrees that it shall not retain, use or disclose CCPA Personal Information for a commercial purpose other than providing the Service and Support, generating Threat Intelligence Data, and performing its obligations under the Agreement. Processing CCPA Personal Information outside the scope of this Addendum or the Agreement will require prior written agreement between the Customer and Abnormal on additional instructions for Processing. Abnormal will not “sell” (as defined in the CCPA) any CCPA Personal Information.
7. Technical and organizational security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Abnormal will in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk presented by Processing, as further described on Annex II to Exhibit 1 of this Addendum.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
8. Data Subjects rights. Abnormal will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Abnormal will (i) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete its Personal Data without responding to that request, and (ii) upon written request from Customer, provide Customer with information that Abnormal has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
9. Data Protection Impact Assessments. If Customer is required under the Data Protection Laws to conduct a data protection impact assessment, then upon written request from Customer, Abnormal will assist where reasonably possible in the fulfilment of the Customer’s obligation as related to its use of the Service and Support, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws Abnormal will provide reasonable assistance to Customer in the cooperation or prior consultation with the Data Protection Authorities in relation to any applicable data protection impact assessment.
10. Audit of Technical and Organizational Measures. Abnormal will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Abnormal’s compliance with its data protection obligations as specified in this Addendum by: (i) submitting a security assessment questionnaire to Abnormal; and (ii) if Customer is not satisfied with Abnormal’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Abnormal’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Abnormal’s normal business operations and subject to Abnormal’s agreement on scope and timing. The Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon non-disclosure agreement. Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Abnormal under this Section 10 will be deemed Abnormal Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Abnormal will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 10 within a mutually agreeable timeframe.
11. Breach notification. If Abnormal becomes aware of a Personal Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, which is likely to cause a risk to the fundamental rights and freedoms of the Data Subjects, then Abnormal will notify Customer without undue delay after becoming aware of such Personal Data Breach and will cooperate with the Customer and take such commercially reasonable steps as agreed with Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach. Abnormal will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations in case of a Personal Data Breach pursuant to Data Protection laws, including Articles 33 and 34 of the GDPR and Sections 67 and 68 of the UK GDPR.
12. Subprocessing. Customer agrees that Abnormal may appoint either Abnormal affiliated companies or third party providers as sub-Processors under the Agreement and this Addendum (“Subprocessors”) and hereby authorizes Abnormal to engage such Subprocessors in the provision of the Service and Support. Abnormal will restrict the Processing activities performed by Subprocessors to only what is strictly necessary to provide the Service to Customer pursuant to the Agreement and this Addendum. Abnormal will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Addendum, and Abnormal will remain responsible for the Subprocessors’ compliance with the obligations under this Addendum.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing the reasons of its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
13. Return or Deletion of Personal Data. Abnormal will delete or return, in Customer’s discretion and upon Customer’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.
14. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. In the event of any conflict between the Addendum and the Standard Contractual Clauses in Exhibit 1 or 2, the Standard Contractual Clauses shall prevail.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the