Contracts
- Abnormal Security Cloud Terms of Service
- Abnormal Security Support and Service Level Agreement Policy
- Abnormal Security Information Security Policy
- Abnormal Security Data Processing Addendum
- Abnormal Security Acceptable Use Policy
- Abnormal Security Master Service Agreement - Transactions Entered into Prior to April 5, 2022
- Abnormal Security Data Processing Addendum - Transactions April 6, 2023 and Prior
- Abnormal Security Reseller Terms
- Abnormal Security API Terms of Service
Abnormal Security Cloud Terms of Service
Effective September 21, 2022
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s obligations in or breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ or ‘Abnormal Legal Center’ pages (legal.abnormalsecurity.com) of the Abnormal managed website. 
“Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that (1) is either executed by the Parties and references this Agreement or is entered into by Customer via self-service, or (2) is entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective May 19, 2022 to September 21, 2022
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ or ‘Abnormal Legal Center’ pages of the Abnormal managed website. 
“Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that (1) is either executed by the Parties and references this Agreement or is entered into by Customer via self-service, or (2) is entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 30, 2022 to May 19, 2022
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ page of the Abnormal website.
“Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that (1) is either executed by the Parties and references this Agreement or is entered into by Customer via self-service, or (2) is entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 24, 2022 to March 30, 2022
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means Abnormal’s standard technical guides and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website.
“Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that (1) is either executed by the Parties and references this Agreement or is entered into by Customer via self-service, or (2) is entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 23, 2022 to March 24, 2022
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means Abnormal’s standard technical guides and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website.
“Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that (1) is either executed by the Parties and references this Agreement or is entered into by Customer via self-service, or (2) is entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration or other professional services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 21, 2022 to March 23, 2022
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means Abnormal’s standard technical guides and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website.
“Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) is either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) is entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration or other professional services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. 
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf. |
Abnormal Security Support and Service Level Agreement Policy
Effective June 24, 2022
ABNORMAL SECURITY SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Abnormal Security Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time. Capitalized terms not defined in this Policy shall have the meaning given to them in the Agreement.
I. Support
- Support Services. As part of providing the Service and as further described in the Documentation, Abnormal implements processes designed to perform robust testing and validation to minimize Errors.
- General Support Offering. Customer shall designate one primary contact who will have administrator privileges and may designate additional contacts (“Customer Contacts”). Abnormal shall provide English-speaking remote assistance to Customer Contacts for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Contacting Abnormal Support. Customer Contacts may contact Abnormal Support by: (a) submitting a Support request to the Abnormal webpage hosting the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Abnormal Community”) and designating the appropriate severity level according to Table 1 below, (b) submitting a Support request in the web interface as described in the Documentation, (c) submitting the Support request to support@abnormalsecurity.com if Customer Contacts cannot access the Abnormal Community, or (d) in the event Customer Contacts cannot access Abnormal Community or email, they may contact Abnormal Support by phone at the intake phone number identified in the Abnormal Community solely for purposes of having the Support request submitted on their behalf (each a “Support Case”). All Customer Contacts must be reasonably trained in the use and functionality of the Service and the Abnormal Documentation and shall use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity. Customer Contacts will assist Abnormal to resolve its Support Case by complying with the Customer obligations set forth in Table 1.
- Submission of Support Cases. Each Support Case shall: (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer Account that experienced the Error; (c) include information sufficiently detailed to allow Abnormal Support to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) provide contact information for the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
- Other Support and Training. Abnormal also offers various support and training resources such as documentation, FAQs and user guides available on the Abnormal Community.
Table 1: Error Severity Level Definitions and Response Times

Error Severity Level | Description | Initial Response Time Target | Customer Responsibility
---|---|---|---
Severity Level 1 (Urgent Severity) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions quickly.
Severity Level 2 (High Severity) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error on a temporary basis without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions upon receipt.
Severity Level 3 (Normal Severity) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas, or (b) experiencing intermittent issues. The Customer can still access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary.
Severity Level 4 (Low Severity) | How-to Questions and Service issues with no Service degradation. | Twenty-Four (24) Business Hours | Monitor and respond as necessary.
RFE | Requests for enhancements to the Service. | 2 Business Days | N/A
- Error Response. Upon receipt of a Support Case, Abnormal Support will attempt to determine the Error and assign the applicable Severity Level based on descriptions in Table 1. If Abnormal’s Severity Level designation is different from that assigned by Customer, Abnormal will promptly notify Customer in advance of such designation. If Customer notifies Abnormal of a reasonable basis for disagreeing with Abnormal’s designated Severity Level, the parties each will make a good faith effort to discuss, escalate internally, and mutually agree on the appropriate Severity Level. Abnormal shall use commercially reasonable efforts to meet the Initial Response Time Target for the applicable Severity Level, as measured during in-region Abnormal Support hours set forth in Table 2 below (such hour(s), “Business Hour(s)” with the total Business Hours in an in-region support day being “Business Day(s)”).
Table 2: Abnormal Support Hours (Global Support Business Hours)

Sev 1 | Sev 2-4 | Excluded Holidays Sev 2-4
---|---|---
24 x 7 x 365 | 6AM-6PM PT Mon-Fri | Recognized U.S. Federal Holidays
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of Service level credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credit Calculation

Monthly Availability Percentage | Service Level Credit
---|---
< 99.9% and ≥ 98.0% | 3 Days
< 98.0% and ≥ 95.0% | 7 Days
< 95.0% | 15 Days
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer’s or its User’s use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Effective April 4, 2022 to June 24, 2022
ABNORMAL SECURITY SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Abnormal Security Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time. Capitalized terms not defined in this Policy shall have the meaning given to them in the Agreement.
I. Support
- Support Services. As part of providing the Service and as further described in the Documentation, Abnormal implements processes designed to perform robust testing and validation to minimize Errors.
- General Support Offering. Customer shall designate one primary contact who will have administrator privileges and may designate additional contacts (“Customer Contacts”). Abnormal shall provide English-speaking remote assistance to Customer Contacts for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Contacting Abnormal Support. Customer Contacts may contact Abnormal Support by: (a) submitting a Support request to the Abnormal webpage hosting the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Abnormal Community”) and designating the appropriate severity level according to Table 1 below, (b) submitting a Support request in the web interface as described in the Documentation, (c) submitting the Support request to support@abnormalsecurity.com if Customer Contacts cannot access the Abnormal Community, or (d) in the event Customer Contacts cannot access Abnormal Community or email, they may contact Abnormal Support by phone at the intake phone number identified in the Abnormal Community solely for purposes of having the Support request submitted on their behalf (each a “Support Case”). All Customer Contacts must be reasonably trained in the use and functionality of the Service and the Abnormal Documentation and shall use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity. Customer Contacts will assist Abnormal to resolve its Support Case by complying with the Customer obligations set forth in Table 1.
- Submission of Support Cases. Each Support Case shall: (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer Account that experienced the Error; (c) include information sufficiently detailed to allow Abnormal Support to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) provide contact information for the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
- Other Support and Training. Abnormal also offers various support and training resources such as documentation, FAQs and user guides available on the Abnormal Community.
Table 1: Error Severity Level Definitions and Response Times

Error Severity Level | Description | Initial Response Time Target | Customer Responsibility
---|---|---|---
Severity Level 1 (Urgent Severity) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions quickly.
Severity Level 2 (High Severity) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error on a temporary basis without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions upon receipt.
Severity Level 3 (Normal Severity) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas, or (b) experiencing intermittent issues. The Customer can still access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary.
Severity Level 4 (Low Severity) | How-to Questions and Service issues with no Service degradation. | Twenty-Four (24) Business Hours | Monitor and respond as necessary.
RFE | Requests for enhancements to the Service. | 2 Business Days | N/A
- Error Response. Upon receipt of a Support Case, Abnormal Support will attempt to determine the Error and assign the applicable Severity Level based on descriptions in Table 1. If Abnormal’s Severity Level designation is different from that assigned by Customer, Abnormal will promptly notify Customer in advance of such designation. If Customer notifies Abnormal of a reasonable basis for disagreeing with Abnormal’s designated Severity Level, the parties each will make a good faith effort to discuss, escalate internally, and mutually agree on the appropriate Severity Level. Abnormal shall use commercially reasonable efforts to meet the Initial Response Time Target for the applicable Severity Level, as measured during in-region Abnormal Support hours set forth in Table 2 below (such hour(s), “Business Hour(s)” with the total Business Hours in an in-region support day being “Business Day(s)”).
Table 2: Abnormal Support Hours (Global Support Business Hours)

Sev 1 | Sev 2-4 | Excluded Holidays Sev 2-4
---|---|---
24 x 7 x 365 | 6AM-6PM PT Mon-Fri | Recognized U.S. Federal Holidays
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of Service level credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credit Calculation

Monthly Availability Percentage | Service Level Credit
---|---
< 99.9% and ≥ 98.0% | 3 Days
< 98.0% and ≥ 95.0% | 7 Days
< 95.0% | 15 Days
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer’s or its User’s use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Abnormal Security Information Security Policy
Effective April 12, 2022
ABNORMAL SECURITY INFORMATION SECURITY POLICY
During the Term of the Agreement, Abnormal will maintain an Information Security Program (“Security Program”) in accordance with the requirements of this Information Security Policy (“Security Policy”). Terms not otherwise defined herein have the same meanings as set forth in the written subscription agreement under which Abnormal provides its Service as entered into by and between Customer and Abnormal ("Agreement"). In the event of a conflict between the terms of this Security Policy and the terms of the Agreement, the terms of this Security Policy will apply.
Elements of the Security Program.
Minimum Security Standards. The Security Program will use industry standard controls designed to protect the confidentiality, integrity, and availability of Customer Data against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss or destruction or damage. The Security Program will maintain administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of Abnormal business; (b) the type of information that Abnormal stores; and (c) the need for security and confidentiality of such information.
1. Security Policies and Procedures. Abnormal will maintain and implement security policies and procedures designed to ensure that the Service and its employees and contractors process Customer Data in accordance with this Security Policy. Abnormal will implement and enforce disciplinary measures against employees and contractors for failure to abide by its security policies and procedures.
2. Intrusion Prevention. Abnormal will take reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and stringent firewall rules.
3. Physical Access Controls. Abnormal will establish limits on physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and other areas where Customer Data is stored is limited to authorized individuals. Data centers leverage camera or video surveillance systems at critical internal and external entry points.
4. Logical Access Controls.
Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for all employees or contractors with access to Customer Data, including without limitation, by assigning each employee or contractor unique authentication credentials for accessing any system on which Customer Data is accessed and prohibiting employees or contractors from sharing their authentication credentials. Abnormal will restrict access to Customer Data to those employees or contractors who need access to Customer Data to perform Abnormal obligations under the Agreement.
Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help prevent unauthorized access to, and to detect unauthorized attempts to access, its networks, servers, and applications. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal will have policies in place that are designed to ensure that, upon termination of any employee or contractor, the terminated employee’s or contractor’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases revocation will occur no later than twenty-four (24) hours following such termination.
5. Environmental Access Controls. If Abnormal supplies data center services, Abnormal will implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
6. Disaster Recovery and Backup Controls. If Abnormal supplies data center services, Abnormal will: (a) back up its production file systems and databases according to a defined schedule; and (b) maintain a formal disaster recovery plan for the production data center and conduct regular testing of the effectiveness of such plan.
7. Business Continuity and Incident Response Plans. If Abnormal processes, stores, or transmits Customer Data, then Abnormal will take reasonable measures to maintain business continuity plans and incident response plans to manage and minimize the effects of unplanned operational disruptions (cyber, physical or natural) (“Incident Response Plans”). These plans will include procedures to be followed in the event of an actual or suspected Security Breach or business interruption and have a stated goal of resumption of routine service within 48 hours of such an incident. The Incident Response Plans will require Abnormal to undertake a root cause analysis of any actual or suspected Security Breach and to document remediation measures.
8. Security Breach Notification. Abnormal will notify Customer of any unauthorized access to Customer Data in accordance with the terms and conditions of the Agreement. In the event no such terms are specified in the Agreement, the following terms will apply:
Abnormal will notify Customer of any unauthorized, unlawful or accidental access to, or disclosure, transfer, destruction, loss or alteration of, Customer Data (each, a “Security Breach”) within two business days of Abnormal’s knowledge of the Security Breach, regardless of whether the Security Breach triggers any applicable breach notification law. Abnormal will notify Customer of a Security Breach by email to Abnormal’s primary contact within the Customer organization.
Notice to Customer will include: (a) a description of the nature of the Security Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Breach; (d) a description of the measures taken or proposed to address the Security Breach; and (e) a description of measures to mitigate the adverse effects of the Security Breach.
9. Storage and Transmission Security.
Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol.
Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices.
10. Secure Disposal.
Upon expiration or termination of the Agreement, Abnormal will return or delete Customer Data in accordance with the Agreement. If deletion is required, Customer Data will be securely deleted in accordance with industry leading methods (e.g., NIST SP 800-88), except that Customer Data stored electronically in Abnormal backup or email systems may be deleted over time in accordance with Abnormal records management practices.
If Abnormal stores Customer Data in Abnormal cloud computing services, Abnormal will retain Customer Data stored in its cloud computing services for the duration of any active Subscription Term or until the expiration or termination of the Agreement. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation.
11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and determine if existing controls, policies, and procedures are adequate.
12. Subcontractors. Prior to engaging new third-party service providers or adding new technologies to its Service that will access or process Customer Data (collectively, for the purposes of this Security Policy, “Subcontractors”), Abnormal will conduct a risk assessment of each Subcontractor’s data security practices. Abnormal enters into written agreements with its Subcontractors with security obligations substantially similar to those contained in this Security Policy. Abnormal will be responsible for the acts or omissions of Subcontractors under the Agreement. This paragraph does not limit Abnormal’s obligations regarding Sub-processors as set out in the DPA.
13. Change and Configuration Management. Abnormal will implement and maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.
14. Training and Background Checks. Abnormal will undertake the following measures that are designed to ensure that personnel who will have access to Customer Data are appropriately qualified.
14.1. Background Checks. Employees and contractors of Abnormal who will have access to Customer Data or systems that process Customer Data will undergo a civil and criminal background check, where permitted by applicable law. Upon written request, not more than once per 12-month period, Abnormal will certify its compliance to Customer with this Section.
14.2. Information Security Awareness Training. Abnormal will provide new hire security awareness training, and refresher security awareness training at least once a year thereafter, to all personnel who process or may have access to Customer Data. Abnormal will make available to Customer documentation to validate compliance with this security awareness training requirement for the current year. Abnormal security awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against data loss, misuse or breach through physical, logical and social engineering mechanisms.
14.3. Secure Code Training. Abnormal will provide annual training on secure coding principles and their application (Secure Code Training) to all personnel who develop or handle any Abnormal source code. Abnormal training will cover topics such as: (a) the Open Web Application Security Project (OWASP) list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
15. Security Program Proof of Compliance.
Third Party Standards and Assessments. During the Term of the Agreement and at Abnormal’s expense, Abnormal will undertake the following third-party assessments of the networks, servers, applications and operations where Customer Data is processed, stored or transmitted.
15.1. Third-Party Security Audit.
Abnormal engages an industry-recognized third party auditor to conduct a SOC 2 Type 2 security audit on at least an annual basis in order to demonstrate its compliance with the security requirements of the Security Program.
Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability and Confidentiality developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Abnormal will make available to Customer copies of Abnormal’s current SOC 2 report annually upon written request.
Where Abnormal is not permitted to audit the data processing facilities of its Subcontractors that store or process Customer Data (e.g., cloud data centers), Abnormal will seek assurances from such Subcontractors (e.g., an independent third-party audit report such as a SOC 2 Type 2 report or an ISO 27001 certification, or a vendor security evaluation).
15.2. Penetration Tests.
If Abnormal processes, stores, or transmits Customer Data, then at least once every year, Abnormal will undertake a network penetration test by an independent third party. Abnormal will remediate all critical and high vulnerabilities that the penetration test identifies within 30 days of the date they were first identified and will remediate all identified medium level vulnerabilities within a reasonable time period.
Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data, which will be deemed Confidential Information under the Agreement.
15.3. Audit and Vendor Risk Assessment.
From time to time, during regular business hours and upon reasonable notice, Customer, its regulators and/or designated third-party auditor(s) (that are not considered competitors of Abnormal) may perform, and Abnormal will reasonably assist with, a Vendor Risk Assessment (VRA). The VRA shall consist of a review of Abnormal’s security related documentation regarding its compliance with this Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Abnormal’s compliance with this Security Policy, provided that Customer shall not exercise this right more than once per year, and Abnormal will make its security personnel available to answer such questions related to Abnormal’s compliance with this Security Policy and applicable regulations and laws. All reasonable costs and expenses actually incurred in such an audit shall be borne by the Customer. For the avoidance of doubt, Abnormal will pay all costs and expenses incurred in connection with Abnormal’s own regulatory compliance and financial reporting requirements. In the event of a Security Breach that requires reporting to a supervisory authority or other governmental authority, Customer may conduct an audit or VRA on no less than three days’ notice, at Abnormal’s expense.
In addition to Customer’s audit rights, Abnormal agrees to reasonably cooperate and respond to Customer’s annual security questionnaires. Any information exchanged in connection with the activities described in this Section is deemed to be Abnormal Confidential Information.
In the event Abnormal is required by law, regulation, or legal process to disclose any Customer Data, Abnormal will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
17. Updates.
As Abnormal releases new products, services, functionality, and features, Abnormal may update this Security Policy to account for such products, services, functionality, and features.
Effective April 4, 2022 to April 12, 2022
ABNORMAL SECURITY INFORMATION SECURITY POLICY
During the Term of the Agreement, Abnormal will maintain an Information Security Program (“Security Program”) in accordance with the requirements of this Information Security Policy (“Security Policy”). Terms not otherwise defined herein have the same meanings as set forth in the written subscription agreement under which Abnormal provides its Service as entered into by and between Customer and Abnormal ("Agreement"). In the event of a conflict between the terms of this Security Policy and the terms of the Agreement, the terms of this Security Policy will apply.
Elements of the Security Program.
Minimum Security Standards. The Security Program will use industry standard controls designed to protect the confidentiality, integrity, and availability of Customer Data against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss or destruction or damage. The Security Program will maintain administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of Abnormal business; (b) the type of information that Abnormal stores; and (c) the need for security and confidentiality of such information.
1. Security Policies and Procedures. Abnormal will maintain and implement security policies and procedures designed to ensure that the Service and its employees and contractors process Customer Data in accordance with this Security Policy. Abnormal will implement and enforce disciplinary measures against employees and contractors for failure to abide by its security policies and procedures.
2. Intrusion Prevention. Abnormal will take reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and stringent firewall rules.
3. Physical Access Controls. Abnormal will establish limits on physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and other areas where Customer Data is stored is limited to authorized individuals. Data centers leverage camera or video surveillance systems at critical internal and external entry points.
4. Logical Access Controls.
Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for all employees or contractors with access to Customer Data, including without limitation, by assigning each employee or contractor unique authentication credentials for accessing any system on which Customer Data is accessed and prohibiting employees or contractors from sharing their authentication credentials. Abnormal will restrict access to Customer Data to those employees or contractors who need access to Customer Data to perform Abnormal obligations under the Agreement.
Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help prevent unauthorized access to, and to detect unauthorized attempts to access, its networks, servers, and applications. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal will have policies in place that are designed to ensure that, upon termination of any employee or contractor, the terminated employee’s or contractor’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases revocation will occur no later than twenty-four (24) hours following such termination.
5. Environmental Access Controls. If Abnormal supplies data center services, Abnormal will implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
6. Disaster Recovery and Backup Controls. If Abnormal supplies data center services, Abnormal will: (a) back up its production file systems and databases according to a defined schedule; and (b) maintain a formal disaster recovery plan for the production data center and conduct regular testing of the effectiveness of such plan.
7. Business Continuity and Incident Response Plans. If Abnormal processes, stores, or transmits Customer Data, then Abnormal will take reasonable measures to maintain business continuity plans and incident response plans to manage and minimize the effects of unplanned operational disruptions (cyber, physical or natural) (“Incident Response Plans”). These plans will include procedures to be followed in the event of an actual or suspected Security Breach or business interruption and have a stated goal of resumption of routine service within 48 hours of such an incident. The Incident Response Plans will require Abnormal to undertake a root cause analysis of any actual or suspected Security Breach and to document remediation measures.
8. Security Breach Notification. Abnormal will notify Customer of any unauthorized access to Customer Data in accordance with the terms and conditions of the Agreement. In the event no such terms are specified in the Agreement, the following terms will apply:
Abnormal will notify Customer of any unauthorized, unlawful or accidental access to, or disclosure, transfer, destruction, loss or alteration of, Customer Data (each, a “Security Breach”) within two business days of Abnormal’s knowledge of the Security Breach, regardless of whether the Security Breach triggers any applicable breach notification law. Abnormal will notify Customer of a Security Breach by email to Abnormal’s primary contact within the Customer organization.
Notice to Customer will include: (a) a description of the nature of the Security Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Breach; (d) a description of the measures taken or proposed to address the Security Breach; and (e) a description of measures to mitigate the adverse effects of the Security Breach.
9. Storage and Transmission Security.
Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) with 256-bit keys.
Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices.
10. Secure Disposal.
Upon expiration or termination of the Agreement, Abnormal will return or delete Customer Data in accordance with the Agreement. If deletion is required, Customer Data will be securely deleted in accordance with industry leading methods (e.g., NIST SP 800-88), except that Customer Data stored electronically in Abnormal backup or email systems may be deleted over time in accordance with Abnormal records management practices.
If Abnormal stores Customer Data in Abnormal cloud computing services, Abnormal will retain Customer Data stored in its cloud computing services for the duration of any active Subscription Term or until the expiration or termination of this Agreement. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation.
11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and determine if existing controls, policies, and procedures are adequate.
12. Subcontractors. Prior to engaging new third-party service providers or adding new technologies to its Service that will access or process Customer Data (collectively, for the purposes of this Security Policy, “Subcontractors”), Abnormal will conduct a risk assessment of each Subcontractor’s data security practices. Abnormal enters into written agreements with its Subcontractors with security obligations substantially similar to those contained in this Security Policy. Abnormal will be responsible for the acts or omissions of Subcontractors under the Agreement. This paragraph does not limit Abnormal’s obligations regarding Sub-processors as set out in the DPA.
13. Change and Configuration Management. Abnormal will implement and maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.
14. Training and Background Checks. Abnormal will undertake the following measures that are designed to ensure that personnel who will have access to Customer Data are appropriately qualified.
14.1. Background Checks. Employees and contractors of Abnormal who will have access to Customer Data or systems that process Customer Data will undergo a civil and criminal background check, where permitted by applicable law, prior to accessing Customer Data or systems. Upon written request, not more than once per 12-month period, Abnormal will certify its compliance to Customer with this Section.
14.2. Information Security Awareness Training. Abnormal will provide new hire security awareness training, and refresher security awareness training at least once a year thereafter, to all personnel who process or may have access to Customer Data. Abnormal will make available to Customer documentation to validate compliance with this security awareness training requirement for the current year. Abnormal security awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against data loss, misuse or breach through physical, logical and social engineering mechanisms.
14.3. Secure Code Training. Abnormal will provide annual training on secure coding principles and their application (Secure Code Training) to all personnel who develop or handle any Abnormal source code. Abnormal training will cover topics such as: (a) the Open Web Application Security Project (OWASP) list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
15. Security Program Proof of Compliance.
Third Party Standards and Assessments. During the Term of the Agreement and at Abnormal’s expense, Abnormal will undertake the following third-party assessments of the networks, servers, applications and operations where Customer Data is processed, stored or transmitted.
15.1. Third-Party Security Audit.
Abnormal engages an industry-recognized third party auditor to conduct a SOC 2 Type 2 security audit on at least an annual basis in order to demonstrate its compliance with the security requirements of the Security Program.
Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability and Confidentiality developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Abnormal will make available to Customer copies of Abnormal’s current SOC 2 report annually upon written request.
Where Abnormal is not permitted to audit the data processing facilities of its Subcontractors that store or process Customer Data (e.g., cloud data centers), Abnormal will seek assurances from such Subcontractors (e.g., an independent third-party audit report such as a SOC 2 Type 2 report or an ISO 27001 certification, or a vendor security evaluation).
15.2. Penetration Tests.
If Abnormal processes, stores, or transmits Customer Data, then at least once every year, Abnormal will undertake a network penetration test by an independent third party. Abnormal will remediate all critical and high vulnerabilities that the penetration test identifies within 30 days of the date they were first identified and will remediate all identified medium level vulnerabilities within a reasonable time period.
Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data, which will be deemed Confidential Information under the Agreement.
15.3. Audit and Vendor Risk Assessment.
From time to time, during regular business hours and upon reasonable notice, Customer, its regulators and/or designated third-party auditor(s) (that are not considered competitors of Abnormal) may perform, and Abnormal will reasonably assist with, a Vendor Risk Assessment (VRA). The VRA shall consist of a review of Abnormal’s security related documentation regarding its compliance with this Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Abnormal’s compliance with this Security Policy, provided that Customer shall not exercise this right more than once per year, and Abnormal will make its security personnel available to answer such questions related to Abnormal’s compliance with this Security Policy and applicable regulations and laws. All reasonable costs and expenses actually incurred in such an audit shall be borne by the Customer. For the avoidance of doubt, Abnormal will pay all costs and expenses incurred in connection with Abnormal’s own regulatory compliance and financial reporting requirements. In the event of a Security Breach that requires reporting to a supervisory authority or other governmental authority, Customer may conduct an audit or VRA on no less than three days’ notice, at Abnormal’s expense.
In addition to Customer’s audit rights, Abnormal agrees to reasonably cooperate and respond to Customer’s annual security questionnaires. Any information exchanged in connection with the activities described in this Section is deemed to be Abnormal Confidential Information.
In the event Abnormal is required by law, regulation, or legal process to disclose any Customer Data, Abnormal will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
17. Updates.
As Abnormal releases new products, services, functionality, and features, Abnormal may update this Security Policy to account for such products, services, functionality, and features.
Abnormal Security Data Processing Addendum
Effective September 7, 2023
SCHEDULE 1 – Subject Matter and Details of Processing
A. LIST OF PARTIES
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
SCHEDULE 2 – Technical and Organizational Measures
- Abnormal has established an information security policy that is reviewed and approved on a regular cadence.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on Abnormal premises.
- The Service processes Customer Data on an in-memory basis via API.
- Customer Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by a secured key management service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Backups are encrypted and access is limited based upon least privilege.
- Data and programs are backed up regularly and tested to ensure recoverability.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- Employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the appropriate management and is based on least privilege and business need. A multi-factor secure remote access is required for all access to the production systems.
- All print services are disabled by default on all production servers.
- All Abnormal employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Segmentation of network environment using logical networking controls.
- Default blocked firewall policies.
- A limited number of integration-related endpoints are accessible via the public internet, and these are protected by Web Application Firewalls (WAFs).
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load/throughput.
- Data in transit is encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Database connections are encrypted using SSL/TLS.
SCHEDULE 3 – Cross-Border Transfer Mechanism
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
SCHEDULE 4: Region-Specific Terms
Effective April 20, 2023 to September 7, 2023
SCHEDULE 1 – Subject Matter and Details of Processing
A. LIST OF PARTIES
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
SCHEDULE 2 – Technical and Organizational Measures
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges; for example, system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to Customer Data by limiting access to only those employees who need it to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal’s data retention policies as published in the Documentation. Such data is then automatically deleted at the end of that period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Isolated network environment using Amazon VPC.
- Firewall policies are deny-by-default.
- A limited number of integration-related endpoints are accessible from the public internet; the majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load and throughput.
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Database connectors use SSL-encrypted connections.
SCHEDULE 3 – Cross-Border Transfer Mechanism
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
SCHEDULE 4: Region-Specific Terms
Effective April 7, 2023 to April 20, 2023
SCHEDULE 1 – Subject Matter and Details of Processing
A. LIST OF PARTIES
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
SCHEDULE 2 – Technical and Organizational Measures
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges; for example, system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to Customer Data by limiting access to only those employees who need it to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal’s data retention policies as published in the Documentation. Such data is then automatically deleted at the end of that period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Isolated network environment using Amazon VPC.
- Firewall policies are deny-by-default.
- A limited number of integration-related endpoints are accessible from the public internet; the majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load and throughput.
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Database connectors use SSL-encrypted connections.
SCHEDULE 3 – Cross-Border Transfer Mechanism
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
SCHEDULE 4: Region-Specific Terms
Effective April 7, 2023 to April 7, 2023
1. Definitions. The definitions of certain capitalized terms used in this DPA are set forth below. Others are defined in the body of the DPA. Capitalized terms not defined in this DPA are defined in the Agreement.
Name: | The named “Customer” on the signed or accepted Order or Agreement. |
Address: | The address associated with the Customer on the signed or accepted Order or Agreement. |
Contact person’s name, position and contact details: | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Controller |
Name: | Abnormal Security Corporation |
Address: | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
Contact person’s name, position and contact details: | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
Activities relevant to the data transferred under these Clauses: | See Description of Transfer below. |
Signature and date: | Refer to the signed or accepted Order or Agreement. |
Role (controller/processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges; for example, system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to Customer Data by limiting access to only those employees who need it to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal’s data retention policies as published in the Documentation. Such data is then automatically deleted at the end of that period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Isolated network environment using Amazon VPC.
- Firewall policies are deny-by-default.
- A limited number of integration-related endpoints are accessible from the public internet; the majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load and throughput.
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Database connectors use SSL-encrypted connections.
“Designated EU Governing Law” means: | The laws of the Republic of Ireland |
“Designated EU Member State” means: | Republic of Ireland |
Section Reference | Clause Application |
Section I, Clause 7 | The docking clause does not apply. |
Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
Section II, Clause 11 | The optional language does not apply. |
Section II, Clause 13 | All square brackets are removed with the text remaining. |
Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |
Section Reference | Clause Application |
Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
Abnormal Security Acceptable Use Policy
Effective August 1, 2022
Abnormal Security Acceptable Use Policy
This Acceptable Use Policy (“AUP”) describes the prohibited uses of the Software as a Service offering (the "Service") provided by Abnormal Security Corporation (“Abnormal"). This AUP is in addition to any other terms and conditions under which Abnormal provides the Service to you. In addition to any other remedies available to Abnormal, if Abnormal determines in its sole discretion that you violate the AUP, we may suspend, limit, or terminate your use of the Service without prior notice or liability. This right applies, even if the breach is unintentional or unauthorized, if we believe that any such suspension, limitation, or termination is necessary to ensure compliance with laws, or to protect the rights, safety, privacy, security, or property (including the Service) of Abnormal or others.
Abnormal may modify this AUP at any time by posting an updated version of this document. Such updates will be effective upon posting. We therefore recommend that you visit the Abnormal website regularly to ensure that your activities conform to the most recent version. Your continued access to and use of the Service constitutes your agreement to be bound by such updates.
The prohibited uses listed below are not exhaustive. Prohibited uses and activities by you, the customer, your users or any third party include, without limitation:
- Violating any applicable laws or regulations (including without limitation data, privacy, and export control laws) or using the Service in a manner that gives rise to civil or criminal liability;
- Intentionally distributing malicious code, viruses, worms, defects, Trojan horses, corrupted files, hoaxes, or any other items of a destructive or deceptive nature;
- Infringing or misappropriating Abnormal’s or any third party’s intellectual property, proprietary or privacy rights;
- Reverse engineering, decompiling, or disassembling the Service or any software used in the provision of the Service;
- Interrupting, or attempting to interrupt, violate, obtain unauthorized access to, disrupt, damage, overburden, breach, or compromise the operation or security of the Service or any networks or systems;
- Using the Service for any reason other than as intended by the parties.
We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this AUP.
Abnormal Security Master Service Agreement - Transactions Entered into Prior to April 5, 2022
Effective April 11, 2022
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as a “Party” or together as the “Parties.”
EXHIBIT A
SERVICE LEVEL AGREEMENT
Uptime | Days Credited |
< 99.9% - ≥ 98.0% | 3 |
< 98.0% - ≥ 95.0% | 7 |
< 95.0% | 15 |
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
Severity Level | Description | Response Time |
1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
Effective April 11, 2022 to April 11, 2022
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as a “Party” or together as the “Parties.”
EXHIBIT A
SERVICE LEVEL AGREEMENT
Uptime | Days Credited |
< 99.9% - ≥ 98.0% | 3 |
< 98.0% - ≥ 95.0% | 7 |
< 95.0% | 15 |
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
Severity Level | Description | Response Time |
1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
Effective April 5, 2022 to April 11, 2022
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as a “Party” or together as the “Parties.”
EXHIBIT A
SERVICE LEVEL AGREEMENT
Uptime | Days Credited |
< 99.9% - ≥ 98.0% | 3 |
< 98.0% - ≥ 95.0% | 7 |
< 95.0% | 15 |
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
Severity Level | Description | Response Time |
1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
Abnormal Security Data Processing Addendum - Transactions April 6, 2023 and Prior
Effective April 7, 2023
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM - Transactions Prior to April 7, 2023
If you have a separate written data processing addendum with Abnormal Security related to your use of the Service, then this Addendum and the following updates do not apply. Customers that entered into an Order with Abnormal Security, or an authorized Abnormal Security Partner, for a Subscription to the Service prior to April 7, 2023 shall have the data processing addendum set forth below govern the processing of personal data by the Service. Upon the Customer's next renewal Subscription Term or a subscription to Abnormal Security's new products, the updated data processing addendum shall be the Abnormal Security Data Processing Addendum [LINK], which will automatically apply unless Customer elects not to renew. In any event, continued use of the Service during the renewal Subscription Term will constitute Customer acceptance of the Data Processing Addendum in effect at the time the renewal Subscription Term begins.
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation (“Abnormal”) Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as a “Party,” or together as the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
“Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means (i) where the GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021, and attached to this Addendum as Exhibit 1 (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust, which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”), and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC.
- Default-deny firewall policies.
- A limited number of integration-related endpoints are accessible via the public internet. The majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load/throughput.
- Data in transit is encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS is required for all web traffic.
- Encrypted connectors for databases using SSL.
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Customer Relationship Management Software
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK; the address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation, 185 Clara Street, Suite 100, San Francisco, CA 94107, United States; Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | [X] The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: [ ] Importer; [ ] Exporter; [X] Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective August 31, 2022 to April 7, 2023
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation (“Abnormal”) Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as a “Party,” or together as the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
“Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021, and attached to this Addendum as Exhibit 1 (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- A limited number of integration-related endpoints are accessible via the public internet; the majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Customer Relationship Management Software
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK. The address associated with Customer on the signed or accepted Order Form or Agreement. | Abnormal Security Corporation, 185 Clara Street, Suite 100, San Francisco, CA 94107, United States. Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer; - Exporter; X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective August 3, 2022 to August 31, 2022
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
“Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust, which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”), and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4