ANNEX I

  A. LIST OF PARTIES (MODULE TWO: Transfer controller to processor)

Data exporter(s): Customer

Customer, as Controller, may elect to transfer data to Absolute in connection with the receipt of Products and Services identified in the applicable Order Form. Customer’s name, contact information and signature are set forth in the applicable Order Form or in the Customer’s account for the Products and Services.

Data importer(s): Absolute

Absolute, as Processor, processes data received from Customer in connection with the provision of Products and Services identified in the applicable Order Form.

Address: Suite 1400, Four Bentall Centre, 1055 Dunsmuir Street, Vancouver, B.C. Canada, V7X 1K8

Contact: [email protected]

 

  B. DESCRIPTION OF TRANSFER (MODULE TWO: Transfer controller to processor)

 

Categories of Data Subjects whose personal data is transferred in connection with the Products and Services:

  1. Customer’s users of end point devices
  2. Customer’s administrative personnel responsible for maintenance of Customer’s account via the Hosted Service

 

Categories of Personal Data transferred in connection with the Absolute Services:

  1. As applicable, end point device information, including computer make and model, computer serial number, system BIOS version, computer name, OS information, HDD serial number, HDD model, HDD firmware revision, battery device ID, computer UUID, gateway strings, RAM serial number, MAC address, NIC adapter name, IP address, device location, and device usage information.

 

Hosted Service account information, including name, contact information and login credentials.

 

Categories of sensitive data transferred in connection with the Products and Services:

  1. None.

 

Frequency and Nature of the Processing:

The data is transferred on a continuous basis. The personal data transferred will be subject to the following processing operations:

  • to provide the Products and Services, including storage of data for the Products and Services;
  • to resolve technical or administrative issues, billing and invoicing, and otherwise comply with its own legal obligations; and
  • to optimize and improve the Products and Services and other business purposes as described in the DPA.

Purpose(s) of the Data Transfer and Further Processing

The purpose of the data transfer is to provide the Products and Services.

 

Retention Period.

Different data retention periods apply depending on the applicable service. When determining the specific retention period, Absolute considers various factors, such as the type of service provided to the Customer, the nature and length of our relationship with the Customer, and mandatory retention periods provided by law and the statute of limitations.

 

Transfers to (sub-) processors

The descriptions set forth above in this Section B apply to data transferred to Subprocessors.

 

  C. COMPETENT SUPERVISORY AUTHORITY (MODULE TWO: Transfer controller to processor)

The competent supervisory authority as defined by Customer.

 

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Domain / Practices

Organization of Information Security

  • Absolute has a team dedicated to Information Security
  • The Information Security program is supported by the Absolute executive team
  • Absolute publishes a management approved information security policy

Human Resources Security

  • Performs pre-hiring background check on personnel
  • Performs regular information security training

Physical and Environmental Security

  • Only authorized users are permitted physical access to customer data processing centers
  • Uses datacenter and hosting providers with physical and environmental controls

Communications and Operations Management

  • Encrypt customer data in transit and at rest
  • Implement network protections including firewalls, VPNs, IDS, and where possible IPS

Access Control

  • Least-privilege access to networks and systems
  • Require MFA for remote access

Information Security Incident Management

  • Implement a formalized Security and Privacy Incident Response program

Security Operations

  • Annual penetration testing
  • Ongoing vulnerability management
  • Controls to detect and prevent malware
  • Generate and monitor event log information

Business Continuity Management

  • Maintains BCP and DR plans to support continued operations
  • Tests plans at least annually

Third-party Supplier Management

  • Maintain a third-party supplier program to review, assess, and monitor the security and privacy controls of third-party vendors.

System Development

  • Provide secure coding training to developers
  • Implement security testing as a component of the SDLC
  • Segregated development, testing, and production environments

 

 

 

 
