ANNEX I

A. LIST OF PARTIES (MODULE TWO: TRANSFER CONTROLLER TO PROCESSOR) 

Data exporter(s): Customer  

Customer, as Controller, may elect to transfer data to Absolute in connection with the receipt of Products and Services identified in the applicable Order Form. Customer’s name, contact information and signature are set forth in the applicable Order Form or in the Customer’s account for the Products and Services. 

Data importer(s): Absolute 

Absolute, as Processor, processes data received from Customer in connection with the provision of Products and Services identified in the applicable Order Form.  

Address: Suite 1400, Four Bentall Centre, 1055 Dunsmuir Street, Vancouver, B.C. Canada, V7X 1K8 

Contact: [email protected] 

B. DESCRIPTION OF TRANSFER (MODULE TWO: TRANSFER CONTROLLER TO PROCESSOR) 

Categories of Data Subjects whose personal data is transferred in connection with the Products and Services: 

# 

Category 

1 

Customer’s users of end point devices or, as applicable, servers 

2 

Customer’s administrative personnel responsible for maintenance and support of Customer’s account with Absolute 

Categories of Personal Data transferred in connection with the Products and Services: 

# 

Category 

1 

Customer’s users of end point devices or, as applicable, servers 

2 

Customer’s administrative personnel responsible for maintenance and support of Customer’s account with Absolute 

Categories of Personal Data transferred in connection with the Products and Services: 

# 

Category 

1 

For Secure Endpoint Products and Services: As applicable, endpoint device information, including computer make and model, computer serial number, system bios version, computer name, OS information, HDD serial number, HDD model, HDD firmware revision, battery device ID, computer UUID, gateway strings, RAM serial number, MAC address, NIC adapter name, IP address, device location, installed application information, encryption and anti-virus information, file status information, custom device or file data or metadata that has been defined and enabled by Customer, and device usage information. Further details can be found in the applicable Documentation for the Products and Services.  

2 

For Secure Access Products and Services: As applicable, network, performance and usage information from endpoint devices, including computer name, computer make and model, computer serial number, OS information, IMEI, gateway strings, MAC address, NIC adapter name, IP address, logged-in username, phone number, adapter serial number, application names and usage information, correlated with device location. Further details can be found in the applicable Documentation for the Products and Services. 

3 

Account information, including name, contact information and login credentials. 

Categories of sensitive data transferred in connection with the Products and Services: 

# 

Category 

1 

None. 

Frequency and Nature of the Processing: 

The data is transferred on a continuous basis. The personal data transferred will be subject to the following processing operations. 

  

Purpose(s) of the Data Transfer and Further Processing 

The purpose of the data transfer is to provide the Products and Services. 

Retention Period. 

Different data retention periods apply depending on the applicable service. When determining the specific retention period, Absolute considers various factors, such as the type of service provided to the Customer, the nature and length of our relationship with the Customer, and mandatory retention periods provided by law and the statute of limitations. 

Transfers to (sub-) processors 

The descriptions set forth above in this Section B apply to data transferred to Subprocessors. 

COMPETENT SUPERVISORY AUTHORITY (MODULE TWO: TRANSFER CONTROLLER TO PROCESSOR) 

The competent supervisory authority as defined by Customer. 

  

ANNEX II 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA 

Domain 

Practices 

Organization of Information Security 

  • Absolute has a team dedicated to Information Security 
  • The Information Security program is supported by the Absolute executive team  
  • Absolute has an information security policy that is reviewed annually and approved by management 

Human Resources Security 

  • Performs pre-hiring background check on personnel 
  • Performs annual information security training 

Physical and Environmental Security 

  • Only authorized users are permitted physical access to customer data processing centers 
  • Uses datacenter and hosting providers with physical and environmental controls 

Communications and Operations Management 

  • Encrypts customer data in transit and at rest 
  • Implements network protections including firewalls, VPNs, IDS, and where possible IPS 

Access Control 

  • Least principal access to networks and systems 
  • Requires MFA for remote access 

Information Security Incident Management 

  • Implements a formalized Security and Privacy Incident Response program 

Security Operations 

  • Annual penetration testing 
  • Ongoing vulnerability management 
  • Controls to detect and prevent malware 
  • Generates and monitors event log information 

Disaster Recovery 

  • Maintains DR plan to support continued operations 
  • Tests plan at least annually 

Third-party Supplier Management 

  • Maintains a third-party supplier program to review and assess and monitor the security and privacy controls of third-party vendors 

System Development 

  • Provides secure coding training to developers 
  • Implements security testing as a component of the SDLC 
  • Segregated development, testing, and production environments 

 

 

 

 

Financial Services