Data Processing Addendum

This Data Processing Addendum (“DPA”) amends and forms part of the Master Subscription Agreement or other agreement (the “Agreement”) between Customer and Absolute governing Absolute’s provision of the Products and Services to Customer. In the event of a conflict between the terms of this DPA and the Agreement, the terms of this DPA will control.

1. Definitions. Capitalized terms used but not defined in this DPA will have the meanings given to those terms in the Agreement.

1.1. “Business”, “Business Purpose”, “collect”, “collected”, “collection”, “Consumer”, “Deidentified Information”, “Personal Information”, “sale”, “selling”, “share”, and “Service Provider” have the meaning given to them in the CCPA; and “sell” will be interpreted accordingly;

1.2. “Controller”, “Data Subject”, “Personal Data”, “processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR, and “process”, “processes” and “processed” will be interpreted accordingly;

1.3. “Customer Personal Data” means any Customer Data that constitutes Personal Information or Personal Data that is collected or processed by Absolute as a Service Provider or Processor (as applicable) on behalf of Customer to provide the Products and Services, as further described in Annex I of this DPA;

1.4. “Data Protection Law” means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), the Swiss New Federal Act on Data Protection (“nFADP”), the UK General Data Protection Regulation, and the UK Data Protection Act 2018, each as applicable, and as may be amended or replaced from time to time;

1.5. “Data Subject Rights” means Consumers’ or Data Subjects’ rights to information, access, rectification, deletion, erasure, restriction, portability, objection, opt out of sale, not to be discriminated against for exercising certain rights, and not to be subject to automated individual decision-making, in accordance with and each to the extent required by Data Protection Law;

1.6. “Europe” means the EEA and Switzerland;

1.7. “International Data Transfer” means any transfer of Customer Personal Data from Europe or the United Kingdom to a country outside of Europe and the United Kingdom;

1.8. “Personal Data Breach” means any breach of Absolute’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by Absolute or its Subprocessors;

1.9. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as applicable and as may be amended or replaced from time to time.

1.10. “Subprocessor” means a Service Provider or Processor engaged by Absolute to process Customer Personal Data;

1.11. “Third-Party Controller” means a Business or Controller for which Customer is a Service Provider or Processor; and

1.12. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

2. Role of the Parties and Scope of Processing

2.1. Scope. This DPA and each of the provisions and obligations herein apply to the extent Absolute processes Customer Personal Data as a Service Provider or Processor (as applicable).

2.2. Role of the Parties. For the purposes of the Agreement and this DPA, Customer is a Business or Controller and appoints Absolute as a Service Provider or Processor on behalf of Customer. Each Party will collect, retain, use, disclose, and process Customer Personal Data under or in connection with the Products and Services in accordance with applicable Data Protection Law. If Customer is a Processor on behalf of a Third-Party Controller, then Customer is the single point of contact for Absolute; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.

2.3. Customer Responsibilities. Customer is responsible for compliance with applicable requirements to provide notice to Data Subjects of the use of Absolute as a Processor. The subject matter, nature and purpose of the processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I.

2.4. Absolute Responsibilities. Absolute will process Customer Personal Data to provide the Products and Services in accordance with Customer’s documented lawful instructions, which are deemed given, for the following purposes: (i) processing in accordance with this DPA, the Agreement, and any applicable statement of work; (ii) processing initiated by Authorized Users in their use of the Products and Services; (iii) processing to anonymize Customer Personal Data and use it for Absolute’s own purposes; and (iv) processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of this DPA, the Agreement, and any applicable statement of work. Unless prohibited by applicable law, Absolute will inform Customer if it becomes aware that, or in its opinion, Customer’s instructions violate Data Protection Law. For example, if Absolute receives a subpoena or court order from a law enforcement agency, it will inform Customer of the request unless legally prohibited from doing so.

2.5. Cooperation with Customer Requests. Absolute will, taking into account the nature of the processing and the information available to Absolute, reasonably assist Customer to (a) respond to requests to exercise Data Subject Rights; (b) conduct data protection impact assessments and prior consultations with Supervisory Authorities; and (c) notify an impacted Data Subject of a Personal Data Breach when required by law. Customer will be responsible for any reasonable costs arising from Absolute’s assistance.

3. Security and Audits

3.1. Security Measures. Absolute will implement technical and organizational measures, appropriate to the risk, to protect Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure, as set out in the Absolute Security Standards referenced in Annex II. Absolute may modify the Absolute Security Standards from time to time, but will continue to provide at least the same level of security as is described in the Absolute Security Standards. Absolute will ensure that all personnel authorized to process Customer Personal Data are subject to an obligation of confidentiality.

3.2. Personal Data Breach Response. Absolute will notify Customer without undue delay after becoming aware of a Personal Data Breach. Absolute will make commercially reasonable efforts to identify the cause of the Personal Data Breach and take those steps as Absolute deems necessary and reasonable in order to remediate the cause of the Personal Data Breach to the extent the remediation is within Absolute’s reasonable control. This provision will not apply to Personal Data Breaches that are caused by Customer or Customer’s users.

3.3. Audit. As required by Data Protection Law, Absolute will provide Customer with a summary of Absolute’s audit reports, including any information reasonably necessary to demonstrate Absolute’s compliance with the obligations of this DPA; provided, that Absolute may redact any confidential or commercially sensitive information in such reports. If the GDPR applies to the Processing, Absolute will allow for and contribute to audits, including inspections, requested no more than once per year by the Customer only if Absolute’s audit reports do not demonstrate Absolute’s compliance with Data Protection Law. Such audits are conducted at Customer’s sole expense, and performed by an independent auditor as agreed by Company and Absolute. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption to Absolute’s business.  

4. Subprocessing

4.1. Authorized Subprocessors. Customer acknowledges and agrees that Absolute may engage Subprocessors. A list of Absolute’s current Subprocessors is available at www.absolute.com/company/legal/absolute-sub-processors. Absolute will enter into a written agreement with Subprocessors which imposes on the Subprocessors materially the same obligations as those imposed on Absolute under this DPA.

4.2. Changes to Subprocessors. Customer acknowledges and agrees that Absolute will notify Customer of any intended addition or replacement of Subprocessors through updating its list of Subprocessors referred to in Section 4.1. Customer may object to the addition or replacement of a Subprocessor within thirty (30) days following Absolute’s update of its list of Subprocessors. If Customer’s objection is based on reasonable grounds relating to a potential or actual violation of Data Protection Law, then Customer and Absolute will work together in good faith to address Customer’s objection.

5. Data Transfers

5.1. International Data Transfers. Customer agrees that Absolute may perform International Data Transfers: (a) to any country deemed adequate by the EU Commission or the UK government, as applicable, including Canada; (b) on the basis of appropriate safeguards in accordance with Data Protection Law; or (c) pursuant to the Standard Contractual Clauses referred to in Section 5.2 or Section 5.3. If Absolute’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of its control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Absolute will work together in good faith to reasonably resolve such non-compliance.

5.2. Data Transfers from Europe. By signing this DPA, Customer and Absolute agree to the terms of MODULE TWO of the Standard Contractual Clauses (Controller-to-Processor) and, to the extent Customer is a Processor on behalf of a Third-Party Controller, MODULE THREE of the Standard Contractual Clauses (Processor-to-Subprocessor), which are hereby incorporated into this DPA by reference. The Parties hereby agree that where the Standard Contractual Clauses apply, they shall be completed as follows: the “data exporter” is Customer; the “data importer” is Absolute;  the optional Clause 7 is kept; in Clause 9(a), Option 1 is struck and Option 2 is kept and the time period therein is thirty (30) days;  in Clause 11, the optional language is struck; in Clause 17 and 18, the Governing law and the competent courts are those of Ireland; and  Annex I and II to the Standard Contractual Clauses are Annex I and II to this DPA, respectively. With respect to International Data Transfers from Switzerland, the Standard Contractual Clauses shall apply, provided that: Data Subjects who have their habitual residence in Switzerland may bring claims under the Standard Contractual Clauses before the courts of Switzerland; references to the GDPR shall be understood as references to the nFADP insofar as the data transfers are subject to the nFADP; and the competent Supervisory Authority shall be the Federal Data Protection and Information Commissioner (FDPIC) insofar as the data transfer is governed by the nFADP.

5.3. Data Transfers from the UK. By signing this DPA, Customer and Absolute conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Absolute, their details are set forth in this DPA, and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 5.2; (iii) in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are  Annex I and II to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

6. California Consumer Privacy Act

6.1. Consideration. Absolute acknowledges that the exchange of Customer Personal Data between Customer and Absolute does not form part of any monetary or valuable consideration exchanged between Customer and Absolute with respect to the Agreement or this DPA.

6.2. Use of Customer Personal Data. Except as otherwise expressly permitted by applicable law, Absolute shall not: (i) sell or share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than for the business purposes specified in the Agreement or this DPA, or as otherwise permitted by applicable Data Protection Laws; (iii) retain, use, or disclose Customer Personal Data for a commercial purpose other than the business purposes specified in the Agreement, unless expressly permitted by applicable Data Protection Laws; (iv) retain, use, or disclose  Customer Personal Data outside of the direct business relationship between Customer and Absolute, unless expressly permitted by applicable Data Protection Laws; or (v) combine Customer Personal Data with Personal Information that it receives from, or on behalf of, sources other than Customer, except as provided under applicable Data Protection Laws.  Notwithstanding any provision to the contrary of the Agreement or this DPA, the terms of this Section 6.2 will not apply to Absolute’s processing of Customer Personal Data that is exempt from Data Protection Law, including under Cal Civ. Code § 1798.145(a).

6.3. Compliance Assurance. Customer has the right to take reasonable and appropriate steps to ensure that Absolute uses Customer Personal Data consistent with Customer’s obligations under applicable Data Protection Laws.

6.4. Compliance Remediation. Absolute shall promptly notify Customer if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Upon receiving notice from Absolute in accordance with this subsection, Customer may direct Absolute to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

7. Termination and Return or Deletion of Customer Personal Data

7.1. This DPA is terminated upon the termination of the Agreement. Customer may obtain the return of Customer Personal Data using the features or functionality accessible in Customer’s account for the applicable Products, or if no such features or functionality are available, Customer may request the return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Absolute will delete or anonymize all remaining copies of Customer Personal Data following termination of the Agreement.

8. Limitation of Liability

8.1. Each party’s liability arising out of or related to this DPA, including the Standard Contractual Clauses, if applicable, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement.

9. Invalidity and Severability

9.1. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

ANNEX I

A.  LIST OF PARTIES

Data exporter(s): Customer 

Name: Customer (as defined above)

Address: As set forth in the applicable Order Form or in the Customer’s account for the Products and Services

Contact person’s name, position and contact details: As set forth in the applicable Order Form or in the Customer’s account for the Products and Services

Activities relevant to the data transferred under these Clauses: Customer may elect to transfer Personal Data to Absolute in connection with the receipt of Products and Services identified in the applicable Order Form.

Signature and date: By using the Products and Services to transfer Customer Personal Data to Absolute, the data exporter will be deemed to have signed this Annex I.

Role: Controller or Processor on behalf of Third-Party Controller

Data importer(s): Absolute 

Name: Absolute (as defined above)

Address: Suite 980 Howe Street, Suite 1400, Vancouver, BC  V6Z 0C8

Contact person’s name, position and contact details: privacy@absolute.com

Activities relevant to the data transferred under these Clauses: Absolute Processes Customer Personal Data received from Customer in connection with the provision of Products and Services identified in the applicable Order Form.

Signature and date: By transferring Customer Personal Data on Customer’s instructions, Absolute will be deemed to have signed this Annex I.

Role: Processor 

B. DESCRIPTION OF TRANSFER 

Categories of Data Subjects whose Personal Data is transferred in connection with the Products and Services:

# Category
1 Customer’s users of end point devices or, as applicable, servers
2 Customer’s administrative personnel responsible for maintenance and support of Customer’s account with Absolute

Categories of Personal Data transferred in connection with the Products and Services:

# Category
1 For Secure Endpoint Products and Services: As applicable, endpoint device information, including computer make and model, computer serial number, system bios version, computer name, OS information, HDD serial number, HDD model, HDD firmware revision, battery device ID, computer UUID, gateway strings, RAM serial number, MAC address, NIC adapter name, IP address, device location, installed application information, encryption and anti-virus information, file status information, custom device or file data or metadata that has been defined and enabled by Customer, and device usage information. Further details can be found in the applicable Documentation for the Products and Services.
2 For Secure Access Products and Services: As applicable, network, performance and usage information from endpoint devices, including computer name, computer make and model, computer serial number, OS information, IMEI, gateway strings, MAC address, NIC adapter name, IP address, logged-in username, phone number, adapter serial number, application names and usage information, correlated with device location. Further details can be found in the applicable Documentation for the Products and Services.
3 For Syxsense Products and Services:  As applicable, CPU/Processor information, network adapter information, MAC address information, BIOS/UEFI information, operating system information, installed application information, antivirus/security information, IP addresses, system accounts, user profiles, power management settings, user account security settings, system access control lists, user profile information, and login sessions.  Further details can be found in the applicable Documentation for the Products and Services.
4 Account information, including name, contact information and login credentials.

Categories of sensitive data transferred in connection with the Products and Services:

# Category
1 None.

Frequency and Nature of the Processing:

The data is transferred on a continuous basis. The Personal Data transferred will be subject to the following processing operations.

  • to provide the Products and Services, including storage of data for the Products and Services;
  • to resolve technical or administrative issues, provide routine maintenance and technical support, billing and invoicing, and otherwise comply with Absolute’s own legal obligations; and
  • to optimize and improve the Products and Services, including quality control checks, product development, research leading to new product offerings, and other business purposes as described in the DPA.

Purpose(s) of the Data Transfer and Further Processing

The purpose of the data transfer is to provide the Products and Services, including the Hosted Service, Software, the Professional Services, Support Services, and any other deliverables or services provided to Customer pursuant to an Order Form, each as defined and further described in the Agreement.

Retention Period.

Different data retention periods apply depending on the applicable service. When determining the specific retention period, Absolute considers various factors, such as the type of service provided to the Customer, the nature and length of our relationship with the Customer, and mandatory retention periods provided by law and the statute of limitations. 

Transfers to (sub-) processors

The descriptions set forth above in this Section B apply to data transferred to Subprocessors. 

C. COMPETENT SUPERVISORY AUTHORITY

  • The competent Supervisory Authority for Processing of Personal Data relating to Data Subjects located in the EEA is defined by Customer.
  • The competent Supervisory Authority for Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
  • The competent Supervisory Authority for Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Domain Practices
Organization of Information Security
  • Absolute has a team dedicated to Information Security
  • The Information Security program is supported by the Absolute executive team
  • Absolute has an information security policy that is reviewed annually and approved by management
Human Resources Security
  • Performs pre-hiring background check on personnel
  • Performs annual information security training
Physical and Environmental Security
  • Only authorized users are permitted physical access to customer data processing centers
  • Uses data center and hosting providers with physical and environmental controls
Communications and Operations Management
  • Encrypts customer data in transit and at rest
  • Implements network protections including firewalls, VPNs, IDS, and where possible IPS
Access Control
  • Least privilege access to networks and systems
  • Requires MFA for remote access
Information Security Incident Management
  • Implements a formalized Security and Privacy Incident Response program
Security Operations
  • Annual penetration testing
  • Ongoing vulnerability management
  • Controls to detect and prevent malware
  • Generates and monitors event log information
Disaster Recovery
  • Maintains DR plan to support continued operations
  • Tests plan at least annually
Third-party Supplier Management
  • Maintains a third-party supplier program to review, assess, and monitor the security and privacy controls of third-party vendors
System Development
  • Provides secure coding training to developers
  • Implements security testing as a component of the SDLC
  • Segregated development, testing, and production environments