Revision Date: 18 December 2022
If this Data Processing Addendum (“Addendum”) is expressly incorporated by reference into the Main Agreement (as defined in clause 2) between Sophos Limited, a company registered in England and Wales number 2096520, with its registered office at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP, UK (“Supplier”) and a customer of Supplier (“Customer”), this Addendum forms part of the Main Agreement and is effective between the Supplier and the Customer.
Capitalized terms used in this Addendum are defined as set forth in clause 2 below. If you wish to view this Addendum in another language, visit any of the following pages: Spanish, French, Italian, Brazilian Portuguese, German, Chinese Traditional, Chinese Simplified and Japanese. In the event of a conflict, the English version of the Addendum shall control.
1. PREAMBLE
- 1.1. The parties have entered into the Main Agreement regarding the provision by the Supplier to the Customer of certain products and/or services (collectively, “Products”).
- 1.2. If the Main Agreement is an MSP agreement in similar form to the MSP agreement located at https://www.sophos.com/en-us/legal/sophos-msp-partner-terms-and-conditions (“MSP Agreement”), the Customer is a managed service provider (“MSP”). If the Main Agreement is an OEM agreement under which the Customer is authorised to distribute, sublicense, or make available to third parties Supplier Products in combination with the Customer’s products as part of a bundled unit (“OEM Agreement”), the Customer is an original equipment manufacturer (“OEM”). Otherwise, the Customer is an end user (“End User”).
- 1.3. The provision of the Products may include the collection, use, and other processing of Controller Personal Data by the Supplier on behalf of Customer. This Addendum sets forth the obligations of the parties with respect to such Processing and supplements the terms and conditions of the Main Agreement.
- 1.4. Notwithstanding any other term of the Agreement or this Addendum, the parties agree that the Controller Personal Data shall not include contact information, payment or billing information, or other Personal Data about business contacts and Customer administrators, including name, email address and contact information, which Supplier collects and Processes on its own behalf in order to manage its customer relationships, communicate with current, former and prospective customers and business partners, and otherwise administer its business relationships (“CRM Data”).
- 1.4.1. Supplier is a Controller for CRM Data and will Process CRM data in accordance with its obligations under Applicable Data Protection Law and the Supplier Group Privacy Notice.
- 1.4.2. Except with respect to Section 1.4.1, the obligations of Supplier pursuant to this Addendum shall not apply to CRM Data.
- 1.5. The Main Agreement, this Addendum and the documents expressly referenced in the Main Agreement and this Addendum shall constitute the entire agreement between the parties in relation to personal data collected, processed and used by the Supplier on behalf of the Customer in connection with the Main Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
2. DEFINITIONS
- 2.1. In this Addendum, the following terms shall have the following meanings:
“Applicable Data Protection Laws” means, to the extent applicable: (a) EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or "GDPR"); (b) the e-Privacy Directive (EU Directive 2002/58/EC); (c) the CCPA; and (d) any and all applicable national data protection legislation, including legislation made under or pursuant to (a) or (b); in each case as may be amended or superseded from time to time.
“Beneficiary” has the meaning given to it in the MSP Agreement.
“CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act of 2020), codified at Cal. Civ. Code §§ 1798.100 - 1798.199.100 and the California Consumer Privacy Act Regulations issued thereto, Cal. Code Regs. tit. 11, div. 6, ch. 1, each as amended.
“Clauses” shall have the meaning ascribed to it in the SCCs.
“Controller” means either: (a) the Customer, if the Customer is an End User; (b) the Beneficiary, if the Customer is an MSP; or (c) the End Customer, if the Customer is an OEM.
“Controller Personal Data” means the Personal Data which Supplier Processes on behalf of Controller pursuant to the Services.
“Controller to Processor Clauses” means the Module Two Clauses to the SCCs.
“CRM Data” means contact information, payment or billing information, or other Personal Data about business contacts and Customer administrators, including name, email address and contact information, which Supplier collects and Processes on its own behalf in order to manage its customer relationships, communicate with current, former and prospective customers and business partners, and otherwise administer its business relationships.
“Data Subject” means the individual to whom the Sophos Personal Data relates.
“Data Subject Requests” means any requests from Data Subjects exercising rights pursuant to Applicable Data Protection Laws including their rights of access, deletion and correction.
“EEA” means the European Economic Area, including (a) the Member States of the European Economic Area (“EEA”), and (b) the United Kingdom.
“End Customer” has the meaning given to it in the OEM Agreement.
"Europe" (and "European") means (a) the Member States of the European Economic Area (“EEA”), and (b) the United Kingdom.
“Hosted Products” mean the Products listed in Exhibit 3.
“ICO” means The Information Commissioner’s Office established in the United Kingdom.
“Main Agreement” means, collectively, the written agreement(s), including any exhibits, addenda and amendments thereto, pursuant to which Supplier provides certain Services to Customer.
“Personal Data” means any information that identifies, could be used to identify or is otherwise linked or reasonably linkable with a particular individual or household, as well as any information defined as “personal data,” “personal information” or equivalent term under applicable Data Protection Laws and Regulations.
“Personal Data Breach” means a breach of security (other than those caused by the Customer or its users) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data processed by the Supplier under this Addendum.
“Processor” means a person or entity that Processes Personal Data on behalf and under the instructions of the Controller, including any entity acting as a “service provider” pursuant to the CCPA.
“Restricted Transfer” means a transfer of Controller Personal Data by Customer to Supplier, where such transfer would be prohibited by Applicable Data Protection Laws in the absence of the applicable Standard Contractual Clauses and where applicable the UK Addendum.
“Sensitive Data” means “special categories of personal data,” “sensitive personal data,” “sensitive data,” and any equivalent term as defined under Applicable Data Protection Laws.
“Services” means any and all products provided and/or services performed by Supplier pursuant to the Main Agreement.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by the European Commission implementing decision (EU) 2021/914 of 4 June 2021.
“Subprocessor” means any person or entity (excluding any employee of Supplier) appointed by or on behalf of Supplier that processes Controller Personal Data.
“Supervisory Authority” means the competent regulatory authority with regard to applicable Data Protection Laws and Regulations, including where applicable a supervisory authority as defined under the GDPR.
“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the ICO, as amended or replaced from time to time by a competent Supervisory Authority under the relevant data protection laws of the UK.
- 2.2. In this Addendum, the lower case terms "controller", "processor", "data subject", "personal data" and "processing" (and derivatives thereof) shall have the meanings given in Applicable Data Protection Law.
3. SCOPE
- 3.1. The subject matter and duration of the Supplier's processing of Controller Personal Data, including the nature and purpose of the processing, the types of Controller Personal Data to be processed, and the categories of data subjects, shall be as described in: (a) this Addendum; (b) the Main Agreement; (c) any instructions in Exhibit 1 (Data Processing Instructions); and (d) the Customer’s instructions issued in accordance with clause 4 below.
- 3.2. The Customer is responsible for ensuring (a) that the Controller has a lawful basis for the processing of Controller Personal Data that will be carried out by the Supplier on Customer’s behalf; (b) that the Controller has obtained all necessary consents from data subjects that may be required for the processing of Controller Personal Data by the Customer and the Supplier (including, without limitation, in relation to Sensitive Data); and (c) that it is otherwise compliant with, and will ensure its instructions to the Supplier for the processing of Controller Personal Data comply in all respects with, Applicable Data Protection Laws.
- 3.3. The parties agree that Supplier is a Processor or Subprocessor for Controller Personal Data, and Customer is either (a) the Controller where Customer is an End User, or (b) a Processor (for a third party controller) where Customer is an MSP or OEM.
4. CUSTOMER INSTRUCTIONS
- 4.1. Customer instructs Supplier to process the Controller Personal Data as reasonably necessary to provide and perform the Services and as otherwise set forth herein and in the Main Agreement. The Supplier shall process the Controller Personal Data in accordance with the Customer's documented processing instructions, as set forth herein, except (a) where otherwise agreed in writing between the Supplier and the Customer; or (b) where required by law to which the Supplier is subject (in which event, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits the provision of such information).
- 4.2. If the Supplier becomes aware that the Customer's processing instructions infringe Applicable Data Protection Laws (without imposing any obligation on the Supplier to actively monitor the Customer's compliance), it will promptly notify the Customer of same and suspend processing of the Controller Personal Data.
- 4.3. Without limiting the foregoing, to the extent the California Consumer Privacy Act (“CCPA”) applies to the Controller Personal Data, Supplier further agrees that:
- 4.3.1. Supplier will not use, disclose or otherwise process Controller Personal Data except for the specific purpose of performing the Services, in accordance with the terms of this Addendum and the Main Agreement, and as otherwise required by applicable laws. Notwithstanding the foregoing:
- a. Supplier may engage Subprocessors to process Controller Personal Data, subject to the terms of Section 7;
- b. Supplier will not process Controller Personal Data outside of the direct business relationship between Customer and Supplier or for Supplier’s own commercial purposes; notwithstanding the foregoing, the Parties agree that to the extent the CCPA applies, Supplier will only Process the Controller Personal Data for the specific business purposes set forth in the Main Agreement and this Addendum or for another purpose expressly authorized pursuant to the CCPA regulations;
- c. Supplier will not “share” or “sell” (as those terms are defined under the CCPA) any Controller Personal Data;
- d. Supplier will (and will procure that each Subprocessor will) comply with its obligations pursuant to the CCPA and will provide the same level of privacy protection as is required by the CCPA; and
- e. If Supplier believes it will be unable to comply with the terms of this Addendum or Applicable Data Protection Laws, Supplier will promptly notify Customer and grant Customer the right to take reasonable and appropriate steps to ensure that the Controller Personal Data is processed in a manner that is consistent with the Controller’s obligations under the CCPA; and
- f. Supplier will not retain Controller Personal Data upon the expiration or termination of the Main Agreement, except as set forth in Section 8.
5. DUTIES OF THE SUPPLIER
- 5.1. All Supplier personnel who process the Controller Personal Data shall be adequately trained with respect to their data protection, security and confidentiality obligations, and shall be subject to written or statutory obligations to maintain confidentiality.
- 5.2. The Supplier will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to protect the Controller Personal Data against a Personal Data Breach. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons so as to ensure a level of security that is appropriate to the risk. In particular, the measures taken by the Supplier shall include those described in Exhibit 2 of this Addendum. The Supplier may change or amend the technical and organisational measures described in Exhibit 2 without the prior written consent of the Customer provided that the Supplier maintains at least an equivalent level of protection. Upon request by the Customer, the Supplier will provide an updated description of the technical and organisational measures in the form as presented in Exhibit 2.
- 5.3. The Supplier shall follow the requirements specified in clause 7 below for engaging any Subprocessor to process Controller Personal Data.
- 5.4. The Supplier shall follow the requirements specified in clause 8 below for assisting the Customer to respond to enquiries from third parties, including any requests from data subjects to exercise their rights under Applicable Data Protection Laws.
- 5.5. Upon confirming the occurrence of any Personal Data Breach, the Supplier shall inform the Customer without undue delay and shall provide all such timely information and cooperation as the Customer may reasonably require in order for the Customer (and, if the Customer is an MSP or OEM, its Controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. The Supplier shall further take such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Personal Data Breach and shall keep the Customer informed of developments in connection with the Personal Data Breach.
- 5.6. The Supplier shall provide the Customer (or, if the Customer is an MSP or OEM, its Controller) with such reasonable and timely assistance as the Customer (or, as applicable, the Controller) may require in order to conduct a data protection impact assessment or other assessment required to be conducted by Applicable Data Protection Laws and, if necessary, consult with its relevant data protection authority. Such assistance shall be provided at the Customer's expense.
- 5.7. The Supplier shall, unless otherwise required by applicable law, delete the Controller Personal Data within a reasonable period of time following termination or expiry of this Addendum, unless prohibited by applicable law. Upon request, Supplier will confirm to Customer that such Controller Personal Data has been deleted in accordance with this Addendum. If Supplier is required by applicable laws to retain any Controller Personal Data, the Supplier shall take steps to ensure the continued confidentiality and security of the Controller Personal Data for so long as it is retained.
6. AUDIT RIGHTS OF THE CUSTOMER
- 6.1. The Customer acknowledges that the Supplier is regularly audited against SSAE 18 SOC 2 standards by independent third party auditors. Upon reasonable request, the Supplier shall supply a copy of its SOC 2 audit report to the Customer, which report shall be subject to the confidentiality provisions of the Main Agreement as the Supplier’s confidential information. The Supplier shall also respond to reasonable written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once per year.
- 6.2. If in Customer’s reasonable opinion, the materials provided under clause 6.1 are insufficient to demonstrate Supplier’s compliance with this Addendum, Customer may request in writing and subject to clause 6.2 (a) - (d) herein, that Supplier make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum (including the Standard Contractual Clauses to the extent applicable) and allow for and contribute to audits, including inspections, by Customer or Customer’s independent, third-party auditor that is not a competitor of Supplier of the Processing activities that are covered by this Addendum.
- a. Prior to requesting a review or audit pursuant to this clause 6.2, Customer will take into account the relevant Supplier third-party certifications and audits described under clause 6.1;
- b. Customer will give Processor reasonable notice, at least 60 days in advance, of a request to conduct an audit or inspection under this clause 6.2, and will take (and ensure that each of its auditors takes) reasonable measures to avoid and prevent any damage or injury and minimize any disruption from such audit or inspection;
- c. An audit or inspection will be conducted no more than once annually, except where required by a Supervisory Authority or Applicable Data Protection Laws; and
- d. Customer shall bear the full costs of any such audit and shall reimburse Supplier for reasonable costs and expenses incurred by Supplier pursuant to such audits, including any time expended by the Supplier, its Affiliates or its Subprocessors for any such audit or inspection at Supplier’s then-current professional services rates, which shall be made available to Customer upon request.
7. SUBPROCESSORS
- 7.1. The Customer consents to the use of Supplier’s existing Subprocessors as at the date of this Addendum, which are listed at https://www.sophos.com/en-us/legal (“Subprocessor List”), as well as the Supplier Affiliates. The Customer expressly consents to Supplier’s engagement of additional third party Subprocessors (each a “New Subprocessor”) subject to the terms set forth in this clause 7. The Supplier will provide Customer with thirty (30) days’ notice prior to the addition of any New Subprocessor, which notice may be given by posting details of such addition to the Subprocessor List.
- 7.2. If the Customer does not object in writing to the Supplier’s appointment of a New Subprocessor (on reasonable grounds relating to the protection of Controller Personal Data) within 30 days of the Supplier adding that New Subprocessor to the Subprocessor List, the Customer agrees that it will be deemed to have consented to that New Subprocessor. If the Customer provides such a written objection to the Supplier, the Supplier will notify the Customer in writing within 30 days that either: (a) the Supplier will not use the New Subprocessor to process the Controller Personal Data; or (b) the Supplier is unable or unwilling to do so. If the notification in paragraph (b) is given, the Customer may, within 30 days of such notification, elect to terminate this Addendum and the Main Agreement as to the affected processing upon written notice to the Supplier and Supplier shall for Customers located within the European Economic Area and UK only, authorize a pro rata refund or credit of any prepaid fees for the period remaining after the termination. However, if no such notice of termination is provided within that timeframe, the Customer will be deemed to have consented to the New Subprocessor. The Supplier will impose data protection terms on New Subprocessors that impose equivalent protections for the Controller Personal Data as provided for by this Addendum. The Supplier will remain fully liable for the performance of each Subprocessor’s obligations.
8. INQUIRIES OF THIRD PARTIES
- 8.1. The Supplier shall notify the Customer of any privacy request, correspondence, enquiry or complaint it receives from a data subject, regulator or other third party in connection with the processing of the Controller Personal Data providing full details of the same but shall not directly respond to the data subject, except where otherwise required by law.
- 8.2. To the extent necessary, the Supplier will provide reasonable and timely assistance to the Customer (or, if the Customer is an MSP or OEM, the Controller), at the Customer's expense, to enable the Customer (or, if the Customer is an MSP or OEM, the Controller) to respond to: (a) a request from a data subject to exercise its rights under Applicable Data Protection Law (including, where applicable, its rights of access, correction, objection, erasure and data portability); and (b) a request received from a regulator or other third party in connection with the processing of the Controller Personal Data.
9. INTERNATIONAL DATA TRANSFERS
- 9.1. Certain Products may enable the Customer to select where to host the Controller Personal Data for such Products, including in data centres that may be located outside of the jurisdiction in which the data originates. Those locations may include (a) the European Economic Area, (b) the United Kingdom, (c) the United States of America; or another location as specified in the Main Agreement (“Central Storage Location”). This selection takes place at the point of Product installation, account creation, or first use of the relevant Product. Once selected, the Central Storage Location cannot be varied at a later date.
- 9.2. The Customer hereby acknowledges and expressly consents, regardless of the selected Central Storage Location (if relevant), to Restricted Transfers, subject to compliance with the obligations set out in this clause 9.
- 9.3. With respect to any Restricted Transfers:
- 9.3.1. The SCCs and the UK Addendum are expressly incorporated hereto and form a part of this Addendum;
- 9.3.2. Subject to Section 9.3.3 and Exhibit 4 hereto, Customer and Supplier hereby enter into and agree to: (i) the SCCs, which shall apply to the extent of a Restricted Transfer of Controller Personal Data to Supplier; and (ii) the UK Addendum, which shall apply to, and modify and supplement the SCCs with respect to, any Restricted Transfer of Controller Personal Data that is subject to the Data Protection Laws and Regulations of the United Kingdom; and
- 9.3.3. Module 2 of the SCCs shall apply, subject to the terms of Exhibit 4 hereto.
- 9.4. The Appendix to the SCCs shall be completed as set out in Exhibit 4 below.
10. DURATION
- 10.1. This Addendum commences upon (a) execution by both parties of the Main Agreement or (b) the date on which the Main Agreement becomes effective, if later, and continues until the earlier of: (i) the expiry of the Customer’s entitlement to use and receive the Products, as noted in the Main Agreement or on any associated license entitlement; and (ii) the termination of the Main Agreement.
11. OTHER REGULATIONS
- 11.1. Modifications of and amendments to this Addendum must be made in writing. This also applies to changes and modifications to this clause 11.1.
- 11.2. In no event shall the Supplier's liability to the Customer in connection with any issue arising out of, or in connection with, this Addendum exceed the Supplier's limitations on liability set out in the Main Agreement. The Supplier's limitations on liability as set out in the Main Agreement shall apply in aggregate across both the Main Agreement and this Addendum, such that a single limitation on liability regime shall apply across both the Main Agreement and this Addendum.
- 11.3. This Addendum shall (excluding the SCCs) be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of laws principles. To the extent permitted by applicable law, the courts of England shall have exclusive jurisdiction to determine any dispute or claim that may arise out of, under, or in connection with this Addendum.
- 11.4. To the extent of any conflict between the terms of this Data Processing Addendum and the terms of any SCCs entered into by the parties, the terms of the applicable SCCs (including any Annexes thereto) shall take precedence.
12. CHANGES IN LAW
- 12.1. If any amendment to this Addendum is required as a result of a change in Applicable Data Protection Laws, then either party may provide written notice to the other party of that change in law. The parties will discuss and negotiate in good faith any necessary variations to this Addendum to address such changes. The parties will not unreasonably withhold consent or approval to amend this Addendum pursuant to this Section 12 or otherwise.
- 12.2. In the event the Standard Contractual Clauses or the UK Addendum are replaced, updated or superseded with a new version (“New Clauses”), Customer agrees that Supplier may, upon prior written notice to Customer, update this Addendum as necessary to incorporate such New Clauses, as an amendment to or replacement of the prior Standard Contractual Clauses or UK Addendum.
Exhibit 1
DESCRIPTION OF PROCESSING
This Exhibit 1 describes the processing that the Supplier will perform on behalf of the Customer.
(a) Subject matter, nature and purpose of the processing operations
The Controller Personal Data will be subject to the following basic processing activities (please specify):
- Providing the Products purchased by the Customer under and pursuant to the Main Agreement
- Providing account management and customer technical support services
The Supplier provides Products that are designed to detect, prevent, and manage, or assist the Supplier to detect, prevent, and manage security threats within or against systems, networks, devices, files, and other data made available by the Customer. The content of any information held in these systems, networks, devices, files and other data is determined solely by the Customer and not by the Supplier.
(b) Duration of the processing operations:
The Controller Personal Data will be processed for the following duration (please specify):
- The duration specified in the Main Agreement (or for the term of the Main Agreement, if not otherwise specified).
(c) Data subjects
The Controller Personal Data concern the following categories of data subjects (please specify):
- Personnel and end users of Customers
- Other Data Subjects whose Personal Data is processed on behalf of Customer related to the Sophos Products
(d) Types of personal data
The Controller Personal Data concern the following categories of data (please specify):
- Usernames and other identifiers
- Network and network activity information
- Other information that may be transmitted or processed in connection with the Sophos Products
(e) Special categories of data (if appropriate)
The Controller Personal Data concern the following special categories of data (please specify):
- Unless otherwise specified, the Supplier’s Products are not designed to process special categories of data.
Exhibit 2
TECHNICAL AND ORGANISATIONAL MEASURES
Certain of these measures may only be relevant or applicable to Hosted Products.
- Physical Access Control.
(a) Sophos has a physical access control policy;
(b) All staff carry ID / access badges;
(c) Entrances to facilities are protected by access badges or keys;
(d) Facilities are divided into (i) public access areas (such as reception areas), (ii) general staff access areas, and (iii) restricted access areas which may only be accessed by those personnel with an express business need;
(e) Access badges and keys control access to restricted areas within each facility according to an individual’s authorised access levels;
(f) Access levels for individuals are approved by senior staff members and are verified on a quarterly basis;
(g) Reception and/or security staff are present at entrances to larger sites;
(h) Facilities are protected by alarms;
(i) Visitors are pre-registered and visitor logs are maintained.
- System Access Control.
(a) Sophos has a logical access control policy;
(b) The network is protected by firewalls at each Internet connection;
(c) The internal network is segmented by firewalls based on application sensitivity;
(d) IDS and other threat detection and blocking controls run on all firewalls;
(e) Filtering of network traffic is based on rules that apply the principle of “least access”;
(f) Access rights are only granted to authorised personnel to the extent and for the duration necessary in order to perform their job roles and are reviewed quarterly;
(g) Access to all systems and applications is controlled by a secure log-on procedure;
(h) Individuals have unique user IDs and passwords for their own use;
(i) Passwords are strength tested and changes are enforced to weak passwords;
(j) Screens and sessions automatically lock after a period of inactivity;
(k) Sophos malware protection products are installed as standard;
(l) Regular vulnerability scans are conducted on IP addresses and systems;
(m) Systems are patched on a regular cycle with a prioritisation system for fast-tracking urgent patches.
- Data Access Control.
(a) Sophos has a logical access control policy;
(b) Access rights are only granted to authorised personnel to the extent and for the duration necessary in order to perform their job roles and are reviewed quarterly;
(c) Access to all systems and applications is controlled by a secure log-on procedure;
(d) Individuals have unique user IDs and passwords for their own use;
(e) Passwords are strength tested and changes are enforced to weak passwords;
(f) Screens and sessions automatically lock after a period of inactivity;
(g) Laptops are encrypted using Sophos encryption products;
(h) Senders are directed to consider file encryption prior to sending any external email.
- Input Control.
(a) Access to all systems and applications is controlled by a secure log-on procedure;
(b) Individuals have unique user IDs and passwords for their own use;
(c) The Sophos Central Products use transport layer encryption to protect data in transit;
(d) Communication between the client software and the backend Sophos system is performed over HTTPS to secure the data in transit, establishing trusted communication via certificates and server validation.
- Subcontractor Control.
(a) Subcontractors with access to data undertake an IT security vetting procedure prior to onboarding and as required thereafter;
(b) Contracts contain appropriate confidentiality and data protection obligations based on the subcontractor’s duties.
- Availability Control.
(a) Sophos protects its premises from fire, flood and other environmental hazards;
(b) Back-up generators are available to maintain power supplies in the event of power outages;
(c) Data centres and server rooms use climate controls and monitoring;
(d) The Sophos Central system is load balanced and has failover between three sites, each running two instances of the software, any one of which is capable of providing the full service.
- Segregation Control.
(a) Sophos maintains and applies a quality control process for the deployment of new customer products;
(b) Testing and production environments are separate;
(c) New software, systems and developments are tested prior to release to the production environment.
- Organisational Control.
(a) Sophos has a dedicated IT security team;
(b) The Risk and Compliance team manage internal risk reporting and controls, which include reporting on key risks to management;
(c) An incident response process identifies and remedies risks and vulnerabilities on a timely basis;
(d) Each new employee undertakes data protection and IT security training;
(e) The IT Security department conducts quarterly security awareness campaigns.
Exhibit 3
HOSTED PRODUCTS
(a) Sophos Central
(b) Sophos Cloud Optix
(c) Central Device Encryption
(d) Central Endpoint Protection
(e) Central Endpoint Intercept X
(f) Central Endpoint Intercept X Advanced
(g) Central Mobile Advanced
(h) Central Mobile Standard
(i) Central Phish Threat
(j) Central Intercept X Advanced for Server
(k) Central Server Protection
(l) Central Mobile Security
(m) Central Web Gateway Advanced
(n) Central Web Gateway Standard
(o) Central Email Standard
(p) Central Email Advanced
(q) Central Wireless Standard
(r) Any other Sophos product that is administered and operated via Sophos Central
Exhibit 4
ADDITIONAL TERMS FOR RESTRICTED TRANSFERS
This Exhibit includes additional terms applicable to Restricted Transfers by or on behalf of Customer to Supplier, pursuant to the Addendum, as well as the information necessary to complete the Appendices (Annexes I – III) to the applicable SCCs.
By agreeing to the Addendum, the Parties agree to and thereby execute the SCCs in all relevant parts, subject to Section 9 of the Addendum and the terms of this Exhibit.
- 1. Capitalized terms used but not defined in this Exhibit or otherwise in the Addendum shall have the meanings ascribed to them under the SCCs and the UK Addendum, as applicable.
- 2. Module 2 of the SCCs shall apply, subject to the terms of this Exhibit, and the Appendix to the SCCs shall be completed with reference to Attachment A hereto.
- 3. For the purposes of the SCCs (Module 2):
- 3.1. Clause 7: the optional docking clause shall not apply;
- 3.2. Clause 9(a): Option 2 (General Authorization) shall apply and the data importer shall notify the data exporter in writing at least 30 days in advance of any intended changes.
- 3.3. Clause 11: the optional language shall not apply.
- 3.4. For purposes of Clause 13(a), the competent supervisory authority shall apply as follows:
- 3.4.1. Where the data exporter is established in an EU Member State, the supervisory authority will be the competent supervisory authority for the jurisdiction in which the data exporter is established;
- 3.4.2. Where the data exporter is established in the United Kingdom or the Restricted Transfer is subject to the Data Protection Laws and Regulations of the United Kingdom, the competent supervisory authority shall be the UK Information Commissioner’s Office;
- 3.4.3. Where the data exporter is established in Switzerland or the Restricted Transfer is subject to the Data Protection Laws and Regulations of Switzerland, the Swiss Federal Data Protection and Information Commissioner shall act as the competent supervisory authority; and
- 3.4.4. Where the data exporter is not established in an EU Member State, the United Kingdom or Switzerland, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2), the supervisory authority will be the competent supervisory authority for the jurisdiction in which the data exporter’s representative is established, namely the Data Protection Commissioner of Ireland.
- 4. For purposes of Clause 17 and Clause 18(b), respectively, the SCCs shall be governed by the laws of the Republic of Ireland and disputes will be resolved before the courts of Ireland, except that: (i) where the data exporter is established in Switzerland or the Restricted Transfer is subject to the Data Protection Laws and Regulations of Switzerland, the SCCs shall be governed by the laws of, and disputes will be resolved before the courts of, Switzerland; and (ii) where the data exporter is established in the United Kingdom or the Restricted Transfer is subject to the Data Protection Laws and Regulations of the United Kingdom, the SCCs shall be governed by the laws of, and disputes will be resolved before the courts of, the United Kingdom.
- 5. Additional Terms for Switzerland. Where the data exporter is established in Switzerland or the Restricted Transfer is subject to the Data Protection Laws and Regulations of Switzerland: (i) references in the SCCs to “European Union”, “Union” or “member state” shall mean Switzerland; (ii) references to the GDPR shall also include the reference to the equivalent provisions of the Swiss Federal Act on Data Protection (as amended or replaced); and (iii) the SCCs also apply to the transfer of information relating to an identified or identifiable legal entity to the extent such information is protected as Personal Data under the applicable Data Protection Laws and Regulations of Switzerland.
- 6. Additional Terms for the United Kingdom. Where the data exporter is established in the United Kingdom or the Restricted Transfer is subject to the Data Protection Laws and Regulations of the United Kingdom:
- 6.1. The SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK Addendum; and
- 6.2. For the purposes of Part One, Table 1 and Table 2 are completed with reference to Attachments A and B (as applicable) of this Exhibit, Table 3 is completed with reference to the information in this Exhibit, and for purposes of Table 4 the data importer may end the UK Addendum as set out in Section 19 of the UK Addendum.
Attachment A to Exhibit 4
APPENDIX TO THE SCCS (MODULE 2): CONTROLLER-TO-PROCESSOR RESTRICTED TRANSFERS
ANNEX I
A. LIST OF PARTIES
1. Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
| Field | Details |
|---|---|
| Name | As provided to Supplier under the Main Agreement |
| Address | As provided to Supplier under the Main Agreement |
| Other information needed to identify the Organisation | As provided to Supplier under the Main Agreement |
| Contact person’s Name | As provided to Supplier under the Main Agreement |
| Activities relevant to the data transferred under these SCCs | As set out in clause 3 to the Addendum above |
| Role | Controller |
Data Exporter Signature and Date: The SCCs (Module 2), together with this Appendix and the Annexes herein, are executed as part of the Addendum.
2. Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection.]
| Field | Details |
|---|---|
| Name | Sophos Limited (for and on behalf of its EU and Swiss subsidiaries) |
| Address | The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK |
| Other information needed to identify the Organisation | Registration number 2096520 |
| Contact person’s Name | Privacy Counsel |
| Activities relevant to the data transferred under these SCCs | In accordance with the Agreement |
Data Importer Signature and Date: The SCCs (Module 2), together with this Appendix and the Annexes herein, are executed as part of the Addendum.
B. DESCRIPTION OF TRANSFER
1.1. Categories of data subjects whose personal data is transferred.
- As set forth in Exhibit 1, Part A.
1.2. Categories of personal data transferred.
- As set forth in Exhibit 1, Part A.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous.
Nature of the processing
- Providing the Services procured by Sophos under and pursuant to the Agreement.
Purpose(s) of the data transfer and further processing
- Supplier will process Controller Personal Data as necessary to perform the Services pursuant to the Agreement and as instructed by Sophos in its use of the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Subject to Section 10 of the Addendum, Supplier will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- Supplier is authorised to use the Sub-processors as notified by Supplier to Sophos at the time of execution of the Agreement or the Addendum.
C. COMPETENT SUPERVISORY AUTHORITY
- As set out in Section 3.4 of Exhibit 4 to the Addendum.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
As set forth in Exhibit 2 to the Addendum.
ANNEX III – LIST OF SUB-PROCESSORS
Not applicable (The parties have agreed to Option 2 (General Authorization) with respect to Clause 9 (a) of the SCCs).