NOTE: If you wish to view this Data Processing Addendum in another language, visit any of the following pages: Spanish, French, Italian, Brazilian Portuguese, German and Japanese. In the event of a conflict, the English version of the Addendum shall control.
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part and is expressly incorporated into the agreement entered into between Sophos and Customer for the provision by Sophos to Customer of certain products and/or services (“Main Agreement”). Unless otherwise defined, all capitalised terms shall have the meanings given in Section 1 below.
1. DEFINITIONS
1.1 In this DPA, the following terms shall have the following meanings:
“Affiliate” means, with respect to each party, an entity that controls, is controlled by, or is under common control with such party. For the purposes of this definition, “control” means the beneficial ownership of more than fifty percent (50%) of the voting power or equity in an entity or the contractual or legal right to direct the management of such entity;
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Controller Personal Data under the Main Agreement, including, where relevant, the GDPR, the UK Data Protection Law and the CCPA;
“Beneficiary” has the meaning given to it in the MSP Agreement.
“CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act of 2020), codified at Cal. Civ. Code §§ 1798.100 - 1798.199.100, and the California Consumer Privacy Act Regulations issued thereto, Cal. Code Regs. tit. 11, div. 6, ch. 1, each as amended;
“Controller” means either: (a) the Customer, if the Customer is an End User; (b) the Beneficiary, if the Customer is an MSP; or (c) the End Customer, if the Customer is an OEM;
“Controller Personal Data” means the Personal Data which Sophos processes on behalf of Controller as part of providing the Services;
“Customer” means: (1) the managed service provider or the managed security service provider (each referred to as “MSP”) if the Main Agreement is between Sophos and a MSP ("MSP Agreement”), (2) the original equipment manufacturer (“OEM”) if the Main Agreement is with an OEM authorised to distribute, sublicense, or make available to third parties Sophos products in combination with its products as part of a bundled unit (“OEM Agreement”); (3) the end user (“End User”), if the Main Agreement is directly with the customer;
“Data Subject” means the individual to whom the Controller Personal Data relates;
“Data Subject Requests” means any requests from Data Subjects exercising rights pursuant to Applicable Data Protection Laws;
“EEA” means the European Economic Area, including the member states of the European Union;
“End Customer” has the meaning given to it in the OEM Agreement;
“EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by the European Commission implementing decision (EU) 2021/914 of 4 June 2021;
“GDPR” means the General Data Protection Regulation (EU) 2016/679, as amended from time to time;
“Personal Data” means “personal data” or “personal information”, as these terms are defined under Applicable Data Protection Laws, and includes any information relating to an identified or identifiable individual or household;
“Personal Data Breach” means a breach of security (other than caused by the Customer or its users) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data;
“Processor” means a person or entity that Processes Personal Data on behalf and under the instructions of a controller, including any entity acting as a “service provider” pursuant to the CCPA;
“Restricted Transfer” means a transfer of Personal Data to a Third Country where such transfer would be prohibited under European Data Protection Law in the absence of appropriate transfer mechanisms, such as binding corporate rules, or Standard Contractual Clauses;
“Services” means any products provided and/or services performed by Sophos pursuant to the Main Agreement;
“Sophos” means Sophos Limited, a company registered in England and Wales, number 2096520 with registered offices at The Pentagon, Abingdon, OX14 3YP, United Kingdom;
“Standard Contractual Clauses” or “SCCs” means: (i) where the GDPR applies to a Restricted Transfer, the EU SCCs; (ii) where the UK Data Protection Law applies to a Restricted Transfer, the UK Addendum; and (iii) where the Swiss DPA applies to a Restricted Transfer, the Swiss SCCs;
“Sub-Processor” means any entity appointed by Sophos to carry out data processing activities related to Controller Personal Data;
“Supervisory Authority” means the competent regulatory authority with regard to Applicable Data Protection Laws, including where applicable, a supervisory authority as defined under the GDPR;
“Swiss DPA” means the Swiss Federal Data Protection Act of 25 September 2020, as amended from time to time;
“Swiss SCCs” means the applicable standard data protection clauses for the transfer of Personal Data to Third Countries issued, approved or otherwise recognised by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”);
“Third Country” means a country outside the EEA, the United Kingdom (“UK”) or Switzerland that has not been designated by the European Commission or equivalent body or person in Switzerland or the UK as ensuring an adequate level of protection pursuant to data protection laws of the EEA, the UK or Switzerland (“European Data Protection Law”);
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the United Kingdom Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022;
“UK Data Protection Law” means the United Kingdom's Data Protection Act 2018 and the GDPR as retained into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 both as amended from time to time.
- 1.2. In this DPA, the lower-case terms "controller", "processor", "data subject", "personal data" and "processing" (and derivatives thereof) shall have the meanings given in Applicable Data Protection Law.
- 1.3. Capitalised terms not otherwise defined in this DPA shall have the meaning attributed to them in the Main Agreement.
2. SCOPE
- 2.1. This DPA applies where Sophos processes Controller Personal Data on behalf of Customer as part of providing the Services. The subject matter and duration of Sophos' processing of Controller Personal Data, the nature and purpose of the processing, the types of Controller Personal Data to be processed, and the categories of data subjects, shall be as described in: (a) this DPA; (b) the Main Agreement; (c) Exhibit 1 (Data Processing Details); and (d) the Customer’s instructions issued in accordance with Section 4 below.
- 2.2. The Customer is responsible for ensuring that the Controller (a) has a lawful basis for the processing of Controller Personal Data that will be carried out by Sophos on Customer’s behalf; (b) has obtained all necessary consents from data subjects that may be required for the processing of Controller Personal Data by the Customer and Sophos; and (c) is otherwise compliant with, and will ensure its instructions to Sophos for the processing of Controller Personal Data comply in all respects with, Applicable Data Protection Laws.
- 2.3. The parties agree that in relation to Controller Personal Data, Sophos is a Processor or sub-processor, and Customer is either (a) the Controller where Customer is an End User, or (b) a Processor for the Beneficiary or the End Customer, where Customer is an MSP or OEM, respectively.
3. CUSTOMER INSTRUCTIONS
- 3.1. Customer instructs Sophos to process the Controller Personal Data as reasonably necessary to provide and perform the Services and as otherwise set out in this DPA and the Main Agreement (“Customer Instructions”). Sophos shall process the Controller Personal Data in accordance with the Customer Instructions, except (a) where otherwise agreed in writing between Sophos and the Customer; or (b) as required by any law to which Sophos is subject (in which case, Sophos shall inform the Customer of that legal requirement before any processing, unless that law prohibits the provision of such information on important grounds of public interest). When Customer acts as a Processor with respect to Controller Personal Data, Customer shall ensure that the Customer Instructions have been authorised by the relevant Controller and do not conflict with any instructions issued by that Controller.
- 3.2. If Sophos becomes aware that the Customer Instructions infringe Applicable Data Protection Laws, it will promptly inform the Customer of the same and suspend processing of the Controller Personal Data.
- 3.3. Without limiting the foregoing, to the extent that the CCPA applies to the Controller Personal Data, Sophos further agrees that:
- a. Sophos will not use, disclose or otherwise process Controller Personal Data except for the specific business purpose of performing the Services, in accordance with the terms of this DPA and the Main Agreement, and as otherwise authorized by applicable laws;
- b. Sophos may engage Sub-Processors to process Controller Personal Data, subject to the terms of Section 6, and such engagement shall not be deemed a sale of Controller Personal Data;
- c. Sophos will not process Controller Personal Data outside of the direct business relationship between Customer and Sophos or for Sophos’s own commercial purposes;
- d. Sophos will not “share” or “sell” (as those terms are defined under the CCPA) any Controller Personal Data;
- e. Sophos will comply with its obligations pursuant to the CCPA and will provide the same level of privacy protection as is required by the CCPA;
- f. If Sophos believes it will be unable to comply with the terms of the CCPA, Sophos will promptly notify Customer and grant Customer the right to take reasonable and appropriate steps to ensure that the Controller Personal Data is processed in a manner that is consistent with the Controller’s obligations under the CCPA;
- g. Sophos will not retain Controller Personal Data upon the expiration or termination of the Main Agreement, except as set out in Section 4.6.
- 3.4. Sophos certifies it understands and will comply with the obligations set out in Section 3.3.
4. SOPHOS OBLIGATIONS
- 4.1. Cooperation. Taking into account the nature of the processing of Controller Personal Data, Sophos will provide the Customer (or, if the Customer is an MSP or OEM, the Controller) with reasonable assistance as necessary to: (i) respond to requests from data subjects exercising their rights under Applicable Data Protection Laws (including notifying Customer when in receipt of any such requests, provided that it shall not respond itself unless it has been authorised to do so by the Customer); (ii) conduct data protection impact assessments or other assessments required to be conducted by Applicable Data Protection Laws; and (iii) consult and cooperate with Supervisory Authorities as required under Applicable Data Protection Laws. Sophos reserves the right to charge for such assistance if the cost of assisting exceeds a nominal amount.
- 4.2. Third-Party Requests. Unless prohibited by law, Sophos shall notify the Customer of any privacy request, correspondence, enquiry or complaint it receives from a Supervisory Authority, judicial authority or law enforcement agency in connection with the processing of the Controller Personal Data (“Third-Party Request”), providing full details of the same. Sophos shall not directly respond to the Third-Party Request, except (1) on Customer’s written instructions or (2) as mandated by applicable laws.
- 4.3. Confidentiality. All Sophos personnel who process the Controller Personal Data shall be adequately trained with respect to their data protection, security and confidentiality obligations, and shall be subject to written or statutory obligations of confidentiality.
- 4.4. Security. Sophos will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to protect the Controller Personal Data against a Personal Data Breach. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons so as to ensure a level of security that is appropriate to the risk. In particular, the measures taken by Sophos shall include those described in Exhibit 2 of this DPA.
- 4.5. Personal Data Breach. Upon confirming the occurrence of any Personal Data Breach, Sophos shall inform the Customer without undue delay and shall provide all such timely information and cooperation as the Customer may reasonably require in order for the Customer (and, if the Customer is an MSP or OEM, its Controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Sophos shall further take measures and actions as are reasonably necessary to remedy or mitigate the effects of the Personal Data Breach and shall keep the Customer informed of developments in connection with the Personal Data Breach.
- 4.6. End of Services. At the end of the provision of the Services or upon written request from Customer, Sophos shall delete Controller Personal Data within a reasonable time following the end of the Services or the request, unless retention is otherwise required by applicable law or by a judicial or compliance requirement. If Sophos is required to retain any Controller Personal Data, Sophos shall take steps to ensure the continued confidentiality and security of the Controller Personal Data for so long as it is retained.
5. AUDIT RIGHTS OF THE CUSTOMER
- 5.1. The Customer acknowledges that Sophos is regularly audited against SSAE 18 SOC 2 standards by independent third-party auditors. Upon reasonable request, Sophos shall supply a copy of its SOC 2 audit report to the Customer, which report shall be subject to the confidentiality provisions of the Main Agreement as Sophos’ confidential information. Sophos shall also respond to reasonable written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once per year.
- 5.2. If in Customer’s reasonable opinion, the materials provided under Section 5.1 are insufficient to demonstrate Sophos’ compliance with this DPA, then Customer may request in writing that Sophos makes available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, by Customer or Customer’s independent third-party auditor, subject always to the following provisions:
- a. prior to requesting a review or audit pursuant to this Section 5.2, Customer will take into account the relevant Sophos third-party certifications and audits described under Section 5.1;
- b. Customer will give Sophos reasonable notice, at least 30 days in advance, of a request to conduct an audit or inspection under this Section 5.2, by providing the proposed scope, duration and start date of the audit;
- c. where a third-party auditor conducts the audit, such third-party auditor must be a reputable and well-established professional or firm, be subject to appropriate confidentiality obligations, and not be a competitor of Sophos;
- d. Customer will (and shall ensure that its auditors will) conduct such audit or inspection during Sophos’ normal business hours with minimal disruption to business activities;
- e. an audit or inspection will be conducted no more than once annually, except where required by a Supervisory Authority or Applicable Data Protection Laws;
- f. Customer (or its auditors, as the case may be) will have no access to other Sophos customers (or their information);
- g. except where the audit or inspection discloses a failure on the part of Sophos to comply with its material obligations under this DPA, Customer shall reimburse Sophos for reasonable costs and expenses incurred by Sophos, including any charges for the time expended by Sophos, its personnel and its professional advisors;
- h. Customer shall provide to Sophos a copy of any audit report generated in connection with an audit carried out under this Section 5.2, unless prohibited by applicable law;
- i. information learned from the audit or inspection must be treated as Sophos’ confidential information.
6. SUB-PROCESSORS
- 6.1. Sophos is generally authorised to use the Sub-Processors which are listed at https://www.sophos.com/en-us/legal/sub-processor (“Sub-Processor List”), as well as Sophos Affiliates. Sophos may engage additional Sub-Processors (each a “New Sub-Processor”) subject to the terms set forth in this Section 6.
- 6.2. Sophos will notify Customer of any intended addition of New Sub-Processors by posting details of such addition to the Sub-Processor List and by emailing Customer.
- 6.3. If the Customer does not object in writing to Sophos’s appointment of a New Sub-Processor (on reasonable grounds relating to the protection of Controller Personal Data) within 30 days of such notification, the Customer will be deemed to have consented to that New Sub-Processor. If the Customer objects, the parties shall use reasonable endeavours to agree alternative arrangements within the following thirty (30) days. If the parties are unable to agree within said timeframe, the Customer may elect to terminate the part of the Services affected by the New Sub-Processor upon providing thirty (30) days written notice to Sophos and Sophos shall authorize a pro rata refund or credit of any prepaid fees for the period remaining after the termination.
- 6.4. Sophos will impose data protection requirements on Sub-Processors that are substantially equivalent to the requirements provided for by this DPA. Sophos will remain fully liable for the performance of each Sub-Processor’s obligations.
- 6.5. Where the engagement of Sub-Processors requires a Restricted Transfer of Controller Personal Data, Sophos will implement and maintain appropriate transfer mechanisms to ensure compliance with Applicable Data Protection Laws.
7. INTERNATIONAL DATA TRANSFERS
- 7.1. Certain products enable the Customer to select where to host the Controller Personal Data for such products, including in data centres that may be located outside of the jurisdiction in which the data originates. Those locations may include (a) the European Economic Area, (b) the United Kingdom, (c) the United States of America, or (d) another location as may be specified in the Main Agreement (“Central Storage Location”). For these products, the selection is made by the Customer at the point of product installation, account creation, or first use of the relevant product. Once selected by the Customer, the Central Storage Location cannot be varied at a later date.
- 7.2. The Customer hereby agrees that, regardless of the selected Central Storage Location (if relevant), Sophos may transfer Controller Personal Data internationally, subject to compliance with Applicable Data Protection Laws and the provisions of this DPA. Where the transfer is a Restricted Transfer, Sophos will implement and maintain appropriate transfer mechanisms, such as Standard Contractual Clauses, to ensure compliance with European Data Protection Law.
- 7.3. To the extent that any Restricted Transfers take place from the Customer to Sophos:
- 7.3.1. The Standard Contractual Clauses are expressly incorporated herein by reference and form a part of this DPA; and
- 7.3.2. For the purposes of the Standard Contractual Clauses:
- 7.3.2.1. With respect to the Controller Personal Data, Customer is the data exporter and Sophos is the data importer and a Processor.
- 7.3.2.2. Where Customer is the Controller, Module 2 of the Standard Contractual Clauses shall apply, subject to the terms of Exhibit 3. Where Customer is a Processor acting on behalf of the Controller, Module 3 of the Standard Contractual Clauses shall apply, subject to the terms of Exhibit 3.
- 7.3.2.3. The parties’ signature and dating of the Main Agreement is deemed to be signature and dating of the Standard Contractual Clauses.
8. DURATION
- 8.1. This DPA commences upon (a) execution by both parties of the Main Agreement or (b) the date on which the Main Agreement becomes effective, if later, and continues until the earlier of: (i) the expiry of the Customer’s entitlement to use and receive the Services, as noted in the Main Agreement or on any associated license entitlement; and (ii) the termination of the Main Agreement.
9. OTHER REGULATIONS
- 9.1. Any amendment of this DPA is valid only if in writing and signed by or on behalf of each party.
- 9.2. In no event shall Sophos' liability to the Customer in connection with any issue arising out of, or in connection with, this DPA exceed Sophos' limitations on liability set out in the Main Agreement. Sophos' limitations on liability as set out in the Main Agreement shall apply in aggregate across both the Main Agreement and this DPA, such that a single limitation on liability regime shall apply across both the Main Agreement and this DPA.
- 9.3. This DPA (excluding the SCCs) shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of laws principles. To the extent permitted by applicable law, the courts of England shall have exclusive jurisdiction to determine any dispute or claim that may arise out of, under, or in connection with this DPA.
- 9.4. The Main Agreement, this DPA and the documents expressly referenced in the Main Agreement and this DPA shall constitute the entire agreement between the parties in relation to Personal Data collected, processed and used by Sophos in connection with the Main Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
- 9.5. To the extent of any conflict with the terms of this DPA and the terms of any SCCs entered into by the parties, the terms of the applicable SCCs (including any Annexes thereto), shall take precedence.
10. CHANGES IN LAW
- 10.1. If any amendment to this DPA is required as a result of a change in Applicable Data Protection Laws, then either party may provide written notice to the other party of such change. The parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes. The parties will not unreasonably withhold consent or approval to amend this DPA pursuant to this Section 10 or otherwise.
LIST OF EXHIBITS
Exhibit 1: DETAILS OF PROCESSING
Exhibit 2: TECHNICAL AND ORGANISATIONAL MEASURES
Exhibit 3: ADDITIONAL TERMS FOR RESTRICTED TRANSFERS
Attachment (to Exhibit 3): Appendix to the SCCs (Module 2/Module 3): Controller-to-Processor / Processor-to-Processor
Exhibit 1
DESCRIPTION OF PROCESSING
This Exhibit 1 describes the processing that Sophos will perform as a processor on behalf of the Customer.
(a) Subject matter of the processing
Sophos provides Services that are designed to detect, prevent, and manage, or assist Sophos to detect, prevent, and manage security threats within or against systems, networks, devices, files, and other data made available by the Customer. The content of any information held in these systems, networks, devices, files and other data is determined solely by the Customer.
(b) Nature and purpose of the processing operations
- Providing the Services under and pursuant to the Main Agreement.
- The Controller Personal Data will be subject to the following basic processing activities: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data in the course of providing the Services, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(c) Duration of the processing operations:
The Controller Personal Data will be processed for the duration of the Main Agreement and in accordance with the provisions of this DPA.
(d) Data subjects
The Controller Personal Data concern the following categories of data subjects:
- Personnel and end users of Controller
- Other Data Subjects whose Personal Data is processed on behalf of Controller related to the Services
(e) Types of personal data
The Controller Personal Data concern the following categories of data:
- Usernames and other identifiers
- Network and network activity information
- Other information that may be transmitted or processed in connection with the Services
(f) Special categories of data (if appropriate)
The Controller Personal Data concern the following special categories of data:
The content of any information held in Sophos systems, networks, devices, files and other data is determined solely by the Customer. Unless otherwise specified, Sophos’ Services are not designed to process special categories of data.
Exhibit 2
TECHNICAL AND ORGANISATIONAL MEASURES
This information security overview applies to Sophos corporate controls for safeguarding Controller Personal Data.
Security Practices and Policies
Sophos agrees to implement physical, technical, administrative or organizational safeguards that relate to the protection of Controller Personal Data against accidental or unlawful destruction, loss, access to or alteration of Controller Personal Data in Sophos’ possession or control. Sophos shall maintain policies and standards for the protection of Controller Personal Data that originate from industry standard frameworks and establish uniform security and privacy standards for Sophos’ operations.
Organizational Security
It is the responsibility of the individuals across the organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, the function of information security provides:
- Strategy and compliance with policies/standards and regulations, awareness and education, risk assessments and management, contract security requirements management, application and infrastructure consulting, assurance testing and drives the security direction of the company;
- Security testing, design and implementation of security solutions to enable security controls adoption across the environment;
- Security operations of implemented security solutions, the environment and assets, and management of incident response activities.
Personnel Security
As part of the employment process and subject to local law, employees undergo a screening process at hire. Sophos’ annual compliance training includes a requirement for employees to complete an online course covering information security and data protection. The security awareness program may also provide materials specific to certain job functions.
Physical and Environmental Security
Sophos takes precautions to ensure that all systems hosting Controller Personal Data are maintained in a physically secure environment to prevent unauthorized physical access, and that access restrictions at physical locations containing Controller Personal Data, such as buildings, computer facilities, and records storage facilities, are designed and implemented to permit access only to authorized individuals, and to detect any unauthorized access that may occur, including without limitation badge access controls, access restrictions to sensitive areas, facility alarms as well as visitor registration and logs.
Communications and Operations Management
Sophos manages changes to its infrastructure, systems and applications through a formal change management program designed to ensure the integrity and security of Controller Personal Data. Controls include testing, business impact analysis and management approval where appropriate. Incident response procedures exist for security and data protection incidents which may include incident analysis, containment, response, remediation, reporting and the return to normal operations.
To protect against cybersecurity attacks, additional controls may be implemented based on risk. Such controls may include, but are not limited to, information security policies and standards, restricted access, multifactor authentication, designated development and test environments, malware detection, email and web traffic scanning, managed detection and response, logging and alerting on key events, information handling procedures based on data type, as well as system and application vulnerability scanning.
Access Controls
Sophos maintains appropriate security measures and procedures to ensure that access to all systems hosting Controller Personal Data is protected through the use of access control systems that uniquely identify each individual requiring access, grant access only to authorized individuals and based on the principle of least privilege, prevent unauthorized persons from gaining access to Controller Personal Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events.
Subcontractor Controls
Sophos shall be responsible for ensuring that its subcontractors who process Controller Personal Data maintain data security programs which are at least as stringent as Sophos’ own programs with respect to the applicable service to which such subcontractor has been engaged, and in accordance with generally accepted industry standards and practices. Sophos shall maintain a risk management program focused on the identification, evaluation, and validation of a vendor’s security controls.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in the Sophos environment. Based on risk to Sophos’ business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications as well as the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
Compliance
The information security, legal, privacy and compliance departments work to identify regional laws and regulations applicable to Sophos. These requirements cover areas such as, intellectual property of the company and our customers, software licenses, protection of employee and customer personal data, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements. Mechanisms such as the information security program, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.
Exhibit 3
ADDITIONAL TERMS FOR RESTRICTED TRANSFERS
This Exhibit 3 includes additional terms applicable to Restricted Transfers, as well as the information necessary to complete the Appendices (Annexes I – III) to the applicable Standard Contractual Clauses.
- Where Customer is a Controller with respect to the Controller Personal Data, Module 2 of the Standard Contractual Clauses shall apply, subject to the terms of this Exhibit 3.
- Where Customer is a Processor acting on behalf of a Controller with respect to the Controller Personal Data, Module 3 of the SCCs shall apply, subject to the terms of this Exhibit 3.
- For the purposes of the EU SCCs:
- 3.1. Clause 7: the optional docking clause shall not apply;
- 3.2. Clause 9(a): option 2 (General Authorisation) shall apply and the data importer shall notify the data exporter in writing at least 30 days in advance of any intended changes.
- 3.3. Clause 11: the optional language shall not apply.
- 3.4. Clause 17: the EU SCCs shall be governed by the laws of the Republic of Ireland;
- 3.5. Clause 18: disputes will be resolved before the courts of the Republic of Ireland;
- 3.6. The Appendix to the EU SCCs shall be populated with the information in the Attachment to this Exhibit 3.
- For the purposes of the UK Addendum, the following shall apply:
- 4.1. The details of the Parties relevant for Table 1 is as set out in Annex I of the Attachment to this Exhibit 3;
- 4.2. For the purposes of Table 2, the UK Addendum shall be appended to the EU SCCs with the same options and timescales noted above;
- 4.3. The appendix information listed in Table 3 shall be populated with the information in Annex I and Annex II of the Attachment to this Exhibit 3.
- For the purposes of the Swiss SCCs, the EU SCCs shall apply as follows:
- 5.1. Any references in the EU SCCs to GDPR shall be interpreted as references to the Swiss DPA;
- 5.2. References to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be;
- 5.3. References to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDPIC and the competent courts in Switzerland;
- 5.4. The relevant Annexes of the Swiss SCCs shall be populated with the information in the Attachment to this Exhibit 3.
Attachment to Exhibit 3
APPENDIX TO THE SCCS
MODULE 2 or MODULE 3 (as applicable)
ANNEX I
A. LIST OF PARTIES
Data exporter(s)
- Name: As provided to Sophos under the Main Agreement
- Address: As provided to Sophos under the Main Agreement
- Other information needed to identify the Organisation: As provided to Sophos under the Main Agreement
- Contact person’s Name, Position and Contact details: As provided to Sophos under the Main Agreement
- Activities relevant to the data transferred under these SCCs: The purchase of Products as set out in the Main Agreement
- Role: Controller (when Customer is the End User) or Processor (when Customer is an MSP or OEM)
- Data Exporter Signature and Date: Date and signature as set out in the Main Agreement
Data importer(s)
- Name: Sophos Limited
- Address: The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
- Other information needed to identify the Organisation: As defined in the Main Agreement
- Contact person’s Name, Position and Contact details: Privacy Counsel
- Activities relevant to the data transferred under these SCCs: The provision of Products as set out in the Main Agreement
- Role: Processor
- Data Importer Signature and Date: Date and signature as set out in the Main Agreement
B. DESCRIPTION OF TRANSFER
- 1.1. Categories of data subjects whose personal data is transferred: As set out in Exhibit 1.
- 1.2. Categories of personal data transferred: As set out in Exhibit 1.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As set out in Exhibit 1. If any sensitive data is transferred, see Exhibit 2 for any applied restrictions.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous.
Nature of the processing
- As set out in Exhibit 1.
Purpose(s) of the data transfer and further processing
- As set out in Exhibit 1.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- As set out in Exhibit 1.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- As set out in Exhibit 1.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is the supervisory authority of the Member State where the data exporter is established or as otherwise determined in accordance with GDPR.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
As set out in Exhibit 2 to the DPA.
ANNEX III – LIST OF SUB-PROCESSORS
Not applicable, as the parties have agreed on general authorisation for the use of Sub-Processors.