Last Updated: April 30, 2024
Data Processing Agreement
This Data Processing Agreement (hereinafter referred to as "this DPA") constitutes a part of the End User License Agreement that you enter into with Sangfor when using a Sangfor Product, and applies to the processing of data during your use of the Product. You authorize Sangfor to process related data for the purpose of using the related Product. By confirming acceptance of this DPA, you acknowledge that you have granted the authorization to Sangfor. Terms not defined in this DPA shall have the meanings ascribed to them in the End User License Agreement.
1. Authorized Processing of Data
1.1 Purpose
To provide you with quality Products based on your requirements for network and assets security maintenance and internal organizational management, Sangfor needs to strive to develop Product features, and maintain the secure and stable operation of the Product during your use. For this purpose, you must authorize Sangfor to process certain necessary data. Sangfor processes related data according to your authorization, this DPA, and the written instructions in other related agreements. In particular, the Product configurations and other operations performed by you or your authorized IT administrator or other personnel are deemed as a form of written instructions.
1.2 Valid Authorization
1.2.1 You shall ensure that you have the full authority to grant the authorization specified herein to Sangfor, and that the sources and content of all User Data you authorize Sangfor to process are legal, true, and valid. Sangfor will provide the required Product to you based on the reasonable reliance upon you after you execute this DPA by checking the box confirming acceptance of this DPA, and will fulfill the obligation to protect the User Data in strict accordance with applicable laws and regulations as well as this DPA.
1.2.2 In particular, the User shall obtain the explicit consent of the Personal Information subjects involved in the User Data that Sangfor is authorized to process, except the Personal Information of the User who operates and uses the Product, for which the User has granted the authorization to Sangfor when executing this DPA by checking the box confirming acceptance of this DPA, in a manner that complies with the laws and regulations regarding the protection of Personal Information, and then authorize Sangfor to process such Personal Information. In particular, if you are an Authenticated User, you shall ensure that you have obtained the full consent of the related individuals of the Entity User before sharing their Personal Information with Sangfor.
1.3 Statement on Authorized Processing
1.3.1 Basis of Authorized Processing
Sangfor will process User Data only within the scope of authorization granted by you in accordance with the End User License Agreement, purchase and sales contract, non-disclosure agreement, and other Product-related documents signed with you. If Sangfor needs to process the User Data beyond the purpose or type of your authorization, Sangfor will reach an agreement with you by updating this DPA or otherwise.
1.3.2 Storage of User Data
1.3.2.1 The data that Sangfor is authorized to process within the territory of the People's Republic of China (hereinafter referred to as "China") will be stored on servers within the territory of China, and will be retained for a period specified by applicable laws or agreed upon with the User (which shall meet the requirement for providing the Products or services to the User). If Sangfor needs to transfer related data that we are authorized to process within the territory of China to an overseas entity for the purpose of conducting cross-border business, Sangfor will separately seek your consent by updating this DPA or through the notification or contact information specified in the End User License Agreement, and protect the data security in accordance with applicable laws, regulations, and the requirements of the competent regulatory authorities.
1.3.2.2 Unless otherwise provided by laws and regulations, after you cancel your Product account, Sangfor will cease the provision of related Product features or services to you, and retain the User Data for the minimum retention period required by laws and regulations or a longer period agreed upon with you. Upon expiration of the statutory or agreed retention period, Sangfor will no longer store the User Data or will desensitize the User Data.
2. Sub-processing
2.1 You agree that Sangfor may authorize all or part of the processing activities to our affiliates or third-party partners within the scope of authorization hereunder. Sangfor will separately enter into relevant agreements with the authorized affiliates or third parties, to ensure that they provide at least the same level of protection for User Data as that provided for in this DPA.
2.2 Sangfor will, upon written request, make available to you a list of the affiliates or third parties authorized with the processing of the User Data involved in the use of the current Product. In the event of any newly authorized affiliate or third party, Sangfor will immediately seek your consent by updating this DPA or the relevant data description. By clicking Agree, Confirm, or any other button with the similar meaning, or by continuing to use the Product, you are deemed to have granted your consent thereto.
3. User Data Management
3.1 Management of Local User Data: You shall manage the locally stored User Data, and be responsible for ensuring that the data management complies with applicable laws, regulations, and policies, and meets your requirements for the Product features and related services.
3.2 Management of User Data Sangfor Is Authorized to Process: Sangfor has the authority to process data that you authorize Sangfor to process within the scope of authorization, and you still have the rights to access, correct, delete, withdraw authorization for, and obtain a copy of, the data. You understand and accept that, if you want to independently manage the data that you have authorized Sangfor to process, you may need to follow certain procedures (such as identity authentication), or it may take a reasonable time period for you to achieve the management purpose, and this will not affect the validity of the data processing activities previously carried out by Sangfor based on your authorization. Based on the foregoing purpose of authorized processing of data, your exercise of the above data management right may lead to Sangfor's inability to continuously provide the related Product features or services to you, and Sangfor shall not be liable for the inconvenience caused to your use of Products or services or your loss arising from your exercise of the data management right.
3.3 Data Backup: You shall back up the data relating to your use of the related Product based on your own requirements. Though Sangfor will retain logs and other necessary data in the process of providing Product features or related services to you, Sangfor will only retain such data in accordance with applicable local laws and regulations or your authorization and based on the principle of data minimization, and shall not assume any responsibility for the User Data backup or the result thereof. If you need assistance from Sangfor in exporting or querying or retrieving related data, subject to applicable laws, Sangfor has the right to require you to bear the cost for data processing and maintenance, unless you have reached a special agreement with Sangfor on data backup or related processing.
3.4 Data Export or Deletion Settings: The Products that Sangfor provides to you process data according to your use requirements and the specific Product configurations, and display the processing result through the management console or the large screen page. You can export and back up the data collected and processed by Sangfor Products to a local device or other designated location or directory based on your own requirements, or apply to Sangfor for a customized interface for connection to a third-party product, system or platform so as to transmit the data. In such case, you shall ensure that the space for receiving data can meet the data transmission requirements, and shall confirm that the local backup space or the third-party product or service can guarantee the security of the received data. You may also set data deletion mechanisms based on the size of your storage space available and other actual situations. Sangfor would like to point out that, as a network operator, you are obliged to comply with the requirements of cybersecurity laws and regulations on retaining necessary network logs and effectively guaranteeing the operational security of the data and information systems, and to effectively control the permissions of the personnel who perform data-related operations; and you shall bear the cost for exporting or deleting the data processed by means of Sangfor Products based on your own requirements and all responsibilities and consequences that may arise therefrom.
3.5 Personal Information Protection
3.5.1 You understand and agree that, the legitimate rights and interests in the Personal Information of Chinese citizens, as well as the computers or electronic data and other assets owned by individuals are protected by law, so you shall warrant that any processing of the Personal Information or assets of related individuals involved in your use of a Product or service provided by Sangfor does not infringe the legitimate personal and property rights and interests of the individual subjects.
3.5.2 Requests from Personal Information Subjects: You shall make available an effective feedback channel to the Personal Information subjects involved in the processing activities. When a Personal Information subject gives dissent to the processing of their Personal Information, you shall ensure to promptly and properly handle it, so as to effectively protect their legitimate rights and interests in Personal Information. If Sangfor or our authorized third party receives a request for the exercise of the right or other data-related requests from a Personal Information subject, Sangfor will immediately transfer the request to you and will use our best efforts to give you the necessary assistance.
3.5.3 You warrant that you will use the Personal Information that Sangfor shares with you in an adequately rigorous attitude and in a legal and compliant manner, and will not use it for any purpose that may damage the legitimate rights and interests of the individual subjects. You shall bear the consequences arising from the violation of applicable laws or infringement upon the legitimate rights and interests of the individual subjects due to your breach of the foregoing warranty, and you shall indemnify Sangfor for all losses arising therefrom.
4. User Data Security Protection
4.1 You shall take security measures for data that you process and manage on your own in accordance with applicable data protection laws and regulations. Especially for Personal Information, you shall effectively take, and explicitly inform the Personal Information subjects involved of, the measures and mechanisms for Personal Information protection, including but not limited to encrypting or desensitizing the Personal Information and strictly controlling access to the Personal Information, so as to effectively protect the legitimate rights and interests of the Personal Information subjects.
4.2 Sangfor undertakes to fulfill the security obligation for the User Data that we are authorized to process in accordance with applicable laws and regulations. We use various technical security measures, such as data encryption, intrusion prevention, and anti-virus measures, to protect such User Data against unauthorized access, use, disclosure, abuse, or destruction; establish internal security management systems and work processes to strictly control access to such User Data; and regularly perform data security risk assessments and promptly handle related risks, so as to continuously improve our ability to protect the security of User Data.
5. Disclaimers
5.1 Liability for Your Data Processing
5.1.1 Management of Local User Data: Certain User Data generated during your use of a Sangfor Product that Sangfor is not authorized to process will be stored in your local server or the local device, and you shall manage and bear the full liability for such data pursuant to Section 3.1 hereof.
5.1.2 Products Not for Official Sale: If you use a Sangfor Product within a certain time period by means of borrowing, leasing, testing, or otherwise, you shall return the related device to Sangfor or our authorized distributor upon expiration of the use period. You shall be responsible for deleting the User Data contained in such device before returning the device. Otherwise, Sangfor shall not be liable for any damages arising out of the leakage or destruction of related data.
5.2 Limited Liability for User Data Security Protection
5.2.1 Sangfor undertakes to use our best efforts to take reasonable measures to protect the security of the User Data that we are authorized to process. However, you understand and accept that any security measures are not completely reliable, and Sangfor will sincerely cooperate with you to jointly ensure data security. In the event of any User Data leakage, loss, destruction, or other security incident arising out of hacking, intrusion of computer viruses, or force majeure, you understand that Sangfor shall not bear any direct or indirect loss or liability arising therefrom.
5.2.2 In the event of any User Data leakage, loss, destruction, or other security incident arising out of your disclosure of the Product account and password to a third party, or delivery of the Product or service account to a third party for management through online authorization or change of configurations, or your breach of other relevant provisions in this DPA or the End User License Agreement, or other reasons attributable to you, Sangfor shall not bear any direct or indirect loss or liability arising therefrom.
5.3 Exceptions
Sangfor may need to collect, disclose, or use related User Data beyond the scope of authorization hereunder for the purpose of performing the obligations specified by laws, regulations, or policies, or implementing relevant management requirements of the competent regulatory authority, or fulfilling other agreements reached with you, or for other necessary purposes. Under such exceptions, you agree to exempt Sangfor from the liability for breach of contract or damages:
5.3.1 It is for the purpose of performing the obligations directly related to national security, national defense, public security, public health, or other major public interests.
5.3.2 It is for the purpose of performing the obligations directly related to criminal investigation, prosecution, trial, or judgment execution.
5.3.3 It is for the purpose of safeguarding the life, property, or other significant legitimate rights and interests of you or other individuals while it is difficult to obtain your consent.
5.3.4 It is necessary to maintain the operational security and stability of Sangfor Products or services, such as discovering and handling the vulnerability or failure of our Products or services.
5.3.5 You have voluntarily disclosed the related data or information to the public.
5.3.6 The related data or information is collected from the information disclosed through legitimate public channels, such as lawful news reports or information disclosure by governments.
6. Data Content
6.1 Basic Information of the Product: In order to meet Customer's demand for unified security access to internal and external resources, Sangfor aTrust, combined with the aTrust security Proxy Gateway, supports integration with a unified identity authentication platform and provides fine-grained ACL access control based on identity authentication. It also supports the integration of external security capabilities to assess the credibility of identity, endpoints, behaviors, and other aspects and to automatically block threats. In order to provide Sangfor aTrust functionality, Customer can determine the specific range of endpoints to be controlled according to Customer's actual situation, and complete the corresponding configuration independently in the management console.
6.2 Based on the above basic information, the details of data processed in connection with your use of Sangfor aTrust are as follows:
6.2.1 User Data that is authorized and transferred to Sangfor for processing:
6.2.1.1 Data attributable to Customer
① Device software and hardware version and license information, such as version number, serial number, gateway ID, hardware model, etc.
② Device configuration information, such as port open status (including port number), function open status, egress and access IP, etc.
③ Device operation information, such as operation status information (CPU utilization, memory utilization, disk utilization), device status (cluster status information, Manager and Proxy Gateway interfacing status), SSH (exception) account list, process exception information (bt/core file, kernel crash dump file, etc.), device key service operation, device key service dump status, installed/to-be-installed patches list, device file fingerprint information, etc.
④ Device file scan results, such as suspicious files (file path, file MD5, file size, file creation, modification and access time), suspicious software information (suspicious system commands, suspicious system environment variable names, suspicious kernel modules, suspicious process names), etc.
⑤ Device log information, such as system security audit logs (shell operation logs, SSH logs, dmesg logs, secure logs), WAF logs, service logs, etc.
6.2.1.2 Other data that may contain personal information
① For the purpose of the product function implementation, product capability upgrade and security maintenance, as well as the need to contact Customer in the event of an emergency during your use of Sangfor aTrust, Customer's authorized administrators can submit and authorize Sangfor to process their name, contact phone number and email address information.
② In order to provide maintenance and troubleshooting service for Sangfor aTrust, aTrust Client will collect the following information from the endpoint and transfer it to Sangfor servers directly: information related to the abnormal operation of the Sangfor aTrust client program installed on the endpoint, such as stack commands, failure exception codes, fault problem categories, abnormal function names, etc.
6.2.2 Information processed by Customer
The data that Customer processes locally when using Sangfor aTrust includes data collected through the application installed on the endpoint, related business data carried by Sangfor aTrust, and other data such as logs generated during the use of Sangfor aTrust, which can be viewed and managed by Customer through its local server or database. The personal data that may be involved is as follows:
6.2.2.1 Basic information about the endpoint, including computer name, operating system information (including system version information, system network configuration, process list information, system service list), browser version information, IP address, device MAC address, CPU model and other basic information.
6.2.2.2 Information about Sangfor aTrust client program, including version, configuration and logging information.
6.2.2.3 Information related to the operation of endpoints, including whether specified antivirus software is running, whether specified software is installed, whether specified processes are running, whether specified files exist, whether the system firewall is enabled, etc. If you configure the running process log collection function on the management side, the information of application usage on the endpoints within the scope of control will be collected for all or part of the time period (including the name of the application used, the time of use, and the domain name/IP address accessed through the application). You acknowledge and agree that you shall only collect and process the relevant log data for the purpose of dealing with the abnormal operation of endpoint client programs, and you shall protect the legitimate rights and interests of personal data of the End Users.
6.2.2.4 Workspace audit information. If Customer configures to enable the audit function for the workspace of the authenticated End Users, Sangfor aTrust will collect and process the names of processes performing copy/import/export operations, the names of exported/imported files, file sizes, file MD5 values, and the contents of copied text on the endpoint. Customer can also configure to audit the operational behavior of specified internal sensitive business systems by means of screen-recording, and the information contained in the screen-recording audit logs may vary depending on the type of business system that Customer has configured in the audit scope.
For the above data processed locally by Customer when using Sangfor aTrust, Sangfor will not access or interfere with your own management by any means without your authorization.
6.2.3 Information that may be transmitted to third parties
If Customer uses Sangfor aTrust APP in conjunction with Sangfor aTrust, based on the operation of the message-push SDK provided by the third party and embedded in the Sangfor aTrust APP, Sangfor aTrust needs to first transfer the content of the pushed messages to the server where the third-party provider deploys the SDK before further pushing to the corresponding mobile devices through the built-in SDK of the Sangfor aTrust APP. Customer acknowledges and agrees that, when using Sangfor aTrust APP, the message push content set according to their usage needs will be transmitted to the SDK provider for processing. The details of data processing when using the third parties' SDK are prescribed in the privacy policy of Sangfor aTrust APP, which can be obtained in the login interface of Sangfor aTrust APP.
7. Language
This DPA is prepared and executed in Chinese. The English version is provided for reference only. In the event of any inconsistency between the English version and Chinese version, the Chinese version shall prevail.