Last Updated: April 30, 2024
DATA PROCESSING AGREEMENT
This Data Processing Agreement, including its Annexes ("DPA"), is incorporated into and forms part of the Agreement between Customer (and, if applicable, Customer's Affiliates) and Sangfor, and contains the legal terms and conditions that apply to the processing of Personal Data by any of the Product. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
1. DEFINITIONS
1.1 "Agreement" means Sangfor's End User License Agreement, unless a separate agreement governing the use of the Product exists between the parties.
1.2 "Data Protection Laws" means data protection laws applicable to Sangfor in its processing of Personal Data under this DPA.
1.3 "End User Data" means data that may be accessed or collected by the Product during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Product. End User Data may include confidential data and Personal Data, such as source and destination IP addresses, active directory information, file applications, URLs, file names, and file content.
1.4 "Personal Data" means any information Processed during the provision of a Product that i) relates to an identified or identifiable natural person; or ii) is defined as "personally identifiable information", "personal information", "personal data" or similar terms, as such terms are defined under Data Protection Laws, including as may be used in this DPA.
1.5 "Security Incident" means any unauthorized access to any End User Data stored on Sangfor's equipment or in Sangfor's facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of End User Data that compromises the privacy, security or confidentiality of such End User Data.
1.6 "Controller" means an entity that determines the purposes and means of the processing of End User Data.
1.7 "Processor" means an entity that processes End User Data on behalf of a Controller.
1.8 "Sub-processor" means any entity engaged by Sangfor to assist in fulfilling its obligations with respect to providing the Product pursuant to the Agreement or this DPA, insofar as such an entity processes Personal Data on behalf of Sangfor.
2. PROCESSING OF END USER DATA
In order to provide and operate the Product to Customer and for Sangfor's legitimate interest of operating, providing, maintaining, developing, and improving security technologies and services, Customer acknowledges, agrees and grants Sangfor the right to process and retain End User Data, including Personal Data, that is shared or transferred by Customer. Based on the actual use scenarios, such consents and grants may be obtained through clicking "agreed" or "accepted" online by the End User or authorized third parties of Customer, or Non-authenticated User.
3. PROCESSING OF PERSONAL DATA
3.1 Role of the Parties. As between Sangfor and Customer, Sangfor will process Personal Data under the Agreement and this DPA only as a Processor acting on behalf of Customer. Customer may act either as a Controller or as a Processor with respect to Personal Data.
3.2 Customer's Processing of Personal Data. Customer shall i) comply, and continue to comply, with all applicable laws, including Data Protection Laws, in respect of its use of the Product; ii) ensure that any instructions provided to Sangfor are at all times in accordance with Data Protection Laws; iii) process all Personal Data in accordance with Data Protection Laws and obtain all consents and rights necessary for the Processing of Personal Data; iv) maintain at all times the accuracy, quality, and legality of Personal Data; v) provide to Sangfor the minimum amount of Personal Data necessary for the provision of the Product; and vi) in particular, where the Product is provided as SaaS, forward its web traffic or internal traffic to Sangfor via valid forwarding mechanisms that allow for automatic failover.
3.3 Sangfor's Processing of Personal Data. Except as otherwise stated in this DPA or the Agreement, Sangfor will only Process Personal Data in accordance with Customer's documented instructions, the applicable Product privacy documentation, Data Protection Laws, and this DPA. Customer agrees that this DPA and the Agreement are its complete and final instructions to Sangfor in relation to the processing of Personal Data. Processing any Personal Data outside the scope of these instructions (if any) will require prior written agreement between the parties by way of a written amendment to this DPA. Sangfor shall immediately inform Customer if, in its opinion, any of the instructions violates applicable Data Protection Laws.
3.4 Details of Sangfor's Data Processing
3.4.1 Subject Matter: The subject matter of the Processing under this DPA is the Personal Data.
3.4.2 Duration: Sangfor may process Personal Data under this DPA until the termination or expiration of the Agreement, or until it ceases processing Personal Data under the Customer's instructions.
3.4.3 Purpose: The purpose of the Processing of Personal Data under this DPA is to enable Sangfor to deliver the Product and perform its obligations as set forth in the Agreement (including this DPA) or as otherwise agreed by the parties in mutually executed written form.
3.4.4 Nature of the Processing: To provide Product as described in the Agreement, Sangfor will process Personal Data upon the instruction of Customer and in accordance with the terms of this DPA and the Agreement.
3.4.5 Categories of Data Subjects: Customer determines the categories and extent of any Personal Data that Customer or End User discloses to Sangfor, which may include without limitation Personal Data relating to the following categories of data subjects: i) employees, contractors, consultants, and individuals belonging to Customer's, or Customer's clients' and partners', workforce; or ii) other individuals whose Personal Data is Processed as part of the provision of the Product.
3.4.6 Categories of Personal Data: Customer determines the categories of any Personal Data that it discloses to Sangfor, which may include without limitation Personal Data relating to the following categories:
i) Identification and contact data (e.g., name, address, phone number, title, email, other contact details);
ii) Employment details (e.g., job title, role, manager);
iii) IT information (e.g., entitlements, IP addresses and ports, username, usage data, cookies data, online identifiers);
iv) Domain and device information (e.g., MAC address, host names, International Mobile Subscriber Identity (IMSI), and qualified host names);
v) Information contained in logs related to security events identified and captured by Products; and/or
vi) Unstructured data provided to Sangfor for the purpose of providing support services (e.g., packet capture for file testing).
3.4.7 Sensitive Data Transferred (if applicable): When Processing Personal Data, Sangfor may process sensitive Personal Data. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
3.4.8 Frequency: The transfer of information between the parties to facilitate Sangfor's processing on behalf of Customer will occur as needed until the termination of the Agreement.
3.4.9 Retention and Deletion: Sangfor shall process and retain Personal Data no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, Sangfor shall: i) delete Personal Data that is no longer necessary for any of the purposes under this DPA or the Agreement; or ii) upon Customer's request, provide options to return or erase, destroy, and render unrecoverable the Personal Data, where reasonably possible.
4. SUB-PROCESSORS
As part of the provision of a Product, Sangfor may engage Sub-processors identified in the applicable Product documentation for the relevant Product to process the Personal Data on its behalf. Customer consents to Sangfor engaging Sub-processors to process Personal Data under this DPA and the Agreement. In the event Sangfor engages any new sub-processor, Sangfor will:
4.1 Update its Sub-processor list on a regular basis and provide it to Customer upon written request by Customer. If Customer objects to a new Sub-processor, Sangfor will endeavor to offer alternate options for the delivery of the relevant Product that do not involve the new Sub-processor, without prejudice to any of Customer's termination rights;
4.2 Enter into an agreement with each Sub-processor that imposes data protection terms as stringent as those set forth in this DPA; and
4.3 Remain responsible for the Sub-processor's compliance with this DPA and for any acts or omissions of the Sub-processor that cause Sangfor to breach any of its obligations under this DPA.
5. SECURITY
5.1 Safeguarding Confidentiality and Security of Personal Data. Sangfor will implement practices and maintain appropriate technical and organizational security measures to protect against Personal Data Incidents and to preserve the security and confidentiality of Personal Data processed by Sangfor on behalf of Customer in the provision of the Product. The security measures are subject to technical progress and development. Sangfor may update or modify the security measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Product purchased by the Customer.
5.2 Customer's Responsibilities. Customer is responsible for i) secure and appropriate use and configuration of the Product, including making appropriate use of the Product to ensure a level of security appropriate to the risk in respect of the Personal Data; ii) reviewing the DPA and evaluating for itself whether the Product and Sangfor's commitments under this DPA will meet Customer's needs, including with respect to any obligations of Customer under Data Protection Laws as applicable.
5.3 Confidentiality of Processing. Sangfor shall ensure that any person who is authorized by Sangfor to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.4 Security Incident. Sangfor shall implement and maintain an incident response plan that specifies actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident. Upon confirming that a Security Incident has occurred, Sangfor shall within 72 hours: i) notify the Customer, taking into account the nature of Sangfor's processing of Personal Data and the information available to Sangfor; ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and iii) promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Sangfor shall reasonably cooperate with Customer in any post-Security Incident communication efforts.
6. COOPERATION
6.1 Data Subject Requests. Sangfor shall provide reasonable assistance to Customer to comply with its obligations with regard to data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to Sangfor. If Sangfor or any Sub-processor (if applicable) receives a request or a complaint from a data subject or its representative, including requests regarding the data subject's rights under applicable Data Protection Laws, Sangfor will forward the request without undue delay to Customer for handling unless Sangfor is required by law to address that request.
6.2 Government Request for Personal Data. If a law enforcement agency sends Sangfor a demand for Personal Data relating to a data subject, Sangfor will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Sangfor may provide Customer's contact information to the law enforcement agency. If compelled to disclose a data subject's Personal Data to a law enforcement agency, Sangfor will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedies, to the extent Sangfor is legally permitted to do so. Sangfor will only make an exception to its Customer notification commitments in emergency circumstances where notice could, in Sangfor's sole discretion, result in danger or harm to an individual or group.
6.3 If Sangfor is legally required to respond to a request enumerated in Sections 6.1 and 6.2, Sangfor will notify the Customer and provide it with the contact information of the requesting party unless legally prohibited from doing so by applicable law.
6.4 DPIAs and Prior Consultations. Taking into account the nature of the processing and information available to Sangfor, Sangfor shall provide reasonably requested information regarding the Product to enable the Customer to carry out data protection impact assessments ("DPIA"). Sangfor shall provide reasonable assistance to Customer in the cooperation or prior consultations with supervisory authorities or other competent regulatory authorities, which the Customer reasonably considers to be required by Data Protection Laws.
6.5 For all instances in this Section 6, should Sangfor determine in good faith that the request for assistance is unreasonable, overly burdensome, and outside of industry expectation for assistance with each respective matter, Sangfor and Customer agree to discuss in good faith a fee to be charged to Customer for the support provided outside of the reasonable level of support.
7. LIMITATION OF LIABILITY
The liability of each party and each party's Affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement and shall not be modified by this DPA. Any claims brought by a party or its Affiliates under this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the exclusions and limitations set forth in the Agreement.
8. GENERAL
8.1 Conflict of Terms. In the event of any conflict between the terms of this DPA and any privacy-related provisions in the Agreement, the terms of this DPA shall prevail.
8.2 Update to this DPA. Sangfor may modify the terms of this DPA as provided in the Agreement, in circumstances such as i) if required to do so by a supervisory authority or other government or regulatory entity, ii) if necessary to comply with Data Protection Law, or iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Data Protection Law. Sangfor will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on the Product's interface if not specified in the Agreement.
8.3 Language. This Agreement is prepared and executed in English. Any other language version (if applicable) of this Agreement is provided for reference only. In the event of any inconsistency between the English version and the other version, the English version shall prevail.
8.4 Contacting Sangfor. If Customer has any further question about this DPA, or has any request or query regarding End User Data, Customer can always contact Sangfor by e-mail: privacy@sangfor.com
Sangfor aTrust Annex
1. PURPOSE
The purpose of this document is to provide Customer with information on how Personal Data may be transferred to or processed by Sangfor.
2. PRODUCT SUMMARY
Sangfor aTrust is a zero-trust access control system designed around the concept of zero trust. Sangfor aTrust places identity at the center and redefines the security boundary by identity. It realizes trusted access through network stealth and dynamic business access, intelligent privileges through dynamic privilege control and privilege baseline tools, and simple operation and maintenance through client-free access and privilege application self-service. Sangfor aTrust builds a more secure security solution with a better user experience for customers.
3. INFORMATION PROCESSED BY SANGFOR
3.1 In order to provide and maintain Sangfor aTrust, Customer authorizes Sangfor to process the following information:
3.1.1 To understand the basic condition of the Sangfor aTrust device and conduct relevant operation and maintenance, the following basic information about the device will be processed by Sangfor: device version information (software and hardware version), license information (such as licensee name, license date, license status, license type, license version, expiration time, authorized user number, etc.), gateway ID, device type, device deployment type, hardware information, disk size, memory size, etc.
3.1.2 To understand the operation status of Sangfor aTrust, the following device operation information will be processed by Sangfor:
Operation status information: CPU utilization, memory utilization, disk utilization, etc.
Alert information: alert ID, alert counts, alert date, etc.
Dump information: dump process, dump date, dump counts, etc.
Outside information: device ID, device version, etc.
Request information: request URLs, request counts, request time, etc.
Interface, downflow and upflow information, reported time, etc.
3.1.3 To understand the Customer's use of the Sangfor aTrust functionality, the following business operation data will be processed by Sangfor: online user counts, application counts, endpoints counts, login device information (such as login methods and number), OS counts, client counts, browser counts, Device configuration information (such as port open status, function open status, enabled authentication servers list, security policy open status), etc.
3.1.4 For the purpose of product function implementation, product capability upgrades and security maintenance, as well as the need to contact Customer in the event of an emergency during Customer's use of Sangfor aTrust, Customer's authorized administrators can submit, and authorize Sangfor to process, their name, contact phone number and email address.
3.1.5 In order to provide maintenance and troubleshooting services for Sangfor aTrust, the aTrust Client will collect the following information from the endpoint and transfer it to Sangfor servers directly: information related to the abnormal operation of the Sangfor aTrust client program installed on the endpoint, such as stack commands, failure exception codes, fault problem categories, abnormal function names, aTrust Client version and ID information, and endpoint device information such as name, OS version, CPU information, and memory information.
4. INFORMATION PROCESSED BY CUSTOMER
4.1 The data that Customer processes locally when using Sangfor aTrust includes data collected through the application installed on the endpoint, related business data carried by Sangfor aTrust, and other data such as logs generated during the use of Sangfor aTrust, which can be viewed and managed by Customer through its local server or database. The personal data that may be involved is as follows:
Basic information about the endpoint, including computer name, operating system information (including system version information, system network configuration, process list information, system service list), browser version information, IP address, device MAC address, CPU model and other basic information.
Information about Sangfor aTrust client program, including version, configuration and logging information.
Information related to the operation of endpoints, including whether specified antivirus software is running, whether specified software is installed, whether specified processes are running, whether specified files exist, whether the system firewall is enabled, etc. If Customer configures the running-process log collection function on the management side, information on application usage on the endpoints within the scope of control will be collected for all or part of the time period (including the name of the application used, the time of use, and the domain name/IP address accessed through the application). Customer acknowledges and agrees that it shall only collect and process the relevant log data for the purpose of dealing with the abnormal operation of endpoint client programs, and shall protect the legitimate rights and interests of End Users in their personal data.
4.2 For the above data processed locally by Customer when using Sangfor aTrust, Sangfor will not access the data or interfere with Customer's own management of it by any means without Customer's authorization. If Customer configures and enables the relevant functions in the management platform, the corresponding data may be further transmitted to Sangfor's server for processing in accordance with the applicable data policies. For example, when Customer enables the integration function with Sangfor Endpoint Secure through the management platform: if the type of Sangfor Endpoint Secure selected for integration is locally deployed equipment, the data will be transmitted and processed locally by Customer; but if Sangfor Endpoint Secure is deployed in SaaS form, the terminal asset data collected (including the computer name and operating system information of the terminal equipment, CPU, memory, hard disk, motherboard, network card, sound card, monitor, etc.) will be transmitted to the server deployed at the POP point where Sangfor Access Secure is provided by Sangfor, and will be processed in accordance with the data policy of Sangfor Access Secure.
4.3 If Customer requires global branch management, and the aTrust servers deployed by Customer and the endpoints are located in different jurisdictions, the local data processing activities stated in Article 4.1 may involve cross-border data transfers. Customer shall independently assess whether the cross-border data transfers arising from its aTrust deployment policy comply with the applicable laws and regulations, and shall be solely responsible for any liability arising therefrom.
5. INFORMATION THAT MAY BE TRANSMITTED TO THIRD PARTIES
If Customer uses the Sangfor aTrust APP in conjunction with Sangfor aTrust, then, because of how the message pushing SDK provided by a third party and embedded in the Sangfor aTrust APP operates, Sangfor aTrust needs to first transfer the content of the pushed messages to the server where the third-party provider deploys the SDK before it is further pushed to the corresponding mobile devices through the built-in SDK of the Sangfor aTrust APP. Customer acknowledges and agrees that, when using the Sangfor aTrust APP, the message push content set according to its usage needs will be transmitted to the SDK provider for processing. The details of data processing when using the third-party SDK are set out in the privacy policy of the Sangfor aTrust APP, which can be obtained from the login interface of the Sangfor aTrust APP.
6. CUSTOMER PRIVACY OPTIONS
Customer has the option of disabling data uploading on the management platform of Sangfor aTrust (access path: System Settings > General > Privacy Settings > Join in User Experience Improvement Programme). After the data uploading function is disabled, the related data will not be sent to Sangfor.
7. RETENTION
Data collected by Sangfor aTrust and processed by Customer locally will be fully under Customer's control. Data transferred to Sangfor will be retained in Sangfor's data center located in Malaysia for six (6) months.
8. ACCESS AND DISCLOSURE
8.1 Access by End User: Data and logs stored on Customer's premises can only be accessed by Customer's administrator and users authorized by the administrator.
8.2 Access by Sangfor: Data processing by Sangfor is mostly automated, and access by Sangfor is restricted and only occurs when required to troubleshoot a Customer support inquiry or address issues related to the service.
9. COMPLIANCE WITH DATA PROTECTION LAWS
Sangfor is committed to protecting personal data processed by Sangfor. Sangfor will not access the content of the files in a way in which Sangfor could acquire meaningful information about natural persons, other than in exceptional cases where it is necessary for identifying security threats.
10. ABOUT THIS DOCUMENT
The information provided with this privacy policy that concerns technical or professional subject matter is for general awareness only; it may be subject to change, and does not constitute legal or professional advice, nor a warranty of fitness for a particular purpose or of compliance with applicable laws.