Revision Date: 20 January 2022
If this Data Processing Addendum (“Addendum”) is expressly incorporated by reference into an agreement (“Main Agreement”) between Sophos Limited, a company registered in England and Wales number 2096520, with its registered office at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP, UK (“Supplier”) and a customer of Supplier (“Customer”), this Addendum forms part of the Main Agreement and is effective between the Supplier and the Customer.
If you wish to view this Addendum in another language, visit any of the following pages: Spanish, French, Italian, Brazilian Portuguese, German, Chinese Traditional, Chinese Simplified, and Japanese.
1. PREAMBLE
1.1 The parties have entered into the Main Agreement regarding the provision by the Supplier to the Customer of certain products and/or services (collectively, “Products”).
1.2 If the Main Agreement is an MSP agreement in similar form to the MSP agreement located at https://www.sophos.com/en-us/legal/sophos-msp-partner-terms-and-conditions (“MSP Agreement”), the Customer is a managed service provider (“MSP”). If the Main Agreement is an OEM agreement under which the Customer is authorised to distribute, sublicense, or make available to third parties Supplier Products in combination with the Customer’s products as part of a bundled unit (“OEM Agreement”), the Customer is an original equipment manufacturer (“OEM”). Otherwise, the Customer is an end user (“End User”).
1.3 The provision of the Products may include the collection, processing and use of Controller Data by the Supplier for the Customer. This Addendum sets forth the obligations of the parties with respect to such data processing and supplements the terms and conditions of the Main Agreement.
1.4 The Main Agreement, this Addendum and the documents expressly referenced in the Main Agreement and this Addendum shall constitute the entire agreement between the parties in relation to personal data collected, processed and used by the Supplier on behalf of the Customer in connection with the Main Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
2. DEFINITIONS
2.1 In this Addendum, the following terms shall have the following meanings:
“Applicable Data Protection Laws” means (i) EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or “GDPR”); (ii) the e-Privacy Directive (EU Directive 2002/58/EC); and (iii) any and all applicable national data protection legislation, including legislation made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to time.
“Beneficiary” has the meaning given to it in the MSP Agreement.
“Controller” means either: (a) the Customer, if the Customer is an End User; (b) the Beneficiary, if the Customer is an MSP; or (c) the End Customer, if the Customer is an OEM.
“Controller Data” means any and all personal data for which the Controller is the controller under Applicable Data Protection Laws.
“End Customer” has the meaning given to it in the OEM Agreement.
"Europe" (and "European") means (i) the Member States of the European Economic Area (“EEA”), and (ii) with immediate effect following the date from which European Union law no longer applies to the United Kingdom, the United Kingdom.
“EU Standard Contractual Clauses” or “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by the European Commission implementing decision (EU) 2021/914 of 4 June 2021.
“EU Controller to Processor Clauses” means the Module Two Clauses to the EU SCCs.
“EU Processor to Processor Clauses” means the Module Three Clauses to the EU SCCs.
“Hosted Products” mean the Products listed in Exhibit 3.
“Personal Data Breach” means a breach of security (other than those caused by the Customer or its users) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Data processed by the Supplier under this Addendum.
“UK Addendum” means the addendum to the EU SCCs set out in the Exhibit where applicable.
2.2 In this Addendum, the lower case terms "controller", "processor", "data subject", "personal data" and "processing" (and derivatives thereof) shall have the meanings given in Applicable Data Protection Law.
3. SCOPE
3.1 The subject matter and duration of the Supplier's processing of Controller Data, including the nature and purpose of the processing, the types of Controller Data to be processed, and the categories of data subjects, shall be as described in: (i) this Addendum; (ii) the Main Agreement; (iii) any instructions in Exhibit 1; and (iv) the Customer’s instructions issued in accordance with Clause 4.
3.2 The Customer is responsible for ensuring (i) that the Controller has a lawful basis for the processing of Controller Data that will be carried out by the Supplier on its behalf, and (ii) that the Controller has obtained all necessary consents from data subjects that may be required for the processing of Controller Data by the Customer and the Supplier (including but without limitation, in relation to special categories of data); and (iii) that it is otherwise compliant with, and will ensure its instructions to the Supplier for the processing of Controller Data comply in all respects with, Applicable Data Protection Laws.
3.3 The remaining provisions of this Addendum describe the parties’ respective obligations in relation to Controller Data for which either: (i) the Customer is the controller and the Supplier is the processor, if the Customer is an End User; or (ii) the Customer is the processor for a third party controller, and the Supplier is the sub-processor, if the Customer is an MSP or OEM.
4. CUSTOMER INSTRUCTIONS
4.1 The Supplier shall process the Controller Data in accordance with the Customer's documented processing instructions, as exclusively set out in Clause 3.1 except:
(a) where otherwise agreed in writing between the Supplier and the Customer; or
(b) where required by law to which the Supplier is subject (in which event, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits the provision of such information).
4.2 If the Supplier becomes aware that the Customer's processing instructions infringe Applicable Data Protection Laws (without imposing any obligation on the Supplier to actively monitor the Customer's compliance), it will promptly notify the Customer of same and suspend processing of the Controller Data.
5. DUTIES OF THE SUPPLIER
5.1 All Supplier personnel who process the Controller Data shall be adequately trained with respect to their data protection, security and confidentiality obligations, and shall be subject to written obligations to maintain confidentiality.
5.2 The Supplier will, at its own cost, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to protect the Controller Data against a Personal Data Breach. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons so as to ensure a level of security that is appropriate to the risk. In particular, the measures taken by the Supplier shall include those described in Exhibit 2 of this Addendum. The Supplier may change or amend the technical and organisational measures described in Exhibit 2 without the prior written consent of the Customer provided that the Supplier maintains at least an equivalent level of protection. Upon request by the Customer, the Supplier will provide an updated description of the technical and organisational measures in the form as presented in Exhibit 2.
5.3 The Supplier shall follow the requirements specified in Clause 7 for engaging any subprocessor to process Controller Data.
5.4 The Supplier shall follow the requirements specified in Clause 8 for assisting the Customer to respond to enquiries from third parties, including any requests from data subjects to exercise their rights under Applicable Data Protection Laws.
5.5 Upon confirming the occurrence of any Personal Data Breach, the Supplier shall inform the Customer without undue delay and shall provide all such timely information and cooperation as the Customer may reasonably require in order for the Customer (and, if the Customer is an MSP or OEM, its Controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. The Supplier shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Personal Data Breach and shall keep the Customer informed of all developments in connection with the Personal Data Breach.
5.6 The Supplier shall provide the Customer (or, if the Customer is an MSP or OEM, its Controller) with all such reasonable and timely assistance as the Customer (or, as applicable, the Controller) may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority. Such assistance shall be provided at the Customer's expense.
5.7 The Supplier shall delete the Controller’s Controller Data within a reasonable period of time following termination or expiry of this Addendum, in each case if and to the extent permitted by applicable European law.
5.8 The Supplier shall follow the requirements specified in Clause 6 for providing to the Customer (and, if the Customer is an MSP or OEM, its Controller) such information as is necessary to demonstrate the Supplier's compliance with the obligations laid down in this Addendum.
6. AUDIT RIGHTS OF THE CUSTOMER
6.1 The Customer acknowledges that the Supplier is regularly audited against SSAE 18 SOC 2 standards by independent third party auditors. Upon request, the Supplier shall supply a copy of its SOC 2 audit report to the Customer, which reports shall be subject to the confidentiality provisions of the Main Agreement as the Supplier’s confidential information. The Customer acknowledges and agrees that the third party auditor that authored such report (“Author”) does not accept any responsibility or liability to the Customer or the Customer’s auditors unless and until the Customer enters into a separate duty of care agreement with the Author. The Supplier shall also respond to any written audit questions submitted to it by the Customer, provided that the Customer shall not exercise this right more than once per year.
7. SUBPROCESSORS
7.1 The Customer consents to the Supplier’s existing subprocessors as at the date of this Addendum, which are listed at https://www.sophos.com/en-us/legal (“Subprocessor List”). The Supplier will not subcontract the processing of any Controller Data to any additional third party subprocessors (each a “New Subprocessor”) without prior notification to the Customer. The Supplier will provide prior notice of the addition of any New Subprocessor (including general details of the processing it performs or will perform), which notice may be given by posting details of such addition to the Subprocessor List. If the Customer does not object in writing to the Supplier’s appointment of a New Subprocessor (on reasonable grounds relating to the protection of Controller Data) within 30 days of the Supplier adding that New Subprocessor to the Subprocessor List, the Customer agrees that it will be deemed to have consented to that New Subprocessor. If the Customer provides such a written objection to the Supplier, the Supplier will notify the Customer in writing within 30 days that either: (i) the Supplier will not use the New Subprocessor to process the Controller Data; or (ii) the Supplier is unable or unwilling to do so. If the notification in paragraph (ii) is given, the Customer may, within 30 days of such notification, elect to terminate this Addendum and the Main Agreement as to the affected processing upon written notice to the Supplier and Supplier shall for Customers located within the European Economic Area and UK only, authorize a pro rata refund or credit of any prepaid fees for the period remaining after the termination. However, if no such notice of termination is provided within that timeframe, the Customer will be deemed to have consented to the New Subprocessor. 
The Supplier will impose data protection terms on New Subprocessors to protect the Controller Data to the same standard as provided for by this Addendum and the Supplier will remain fully liable for any breach of this Addendum that is caused by any such subprocessor.
8. INQUIRIES OF THIRD PARTIES
8.1 The Supplier shall provide all reasonable and timely assistance to the Customer (or, if the Customer is an MSP or OEM, the Controller), at the Customer's expense, to enable the Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Controller Data. If any such request, correspondence, enquiry or complaint is made directly to the Supplier, the Supplier shall promptly inform the Customer providing full details of the same.
9. INTERNATIONAL DATA TRANSFERS
9.1 Certain Products enable the Customer to choose whether to host the Controller Data for such Products in data centres that may be located in (i) the European Economic Area, (ii) the United Kingdom, or (iii) the United States of America (“Central Storage Location”). This selection takes place at the point of installation, account creation, or first use of the relevant Product. Once selected, the Central Storage Location cannot be varied at a later date.
9.2 The Customer acknowledges and agrees that, regardless of the selected Central Storage Location (if relevant), Controller Data may be exported through or to other jurisdictions (inside and/or outside of the United Kingdom and the European Economic Area): (i) to Sophos’s global team of technicians and engineers for malware, security threat, and false positive analysis, and research and development purposes, (ii) in order to provide technical and customer support, account management, billing and other ancillary functions, and (iii) as expressly described in the documentation referenced in Clause 3.1.
9.3 The Supplier shall not transfer the Controller Data to (nor permit the Controller Data to be processed in or from) a country outside of Europe unless the transfer is to a country that is deemed adequate under Applicable Data Protection Laws or the Supplier takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, including, for example but without limitation, by use of the EU SCCs (as amended from time to time).
9.4 The transfer restriction described in Clause 9.3, shall also apply to transfers of Controller Data from the European Economic Area to the United Kingdom if and when the United Kingdom ceases to be subject to European Union law.
9.5 If Clause 9.3 applies because the Supplier or a Supplier affiliate will process Controller Data in a country outside of the UK or the EEA then in such case (and only to the extent that for any transfers of Controller Data, no other measure recognised under Applicable Data Protection Laws for permitting such transfers is available (such as, without limitation, transfer to a recipient in a country that is deemed to provide adequate protection for personal data under Applicable Data Protection Laws or transfer to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Laws)) for any transfers of Controller Data, the parties agree that:
(a) for transfers from the EEA, the EU Controller to Processor Clauses shall apply and such EU SCCs are hereby incorporated by reference into this Addendum;
(b) for transfers from the UK, the EU Controller to Processor Clauses shall apply (and such EU SCCs are hereby incorporated by reference into this Addendum) provided that such EU Controller to Processor Clauses shall be subject to the UK Addendum.
9.6 If Clause 9.3 applies because the Supplier or a Supplier affiliate will process Controller Data in a country outside of the UK or the EEA then in such case (and only to the extent that for any transfers of Controller Data, no other measure recognised under Applicable Data Protection Laws for permitting such transfers is available (such as, without limitation, transfer to a recipient in a country that is deemed to provide adequate protection for personal data under Applicable Data Protection Laws or transfer to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Laws)) where (as contemplated under Clause 3.3(ii)) the Customer is the processor for a third party controller and the Supplier is the sub-processor, the parties agree that:
(a) for transfers from the EEA, the EU Processor to Processor Clauses shall apply and such EU SCCs are hereby incorporated by reference into this Addendum;
(b) for transfers from the UK, the EU Processor to Processor Clauses shall apply (and such EU SCCs are hereby incorporated by reference into this Addendum) provided that such EU Processor to Processor Clauses shall be subject to the UK Addendum.
9.7 The Appendix to the EU SCCs shall be completed as set out in Exhibit 4 below.
9.8 For each Module to the EU SCCs, where applicable:
(a) the optional docking clause in Clause 7 shall not apply;
(b) Option 2 under Clause 9 shall apply. The data importer shall notify the data exporter 30 days in advance of any intended changes (via addition or replacement) to the list of sub-processors.
(c) in Clause 11, the optional language shall not apply;
(d) For the purposes of Clauses 13(a):
• where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer will be the competent supervisory authority where the data exporter is established and shall act as competent supervisory authority.
(e) For the purposes of Clause 17, the EU SCCs shall be governed by the law of the EU Member State in which the data exporter is established;
(f) For the purposes of Clause 18(b), disputes will be resolved before the courts of the EU member state in which the data exporter is established.
10. DURATION
10.1 This Addendum commences upon execution by both parties of the Main Agreement (or the date on which the Main Agreement becomes effective, if later) and continues until the earlier of: (i) the expiry of the Customer’s entitlement to use and receive the Products, as noted in the Main Agreement or on any associated license entitlement; and (ii) the termination of the Main Agreement.
11. OTHER REGULATIONS
11.1 Modifications of and amendments to this Addendum require the written form. This also applies to changes and modifications to this Clause 11.1.
11.2 In no event shall the Supplier's liability to the Customer in connection with any issue arising out of, or in connection with, this Addendum exceed the Supplier's limitations on liability set out in the Main Agreement. The Supplier's limitations on liability as set out in the Main Agreement shall apply in aggregate across both the Main Agreement and this Addendum, such that a single limitation on liability regime shall apply across both the Main Agreement and this Addendum.
11.3 This Addendum shall be governed by and construed in accordance with the laws of England and Wales, without regard to conflict of laws principles. To the extent permitted by applicable law, the courts of England shall have exclusive jurisdiction to determine any dispute or claim that may arise out of, under, or in connection with this Addendum.
11.4 To the extent of any conflict between the terms of this Data Processing Addendum and the terms of any SCCs entered into by the parties, the terms of the applicable EU SCCs shall take precedence.
Exhibit 1
Data Processing Instructions
This Exhibit 1 describes the processing that the Supplier will perform on behalf of the Customer.
(A) Subject matter, nature and purpose of the processing operations
The Controller Data will be subject to the following basic processing activities (please specify):
1. Providing the Products purchased by the Customer under and pursuant to the Main Agreement
2. Providing account management and customer technical support services
The Supplier provides Products that are designed to detect, prevent, and manage, or assist the Supplier to detect, prevent, and manage security threats within or against systems, networks, devices, files, and other data made available by the Customer. The content of any information held in these systems, networks, devices, files and other data is determined solely by the Customer and not by the Supplier.
(B) Duration of the processing operations:
The Controller Data will be processed for the following duration (please specify):
The duration specified in the Main Agreement (or for the term of the Main Agreement, if not otherwise specified).
(C) Data subjects
The Controller Data concern the following categories of data subjects (please specify):
Data subjects include the individuals about whom data is provided to the Supplier via the Products by (or at the direction of) the Customer or the Customer’s end users.
(D) Types of personal data
The Controller Data concern the following categories of data (please specify):
Data relating to individuals provided to the Supplier via the Products, by (or at the direction of) the Customer or by the Customer’s end users, such as contact information.
(E) Special categories of data (if appropriate)
The Controller Data concern the following special categories of data (please specify):
Unless otherwise specified, the Supplier’s Products are not designed to process special categories of data.
Exhibit 2
Technical and Organisational Measures
Certain of these measures may only be relevant or applicable to Hosted Products.
A) Physical Access Control.
- Sophos has a physical access control policy;
- All staff carry ID / access badges;
- Entrances to facilities are protected by access badges or keys;
- Facilities are divided into (i) public access areas (such as reception areas), (ii) general staff access areas, and (iii) restricted access areas which may only be accessed by those personnel with an express business need;
- Access badges and keys control access to restricted areas within each facility according to an individual’s authorised access levels;
- Access levels for individuals are approved by senior staff members and are verified on a quarterly basis;
- Reception and/or security staff are present at entrances to larger sites;
- Facilities are protected by alarms;
- Visitors are pre-registered and visitor logs are maintained.
B) System Access Control.
- Sophos has a logical access control policy;
- The network is protected by firewalls at each Internet connection;
- The internal network is segmented by firewalls based on application sensitivity;
- IDS and other threat detection and blocking controls run on all firewalls;
- Filtering of network traffic is based on rules that apply the principle of “least access”;
- Access rights are only granted to authorised personnel to the extent and for the duration necessary in order to perform their job roles and are reviewed quarterly;
- Access to all systems and applications is controlled by a secure log-on procedure;
- Individuals have unique user IDs and passwords for their own use;
- Passwords are strength tested and changes are enforced to weak passwords;
- Screens and sessions automatically lock after a period of inactivity;
- Sophos malware protection products are installed as standard;
- Regular vulnerability scans are conducted on IP addresses and systems;
- Systems are patched on a regular cycle with a prioritisation system for fast-tracking urgent patches.
C) Data Access Control.
- Sophos has a logical access control policy;
- Access rights are only granted to authorised personnel to the extent and for the duration necessary in order to perform their job roles and are reviewed quarterly;
- Access to all systems and applications is controlled by a secure log-on procedure;
- Individuals have unique user IDs and passwords for their own use;
- Passwords are strength tested and changes are enforced to weak passwords;
- Screens and sessions automatically lock after a period of inactivity;
- Laptops are encrypted using Sophos encryption products;
- Senders are directed to consider file encryption prior to sending any external email.
D) Input Control.
- Access to all systems and applications is controlled by a secure log-on procedure;
- Individuals have unique user IDs and passwords for their own use;
- The Sophos Central Products use transport layer encryption to protect data in transit;
- Communication between the client software and the backend Sophos system is performed over HTTPS to secure the data in transit, establishing trusted communication via certificates and server validation.
E) Subcontractor Control.
- Subcontractors with access to data undertake an IT security vetting procedure prior to onboarding and as required thereafter;
- Contracts contain appropriate confidentiality and data protection obligations based on the subcontractor’s duties.
F) Availability Control.
- Sophos protects its premises from fire, flood and other environmental hazards;
- Back-up generators are available to maintain power supplies in the event of power outages;
- Data centres and server rooms use climate controls and monitoring;
- The Sophos Central system is load balanced and has failover between three sites, each running two instances of the software, any one of which is capable of providing the full service.
G) Segregation Control.
- Sophos maintains and applies a quality control process for the deployment of new customer products;
- Testing and production environments are separate;
- New software, systems and developments are tested prior to release to the production environment.
H) Organisational Control.
- Sophos has a dedicated IT security team;
- The Risk and Compliance team manage internal risk reporting and controls, which include reporting on key risks to management;
- An incident response process identifies and remedies risks and vulnerabilities on a timely basis;
- Each new employee undertakes data protection and IT security training;
- The IT Security department conducts quarterly security awareness campaigns.
Exhibit 3
Hosted Products
- Sophos Central
- Sophos Cloud Optix
- Central Device Encryption
- Central Endpoint Protection
- Central Endpoint Intercept X
- Central Endpoint Intercept X Advanced
- Central Mobile Advanced
- Central Mobile Standard
- Central Phish Threat
- Central Intercept X Advanced for Server
- Central Server Protection
- Central Mobile Security
- Central Web Gateway Advanced
- Central Web Gateway Standard
- Central Email Standard
- Central Email Advanced
- Central Wireless Standard
- Any other Sophos product that is administered and operated via Sophos Central
Exhibit 4
Reference data for EU STANDARD CONTRACTUAL CLAUSES
APPENDIX 1 TO THE EU STANDARD CONTRACTUAL CLAUSES
A: LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s), including any contact person with responsibility for data protection]
Customer Name: as provided to Supplier under the Main Agreement
Address: as provided to Supplier under the Main Agreement
Contact email:
Contact person’s name/ position: as provided to Supplier under the Main Agreement
Activities relevant to the data transferred under these Clauses: As described in Clause 3 above
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Name: Sophos Limited (for and on behalf of its EU and Swiss subsidiaries)
Address: The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Registration number: 2096520
Contact person’s name, position and contact details: dataprotection@sophos.com
Activities relevant to the data transferred under these Clauses: As described in Clause 3 above.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
As described in Section C, Exhibit 1 above
Categories of personal data transferred:
As described in Section D, Exhibit 1 above.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
As described in Section E, Exhibit 1 above.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous
Nature of the processing
As described in Section A, Exhibit 1 above.
Purpose(s) of the data transfer and further processing
As described in Section A, Exhibit 1 above.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
For the duration of the contracting period.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As described in Clause 3 above.
COMPETENT SUPERVISORY AUTHORITY
SEE CLAUSE 9.8 ABOVE
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA¹
The measures are set out in Exhibit 2 above.
ANNEX III – LIST OF SUB-PROCESSORS²
Not required as Clause 9(a), Option 1 has not been selected.
¹ Annex II must be completed for all modules except MODULE FOUR.
² Annex III applies only to MODULE TWO (Transfer controller to processor) and MODULE THREE (Transfer processor to processor) where Clause 9(a), Option 1 has been selected.