adobe systems software ireland limited 1. definitions. · 2020-06-23 · this data processing...

of 25 CONFIDENTIAL

DPA_SCC_English_FX2 2018-NOV-14

Data Processing Agreement for Adobe Cloud Services

[with EU Standard Contractual Clauses] This data processing agreement (the “Data Processing Agreement”) is by and between on the one hand Acme Corporation Inc. having a principal place of business Road Runner Road, Coyoteville, CA78961, United States (“Customer”) and Adobe Systems Software Ireland Limited, having a principal place of business at 4-6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland ("Adobe") and supplements any License Agreement. If the parties previously entered into a data processing agreement for Adobe Cloud Services, this Data Processing Agreement shall now supersede the foregoing. This Data Processing Agreement is meant to ensure the parties’ compliance with the requirements imposed by the applicable data protection laws and regulations for Customer´s use of Adobe Cloud Services. The attached Annexes and Attachment supplement the terms of this Data Processing Agreement.

1. Definitions.

a. The capitalized terms will have the meanings set forth below:

b. “Adobe Cloud Services” means the On-demand Services and Managed Services provided by Adobe.

c. "License Agreement" means the agreement under which Adobe or Adobe as authorized agent of Adobe Systems Pty Ltd (Adobe Australia) supplies Customer with the Adobe Cloud Services, whether directly or indirectly.

d. “EEA” means the European Economic Area with its Member States.

e. “European Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Directive 2002/58/EC (as amended by Directive 2009/136/EC) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Regulation and Directive, and any amendments to or replacements thereto.

f. “EU – U.S. Privacy Shield” means the framework of adequate data protection principles agreed between the European Commission and the U.S. Department of Commerce to enable organizations in the European Union and the United States to transfer personal data from the European Union to the United States.

g. “Instruction” means any documented instruction - written or by data input - received by Adobe from Customer, including licenses granted under the License Agreement and this Data Processing Agreement.

h. “Personal Data” shall have the same meaning as defined under European Data Protection Laws.

i. “Personal Data Breach” means a confirmed unauthorized access by a third party or confirmed accidental or unlawful destruction, loss or alteration of Personal Data.

of 25 CONFIDENTIAL


j. “Process” or “Processing” shall have the meaning as defined under applicable European Data Protection Laws.

k. “Standard Contractual Clauses” means the agreement pursuant to European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to processors established in third countries which do not provide an adequate level of data protection, attached hereto as Attachment 1.

l. “Support Services” means the applicable customer support services provided by Adobe under the License Agreement.

m. “Swiss U.S. Privacy Shield” means the framework of adequate data protection principles agreed between Switzerland and the U.S. Department of Commerce to enable organizations in Switzerland and the United States to transfer personal data from Switzerland to the United States.

n. All other capitalized terms not defined in this Data Processing Agreement shall have the meanings ascribed to them in the License Agreement.

2. General Provisions.

Applicability. The provisions of this Data Processing Agreement are applicable to the Processing of Personal Data by Adobe under the respective License Agreement. In case of discrepancies between this Data Processing Agreement and the License Agreement the provisions of this Data Processing Agreement shall prevail. If there are any discrepancies between this Data Processing Agreement, the Standard Contractual Clauses and the EU – U.S. Privacy Shield, the EU – US Privacy Shield shall prevail, save where the Customer and Adobe have entered into the Standard Contractual Clauses for the purposes of this Agreement, in which case, the Standard Contractual Clauses shall prevail.

3. Processing and Categories of Personal Data.

a. Adobe Processes all Customer Data that may contain Personal Data in the locations described in the Adobe Privacy Center website: www.adobe.com/go/processing .

b. Details of Processing of Personal Data. The subject matter, nature and purpose and details of the data processing and the details of the type of Personal Data and categories of data subjects are in accordance with Adobe Cloud Services licensed by Customer and as more specifically described in the applicable documentation (which is also available here: https://helpx.adobe.com/legal/product-descriptions.html ). Personal Data may include the categories listed in the Adobe Privacy Center website: www.adobe.com/go/processing .

4. Data Controller.

In accordance with all applicable data protection laws, Customer shall be the data controller and Adobe shall be the data processor.

http://www.adobe.com/go/processing

https://helpx.adobe.com/legal/product-descriptions.html

https://helpx.adobe.com/legal/product-descriptions.html


of 25 CONFIDENTIAL


5. Data subjects.

Data subjects may include Customer´s end users, customers, prospects, business partners, vendors, contractors, employees, agents and advisors.

6. Adobe’s Responsibility.

Collection, Processing and Use of Personal Data. Adobe will only process Personal Data within the scope of Customer’s Instructions for the applicable Adobe Cloud Service. Adobe shall notify Customer promptly if it considers that an Instruction from Customer is in breach of European Data Protection Law, and Adobe shall be entitled, but not obliged, to suspend execution of the Instructions concerned, until Customer confirms such Instructions in writing. Notwithstanding the foregoing, Adobe may process the Personal Data if it is required under European Union or Member State law to which it is subject. In this situation, Adobe shall inform the Customer of such a requirement before Adobe processes the data unless the law prohibits this on important grounds of public interest.

7. Security of Processing.

a. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Adobe has implemented and maintains technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk as set forth in Annex 1 Technical and Organizational Measures for which Adobe has obtained the third-party certifications and audits listed on Adobe´s Trust Center website (also accessible via https://www.adobe.com/security/compliance.html ).

b. Adobe´s Technical and Organisational Measures are subject to technical progress and further development. Accordingly, Adobe reserves the right to modify the Technical and Organisational Measures provided that the functionality and security of the Adobe Cloud Services are not degraded.

8. Personal Data Breach

In the case of a Personal Data Breach, Adobe will notify Customer without undue delay after Adobe becomes aware of the Personal Data Breach via the email address specified by Customer in Clause 17 or as may be provided in the Adobe Cloud Service user interface and, as required by Article 33 of the General Data Protection Regulation, Adobe shall supply Customer with information regarding the Personal Data Breach (to the extent that such information is available to Adobe) to enable Customer to comply with its notification requirements to the supervisory authority (and, if necessary, the relevant data subjects) under European Data Protection Laws. Adobe will, promptly, commence a forensic investigation of a Personal Data Breach and take appropriate remedial steps to prevent and minimize any possible harm. For the avoidance of doubt, Personal Data Breaches will not include unsuccessful attempts to, or activities that do not, compromise the security of Personal Data including, without limitation, unsuccessful log in attempts, denial of service attacks and other attacks on firewalls or networked systems.

https://www.adobe.com/trust.html

https://www.adobe.com/trust.html

https://www.adobe.com/security/compliance.html

of 25 CONFIDENTIAL


9. Further Obligations

a. Taking into account the nature of the Processing under this Data Processing Agreement, Adobe shall take all reasonable steps to assist Customer in meeting Customer's obligations under Articles 30, and 32 to 36 of GDPR. Adobe and Customer agree that, for the purposes of Article 30 GDPR, the License Agreement and this Data Processing Agreement constitute the record of all categories of Processing activities carried out by Adobe on behalf of Customer.

b. Adobe will, at the choice of the Controller, delete or return to the Controller all Personal Data after the end of the applicable License Agreement, unless European Data Protection Laws require storage of Personal Data.

10. Responsibilities of the Data Controller.

a. Instructions. Customer shall give Instructions to Adobe as agreed by the Parties in the License Agreement.

b. Information Duty. If Customer becomes aware of any breaches of, or other irregularities with, the requirements of all applicable data protection laws, if required by applicable law, Customer shall promptly notify and provide Adobe with Instructions detailing the Processing activities that Adobe must take to ensure the protection of Personal Data, or avoid non-compliance with applicable data protection laws.

11. Records of Processing.

Customer shall maintain at all times, and keep up to date, a record of Processing activities under its responsibility, as required under Article 30 (1) GDPR.

12. Costs.

In the event that Customer Instructs Adobe to provide assistance which goes beyond the standard functionality of the Service(s), then Adobe may charge Customer for any costs beyond the agreed upon license fees to the extent it is not commercially reasonable for Adobe to provide such assistance without charge (considering relevant factors such as volume of requests, complexity of Instructions and timescale requested). This shall include, without limitation, costs incurred by Adobe in executing Customer's Instructions relating to the erasure, additional storage and/or retention of Customer's Personal Data, and compliance with any subject access request received by Customer in accordance with Clause 13.

13. Access and Data Deletion.

Data Subject Requests. Adobe will promptly inform Customer of any data subject requests it receives in connection with the Adobe Cloud Services licensed by Customer. Customer is responsible for ensuring such requests are handled in accordance with European Data Protection Laws. Adobe will implement appropriate technical and organizational measures to assist Customer with its obligations in connection with such data subject requests.

14. Audit

of 25 CONFIDENTIAL


a. Customer may audit Adobe’s compliance with the terms of this Data Processing Agreement up to once per year (either for itself or on behalf of a regulatory body to which it is subject and only pursuant to a formal request for information from such regulator) (“Audit”).

b. Customer agrees that its right to audit set out above means that it shall be entitled to exercise the following process:

i. Customer will be able to review the output of the formal annual independent review of Adobe’s Technical and Organisational Measures conducted by a reputable qualified third party (“Compliance Report”).

ii. Upon review of the Compliance Report if Customer identifies areas that have not been covered that is it lawfully under this Data Processing Agreement permitted to audit, then Customer will submit an additional list of reasonably specific and detailed questions to Adobe in writing. (“Audit Questions”).

1. Within a reasonable timeframe, Adobe will respond to the Audit Questions (“Responses”) to Customer (or its Regulator if so Instructed by Customer).

2. Customer agrees that upon receipt of the responses to the Audit Questions Customer will have completed its Audit, unless Customer can objectively demonstrate that the Responses do not adequately demonstrate Adobe´s compliance with its statutory obligations and this Data Processing Agreement. Under such an event, Customer may then be entitled to invoke the process set out below.

iii. Subject to compliance with i. and ii. above, Customer shall be entitled to request a formal audit of Adobe’s compliance with this Data Processing Agreement concerning the Audit Questions not already covered by the documentation provided by Adobe (“Gap Audit”). In order to be able to do this, Customer must submit a detailed audit plan to Adobe at least two weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the Gap Audit. Adobe will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Adobe’s security, privacy, employment or other relevant policies), and work with Customer to agree on a final audit plan.

1. The Gap Audit will at all times be subject to the following:

a. It must be conducted during normal business hours at the applicable facility, subject to Adobe policies with respect to on-site visitors and may not unreasonably interfere with Adobe business activities;

b. The parties agree to use the least intrusive means to verify Adobe's, compliance with obligations under this Data Processing Agreement;

c. The Parties agree to respect the need for Adobe to maintain the security of facilities and uninterrupted business operation, protect themselves and customers from risk and to prevent disclosure of information that

of 25 CONFIDENTIAL


would jeopardize the confidentiality of Adobe or Adobe´s customers’ information.

d. If Customer appoints a third party is to conduct the Gap Audit, the third party must be mutually agreed to by Customer and Adobe and must execute a written confidentiality agreement acceptable to Adobe before conducting the Gap Audit.

e. Where Customer is conducting a Gap Audit as a result of a regulator’s requests, and if Adobe and/or Adobe´s sub-processor believe that it is not possible to meet a specific time frame set by the regulator, Adobe and/or its sub-processor will assist Customer to explain this to the relevant regulator. Customer acknowledges that access to the sub-processor's facilities is subject to agreement from the relevant sub-processor, and that Adobe cannot guarantee access to that sub-processor's facilities at any particular time.

f. Customer will provide Adobe any Gap Audit reports generated under this section, unless prohibited by law. Customer may use the Gap Audit report only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement.

g. The Gap Audit report is Confidential Information of the parties under the terms of the License Agreement.

iv. Any audits (and any related costs incurred by Adobe (e.g. damages caused by Customer or its auditors to facilities or data held therein) are at the Customer's expense.

15. Sub-processors

a. Customer agrees that Adobe shall be entitled to use sub-processors listed on the Adobe Privacy Center ( http://www.adobe.com/go/processing ) for the Adobe Cloud Services subscribed to by Customer in the License Agreement. Adobe has entered into an agreement with the applicable sub-processor which ensures that such sub-processor shall be obliged to meet equivalent obligations as those set out in this Data Processing Agreement and, where the Standard Contractual Clauses are applicable and where the sub-processor is located in a third country which does not provide adequate protection for Personal Data, for the purposes of Clause 11(1) of the Standard Contractual Clauses, Adobe has entered into the Standard Contractual Clauses with such sub-processor. Where Adobe´s sub-processor fails to fulfil its data protection obligations, Adobe will remain responsible.

b. Adding Sub-processors. At least 14 days prior to authorizing any new sub-processor to access Personal Data, Adobe will update the Adobe Processor Website and such update will serve as notice to Customer. Customer may subscribe to receive Email notifications for updates to the Adobe Processor Website, when Adobe makes this available. If Customer wishes to object to the approval of the new sub-processor it must provide such objection in writing to Adobe promptly

https://www.adobe.com/privacy/sub-processors.html

https://www.adobe.com/privacy/sub-processors.html


https://www.adobe.com/ie/privacy/sub-processors.html

https://www.adobe.com/ie/privacy/sub-processors.html

of 25 CONFIDENTIAL


after receipt of Adobe's notice. In the event that Customer objects to such new sub-processor then Customer may terminate the applicable Adobe Cloud Service without penalty by providing written notice of termination that includes an explanation on the grounds for non-approval.

c. Sub-processor Agreements. In the event the Standard Contractual Clauses are applicable, the parties agree that copies of sub-processor agreements that must be sent to data exporter by data importer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information removed by the data importer, and that such copies will be provided by data importer only upon request.

16. Adequate Data Transfer Mechanism to the US.

a. EU – U.S. Privacy Shield and Swiss – U.S. Privacy Shield. Adobe Inc. (Adobe US) is a certified organization under the EU – U.S. Privacy Shield and Swiss – U.S. Privacy Shield and intends to maintain its certification status in the future. The principles of the EU – U.S. Privacy Shield and Swiss – U.S. Privacy Shield framework apply to the transfer of Personal Data from the EU/Switzerland to the US, except if Customer and Adobe US enter the Standard Contractual Clauses for this purpose.

b. Standard Contractual Clauses. If Customer does not wish to rely on Adobe’s EU – U.S. Privacy Shield registration as an adequate transfer mechanism, Customer and Adobe US enter into the Standard Contractual Clauses in Attachment 1 for the transfer and Processing of Personal Data.

17. Contact Information and Notifications:

a. For Adobe:

Data Protection Officer Adobe Systems Software Ireland Limited 4-6 Riverwalk, City West Business Campus Dublin 24 Ireland Email: [email protected]

b. For Customer:

Customer Data Protection Officer:

Insert name{{ es signer1 DPO name }}

Insert email{{es signer1 DPO email }}

Customer Representative:

Insert name{{ es signer1 Rep name }}

Insert email{{es signer1 Rep email }}

Insert name{{ es signer2 DPO name }}

mailto:[email protected]

of 25 CONFIDENTIAL


Insert email{{es signer2 DPO email }}

Customer Representative:

Insert name{{ es signer2 Rep name }}

Insert email{{es signer2 Rep email }}

18. Miscellaneous.

No amendment, change or suspension of this Data Processing Agreement shall be valid unless agreed upon in writing between Customer and Adobe and unless this Data Processing Agreement is expressly referred to.

Adobe Systems Software Ireland Limited 4-6 Riverwalk, City West Business Campus, Dublin 24 Ireland

Acme Corporation Inc. Road Runner Road, Coyoteville, CA78961, United States

{{_es_signer1_signature }} ________________________________________________________________________________________________________

Authorized Signature

________________________________________________________________________________________________________

Authorized Signature ________________________________________ __________________________________________________________

Print Name

________________________ ________________________________________________________________________________

Print Name _______________________________________________________________________________________________________

Title

____________________ _____________ ______________________________________________________________________

Title _________________________ _ ___________________________________________________________________________

Date

_________________________ _ ___________________________________________________________________________

Date

of 25 CONFIDENTIAL


Annex 1

Technical and Organisational Security Measures

I. Adobe Security Certifications.

Adobe Cloud Services meet the specific requirements of data protection, including, without limitation, Article 28 of the General Data Protection Regulation and which are listed as SOC2, Type 2 (Security and Availability)- and ISO 27001 compliant at http://www.adobe.com/go/cloudcompliance. At a minimum, Adobe has implemented for the Adobe Cloud Services the technical and organizational measures and maintains security practices within the production environments as follows:

II. Confidentiality Measures

A. Site Operations

1. Physical Access Management

a) Employee physical access that is no longer required in the event of personnel termination or role change is p r o m p t l y revoked. If applicable, temporary badges are returned prior to exiting facility.

b) Initial permission definitions, and changes to permissions, associated with physical access roles are approved by appropriate Adobe personnel.

2. Physical Access Reviews. Adobe performs physical access account reviews on a quarterly basis, corrective action is taken where applicable.

3. Physical Security

a) Physical access to restricted areas of the facility is protected by walls with non-partitioned ceilings, secured entry points and/or manned reception desks.

b) All facilities require badge and/or biometric access and have 24x7 security guards. Some facilities use additional measures to prevent unauthorized individuals from tailgating authorized individuals into the facility.

c) Intrusion detection and video surveillance are installed at all facilities. Adobe may review video logs when issues or concerns arise in order to determine access.

d) Adobe power and telecommunication lines are protected from interference, interception and damage.

e) Granting physical access to an Adobe data center requires management approval and documented specification of:

(1) account type: (visitor, vendor, or regular);

(2) access privileges granted;

http://www.adobe.com/go/cloudcompliance

of 25 CONFIDENTIAL


(3) intended business purpose;

(4) visitor identification method, if applicable;

(5) temporary badge issued, if applicable;

(6) access start date; and,

(7) access duration.

f) Visitors to a facility where allowed are required to be escorted at all times and are not allowed in caged areas.

g) Visitor Access Logs are retained in accordance with Adobe’s documentation retention policy.

B. Identity and Access Management of Adobe Personnel.

1. Logical access

a) Logical access provisioning to information systems requires approval from appropriate personnel.

b) Logical access that is no longer required in the event of a termination is documented, communicated to management, and revoked.

c) Adobe performs account and access reviews on a quarterly basis, and corrective action is taken where applicable.

2. Authentication.

a) Adobe creates unique identifiers for user accounts and prevents the reuse of identifiers. Account Login parameters follow these rules:

(1) Accounts are not shared;

(2) Inactive sessions are password protected after 15 minutes; and,

(3) Accounts are locked after 5 failed login attempts.

b) User and device authentication to information systems is protected by passwords that meet Adobe's password complexity requirements. Strong password configurations adhere to the following rules:

(1) Must be at least eight characters in length;

(2) Has at least one symbol/number character between the first and last characters;

(3) Has at least one alpha character;

(4) Cannot be found in a dictionary or contain words from a dictionary (English);

of 25 CONFIDENTIAL


(5) May not include any three (3) consecutive characters from the login username; and,

(6) Must be different than the previous 10 passwords.

c) Adobe requires system users to change passwords at least every 180 days.

d) Remote connections to the corporate network are accessed via VPN through managed gateways.

3. Role Based Access Control

a) Initial permission definitions, and changes to permissions associated with logical access roles are approved by appropriate personnel.

b) Access that allows modification to source code is restricted to authorized personnel.

c) Adobe restricts the use of shared and group authentication credentials via the use of a shared secret solution. Authentication credentials for shared and group accounts are reset every 90 days.

4. Network Operations

a) Adobe maintains a dedicated Network Operations Center (NOC), which is staffed 24/7 with at least 2 dedicated personnel.

b) Network traffic to and from untrusted networks passes through a policy enforcement point; firewall rules are established in accordance to identified security requirements and business justifications.

c) Adobe uses IDSs, Firewalls and bastion hosts- Access DMZ as layers of security. Antivirus is running on all employee desktops and laptops and all email traffic is scanned for malware. Additionally, On-Demand antivirus scanning is enabled.

d) Production environments are logically segregated from non-production environments.

5. Key Management

a) Access to the cryptographic keystores is limited to authorized personnel.

C. Employee Management

1. Background Checks and Non-Disclosure Agreements

a) Adobe obtains pre-hire background check reports for employment purposes. The specific nature and scope of the report that Adobe typically seeks includes (as permitted by applicable law) may include:

(1) Educational background;

of 25 CONFIDENTIAL


(2) Work history;

(3) Court records (including criminal conviction records); and,

(4) References obtained from professional and personal associates.

b) Adobe hires employees based on a documented job description.

c) Employees are required to sign a Non-Disclosure Agreement upon employment. Adobe employees including contractors are required to sign an agreement that they will protect confidential information.

2. Training and Awareness

a) Adobe personnel including contractors complete security awareness training, which includes annual updates about relevant policies, standards, and new or modified attack vectors and how to report security events to the appropriate response team. Records of annual training completion are documented and retained for tracking purposes.

b) Annually, Adobe fulltime and temporary employees and interns complete a code of business conduct training. Anyone who is found to violate the Code of Business Conduct or other Adobe policies may be subject to disciplinary action including termination of employment or contract.

III. Integrity, availability and resilience of processing systems

A. Information Systems and Technology Management

1. Production Configuration Management

a) Adobe ensures security hardening and baseline configuration standards have been established according to industry standards and are reviewed and updated periodically.

b) Adobe uses mechanisms to detect deviations from baseline configurations on production environments.

c) Installation of software or programs in the production environment requires approval by appropriate personnel.

2. Change Management

a) Change scope, change type, and roles and responsibilities are pre-established and documented in a change control workflow. Notification and approval requirements are also pre-established based on risk associated with change scope and type.

b) Based on risk, prior to introducing changes into the production environment, approval from appropriate personnel is required based on the following:

of 25 CONFIDENTIAL


(1) Change description is documented;

(2) Impact of change;

(3) Test results are documented; and,

(4) Back-out procedures are defined.

c) Changes to the production environment are implemented by authorized personnel only.

3. Data Transfer

a) Adobe deploys dedicated network connections from its corporate offices to Adobe data center facilities in order to enable secure management of the servers.

b) All management connections to the servers occur over encrypted Secure Shell (SSH), Transport Layer Security (TLS)), or Virtual Private Network (VPN) channels for remote access always requires two-factor authentication.

c) Unless the connection originates from a list of trusted IP addresses, Adobe does not allow management access from the internet.

d) Administrative data is encrypted in transit across the internet via TLS over HTTPS between the Customer and the user interface.

4. Security Governance

a) Corporate Documents. Adobe's key business functions and information security capabilities are supported by documented procedures that are communicated to authorized personnel.

b) Information Security Management. Adobe has an established governance framework that supports relevant aspects of information security with policies and standards.

c) Security Leadership & Roles. Roles and responsibilities for the governance of Information Security within Adobe are formally documented and communicated by Management.

5. Cloud Services Systems Monitoring

a) Critical Information System Logs

(1) Adobe utilizes a centralized SIEM solution to aggregate and correlate logged events.

(2) In order to protect against unauthorized access and modification, Adobe captures network logs, operating system logs, application logs and intrusion detections events.

(3) Application user activity is logged by the application.

of 25 CONFIDENTIAL


b) Security Monitoring and Evaluation

(1) Adobe defines security monitoring alert criteria, how alert criteria will be flagged, and identifies authorized personnel for flagged system alerts.

(2) Adobe defines availability monitoring alert criteria, how alert criteria will be flagged, and identifies authorized personnel for flagged system alerts.

c) System Design Documentation

(1) Documentation of system boundaries and key aspects of their functionality are published to authorized Adobe personnel.

(2) Adobe publishes public-facing whitepapers that describe the purpose, design, and boundaries of the system and system components which are available here: https://www.adobe.com/security/resources.html.

B. Service & Product Lifecycle

1. Source Code. Source code is checked for vulnerabilities using static code analysis tools prior to being released into production.

2. Major software releases are subject to the Service Life Cycle, which requires acceptance via Concept Accept and Project Plan Commit phases prior to implementation.

C. Vulnerability Management

1. Information Systems and Technology

a) Adobe conducts vulnerability assessments, assigns risk ratings to the discovered vulnerabilities, and tracks legitimate vulnerabilities through remediation. Scan tools are updated prior to running scans.

b) At least annually, Adobe will engage with a third party to perform penetration testing , assign risk ratings to discovered vulnerabilities, and track vulnerabilities through resolution.

c) If applicable, Adobe has managed enterprise antivirus deployments and ensures the following:

(1) Signature definitions are updated;

(2) Full scans are performed periodically and real-time scans are enabled; and,

(3) Alerts are reviewed and resolved by appropriate personnel.

2. Patch Management. Adobe installs security-relevant patches, including software or firmware updates in accordance with Adobe’s patch management standard.

3. Vulnerability Reviews. Adobe reviews reasonable customer vulnerability-related inquiries.

https://www.adobe.com/security/resources.html

of 25 CONFIDENTIAL


IV. Measures for prompt recoverability and access to Personal Data

A. Incident Response. Adobe has implemented a comprehensive incident response program that includes at least the measures below and as described at the Adobe Trust Center website.

1. Adobe defines the types of incidents that need to be managed, tracked, and reported. Such management includes the following:

a) Procedures for the identification and management of incidents;

b) Procedures for the resolution of confirmed incidents;

c) Key incident response systems;

d) Incident coordination and communication strategy;

e) Contact method for internal parties to report potential incidents;

f) Support team contact information;

g) Notification to relevant Adobe management in the event of a security breach;

h) Provisions for updating and communicating the plan;

i) Provisions for training of support team;

j) Preservation of incident information; and,

k) Management review and approval (either annually or when major changes to internal organization occur).

2. Adobe responds to confirmed incidents and resolution is tracked with appropriate management channels. If applicable, Adobe coordinates the incident response with business contingency activities.

3. Adobe provides a contact method for external parties to report incidents here: https://www.adobe.com/security/incident-response.html.

B. Environmental security

1. Temperature and humidity levels of data halls are monitored and maintained at appropriate levels.

2. Emergency responders are automatically contacted when fire detection systems are activated. The design and function of fire detection and suppression systems is certified at appropriate intervals.

3. Adobe employs uninterruptible power supplies (UPS) and generators to support critical systems in the event of a power disruption or failure. The design and function of relevant equipment is certified at appropriate intervals.

C. Disaster Recovery and Business Continuity Plans

https://www.adobe.com/security/incident-response.html

https://www.adobe.com/security/incident-response.html

of 25 CONFIDENTIAL


1. Adobe maintains disaster recovery and business continuity plans and processes to allow for continuation of the services and to provide an effective and accurate recovery. [Example: backup copies of the data stock are generated by means of the following procedures: description of the intervals, media, retention period and storage location of backup copies.]

V. Processes for regular testing, assessing and evaluating the effectiveness of security measures

A. Risk Management

1. Adobe management performs an annual risk assessment. Results from risk assessment activities are reviewed to prioritize mitigation of identified risks.

2. Management assesses the design and operating effectiveness of internal controls against the established controls framework. Corrective actions related to identified deficiencies are tracked to resolution.

3. Adobe establishes internal audit requirements and executes audits on information systems and processes at planned intervals.

4. Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities.

B. Third Party Management

1. On a periodic basis, management reviews controls within third party assurance reports to ensure that they meet organizational requirements. If control gaps are identified in the assurance reports, management addresses the impact that disclosed gaps have on the organization.

2. Adobe performs a risk assessment to determine the data types that can be shared with a managed service provider.

of 25 CONFIDENTIAL


ATTACHMENT 1

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection

The entity identified as “Customer” on the License agreement and the Data Processing Agreement for Adobe Cloud Services (with EU Standard Contract Clauses to which these Standard Contractual Clauses are attached)

(the “data exporter”)

AND

Adobe Inc.

345 Park Avenue, San Jose, CA95110, USA

(the “data importer”)

each a “party”; together “the parties”

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

'the data exporter' means the controller who transfers the personal data;

'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

‘the sub-processor' means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

of 25 CONFIDENTIAL


‘the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in the Data Processing Agreement, which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

The data exporter agrees and warrants:

Obligations of the data exporter:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

of 25 CONFIDENTIAL


(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

The data importer agrees and warrants:

(a) Obligations of the data importer to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it

of 25 CONFIDENTIAL


is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix 1 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorized access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 1 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

of 25 CONFIDENTIAL


2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

of 25 CONFIDENTIAL


Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the da ta importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third -party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the

of 25 CONFIDENTIAL


confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data importer: On behalf of the data exporter:

Adobe Inc. 345 Park Avenue San Jose, CA 95110-2704 USA

Acme Corporation Inc. Road Runner Road, Coyoteville, CA78961, United States

____________________________________________________ ___________________________________________________

Authorized Signature

{{_es_signer1_signature }} ___________________________________________________ _________________ _ ___________________________________

Authorized Signature _____________________________ __________________________________________________________________________

Print Name

{{_es_signer1_fullname }} ___________________________ ____________ _______________________________________________________ __________

Print Name _______________ ________________________________________________________________________________________

Title

{{*_es_signer1_title }} _________ ____________________________ __________________________________________________________________

Title _______________________________________________________________________________________________________

Date

{{_es_signer1_date }} _________________ __________ __________________ __________________________________________________________

Date

of 25 CONFIDENTIAL


APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

Data exporter

The data exporter is identified as “Customer” on the Sales Order to which these Standard Contractual Clauses are annexed. The Customer has licensed the Adobe Cloud Services as set forth in the Sales Order.

Data importer

The data importer is Adobe Inc. who is a provider of software and services to the data exporter.

Data subjects

Data subjects may include the data exporter’s end users, customers, prospects, business partners, vendors, contractors, employees, agents, and advisors.

Categories of data

Data Importer may process the categories of Personal Data listed in the Adobe Privacy Center website: www.adobe.com/go/processing

Sensitive data

The personal data transferred may include the following categories of sensitive data, as determined at the sole discretion of the data exporter and as permitted by the Sales Order:

• Sexual preferences

• Medical or health information

• Political Opinions

• Religious beliefs

• Trade union membership

• Racial or ethnic origin

Purposes of the transfer / Processing operations

The personal data transferred will be subject to the following basic processing activities:

The processing of the personal data by Data Importer shall be to enable (1) the performance of the Adobe Cloud Services; (2) to provide any technical and customer support as requested by Data Exporter, and; (3) to fulfil all other obligations under the License Agreement.


of 25 CONFIDENTIAL


APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The data importer has implemented and will maintain appropriate technical and organizational measures to protect the Personal Data, against misuse and accidental loss or destruction as set forth in Section 7 and Annex 1 of the Data Protection Agreement (with EU Standard Contractual Clauses), and which are hereby incorporated into this Appendix 2 by reference.