|
CrowdStrike Form May 27 2019 13 of 17
<br />
<br />Exhibit A: Data Security and Privacy Schedule
<br />
<br />1. Definitions
<br />a. “CrowdStrike Systems” means those computer systems hosting the ‘Falcon EPP Platform’.
<br />b. “Customer Data” means the data generated by the Customer’s Endpoint and collected by: (i) the Products,
<br />and/or (ii) the CrowdStrike Tools, and in either case, sent to the CrowdStrike Systems. Customer Data is
<br />considered Customer’s Confidential Information (defined in Section 7 Confidentiality) and subject to the
<br />exclusions, exceptions and obligations set forth therein and this Exhibit A Data Security and Privacy
<br />Schedule.
<br />c. “Execution Profile/Metric Data” means any machine-generated data, such as metadata derived from
<br />tasks, file execution, commands, resources, network telemetry, executable binary files, macros, scripts,
<br />and processes, that: (i) Customer provides to CrowdStrike in connection with this Agreement or (ii) is
<br />collected or discovered during the course of CrowdStrike providing Offerings, excluding any such
<br />information or data that identifies Customer or to the extent it includes Personal Data.
<br />d. “Personal Data” means information provided by Customer to CrowdStrike or collected by CrowdStrike
<br />from Customer used to distinguish or trace a natural person’s identity, either alone or when combined with
<br />other personal or identifying information that is linked or linkable by CrowdStrike to a specific natural person.
<br />Personal Data also includes such other information about a specific natural person to the extent that the
<br />data protection laws applicable in the jurisdictions in which such person resides define such information as
<br />Personal Data.
<br />e. “Privacy and Security Laws” means U.S. federal, state and local and non-U.S. laws, including those of
<br />the European Union, that regulate the privacy or security of Personal Data and that are directly applicable
<br />to CrowdStrike.
<br />f. “Security Breach” means unauthorized access to, or unauthorized acquisition of : (i) Customer Data, or
<br />(ii) Personal Data, stored on CrowdStrike Systems that results in the compromise of such Customer Data
<br />and/or Personal Data.
<br />g. “Threat Actor Data” means any malware, spyware, virus, worm, Trojan horse, or other potentially
<br />malicious or harmful code or files, URLs, DNS data, network telemetry, commands, processes or
<br />techniques, metadata, or other information or data, in each case that is potentially related to unauthorized
<br />third parties associated therewith and that: (i) Customer provides to CrowdStrike in connection with this
<br />Agreement, or (ii) is collected or discovered during the course of CrowdStrike providing Offerings, excluding
<br />any such information or data that identifies Customer or to the extent that it includes Personal Data.
<br />
<br />2. Falcon Platform
<br />The ‘Falcon EPP Platform’ uses a crowd-sourced environment, for the benefit of all customers, to help customers
<br />protect themselves against suspicious and potentially destructive activities. CrowdStrike’s Products are designed
<br />to detect, prevent, respond to, and identify intrusions by collecting and analyzing data, including machine event
<br />data, executed scripts, code, system files, log files, dll files, login data, binary files, tasks, resource information,
<br />commands, protocol identifiers, URLs, network data, and/or other executable code and metadata. Customer,
<br />rather than CrowdStrike, determines which types of data, whether Personal Data or not, exist on its systems.
<br />Accordingly, Customer’s endpoint environment is unique in configurations and naming convention s and the
<br />machine event data could potentially include Personal Data. CrowdStrike uses the data to: (i) analyze,
<br />characterize, attribute, warn of, and/or respond to threats against Customer and other customer, (ii) analyze
<br />trends and performance, (iii) improve the functionality of, and develop, CrowdStrike’s products and services, and
<br />enhance cybersecurity; and (iv) permit Customers to leverage other applications that use the data, but for all of
<br />the foregoing, in a way that does not identify Customer or Customer’s Personal Data to other customers. Neither
<br />Execution Profile/Metric Data nor Threat Actor Data are Customer’s Confidential Information or Customer Data.
<br />
<br />3. Processing Personal Data
<br />a. Provisioning/Use of Offerings. Personal Data may be collected and used during the provisioning and use
<br />of the Offerings to deliver, support and improve the Offerings, administer the Agreement and further the
<br />business relationship between Customer and CrowdStrike, comply with law, act in accordance with
<br />Customer’s written instructions, or otherwise in accordance with this Agreement. Customer authorizes
<br />CrowdStrike to collect, use, store, and transfer the Personal Data that Customer provides to CrowdStrike
<br />as contemplated in this Agreement.
<br />
<br />DocuSign Envelope ID: 15D73919-3C2B-4FD5-B1D4-12D3A740401FDocuSign Envelope ID: 8CCC378C-D84F-4D9F-BAF3-FB77653C088ADocuSign Envelope ID: BA2C0343-56AA-4434-92F9-D28AEB96D976
|