Last Updated: [January 30, 2024]

This Data Processing Agreement, including its Annexes (“DPA”) is incorporated into and forms part of the Agreement between Customer, and if applicable, Customer’s Affiliates, and CuriosityCloud, and contains the legal terms and conditions that apply to the processing of Personal Data, by any of the Product. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

1. DEFINITIONS

1.1

“Agreement” means CuriosityCloud’s End User License Agreement, unless a separate agreement governing the use of the Product exists between the parties.

1.2

“Data Protection Laws” means data protection laws applicable to CuriosityCloud in its processing of Personal Data under this DPA.

1.3

“End User Data” means data that may be accessed or collected by the Product during the relationship governed by the Agreement, in the form of logs, session data, telemetry, user data, usage data, threat intelligence data, and copies of potentially malicious files detected by the Product. End User Data may include confidential data and Personal Data, such as source and destination IP addresses, active directory information, file applications, URLs, file names, and file content.

1.4

“Personal Data” means any information Processed during the provision of a Product that i) relates to an identified or identifiable natural person; or ii) is defined as “personally identifiable information”, “personal information”, “personal data” or similar terms, as such terms are defined under Data Protection Laws, including as may be used in this DPA.

1.5

“Security Incident” means any unauthorized access to any End User Data stored on CuriosityCloud’s equipment or in CuriosityCloud’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of End User Data that compromises the privacy, security or confidentiality of such End User Data.

1.6

“Controller” means an entity that determines the purposes and means of the processing of End User Data.

1.7

“Processor” means an entity that processes End User Data on behalf of a Controller.

1.8

“Sub-processor” means any entity engaged by CuriosityCloud to assist in fulfilling its obligations with respect to providing the Product pursuant to the Agreement or this DPA, insofar as such an entity processes Personal Data on behalf of CuriosityCloud. 

1.9

“Designated Product” means the CuriosityCloud Product specified in the Section 2 of the Annexes to the DPA.

2. PROCESSING OF END USER DATA

In order to provide and operate the Product to Customer and for CuriosityCloud’s legitimate interest of operating, providing, maintaining, developing, and improving security technologies and services, Customer acknowledges, agrees and grants CuriosityCloud the right to process and retain End User Data, including Personal Data, that is shared or transferred by Customer. Based on the actual use scenarios, such consents and grants may be obtained through clicking “agreed” or “accepted” online by the End User or authorized third parties of Customer, or Non-authenticated User.

3. PROCESSING OF PERSONAL DATA

3.1 Role of the Parties

As between CuriosityCloud and Customer, CuriosityCloud will process Personal Data under the Agreement and this DPA only as a Processor acting on behalf of Customer. Customer may act either as a Controller or as a Processor with respect to Personal Data.

3.2 Customer’s Processing of Personal Data

Customer shall i) comply and will continue to comply all applicable laws, including Data Protection Laws, in respect of its use of the Product; ii) ensure that any instructions provided to CuriosityCloud are at all times in accordance with Data Protection Laws; iii) process all the Personal Data in accordance with Data Protection Laws and obtain all consents and rights necessary for the Processing of Personal Data; iv) maintain at all times the accuracy, quality, and legality of Personal Data; v) provide to CuriosityCloud the minimum amount of Personal Data necessary for the provision of the Product; vi) in particular, in the scenario of providing the SaaS, Customer is responsible for forwarding its web traffic or internal traffic to CuriosityCloud via valid forwarding mechanisms that allow for automatic fail over.

3.3 CuriosityCloud’s Processing of Personal Data

Except as otherwise stated in this DPA or the Agreement, CuriosityCloud will only Process Personal Data in accordance with Customer’s documented instructions, the applicable Product privacy documentation, Data Protection Laws, and this DPA. Customer agrees that this DPA and the Agreement are its complete and final instructions to CuriosityCloud in relation to the processing of Personal Data. Processing any Personal Data outside the scope of these instructions (if any) will require prior written agreement between the parties by ways of written amendment to this DPA. CuriosityCloud shall immediately inform Customer if, in its opinion, any of the instructions violates applicable Data Protection Laws.

3.4  Details of CuriosityCloud’s Data Processing

3.4.1 Subject Matter

The subject matter of the Processing under this DPA is the Personal Data.

3.4.2 Duration

CuriosityCloud may process Personal Data under this DPA until the termination or expiration of the Agreement or cease to processing Personal Data under the Customer’s instructions.

3.4.3 Purpose

The purpose of the Processing of Personal Data under this DPA is to enable CuriosityCloud to deliver the Product and perform its obligations as set forth in the Agreement (including this DPA) or as otherwise agreed by the parties in mutually executed written form.

3.4.4 Nature of the Processing

To provide Product as described in the Agreement, CuriosityCloud will process Personal Data upon the instruction of Customer and in accordance with the terms of this DPA and the Agreement.

3.4.5 Categories of Data Subjects

Customer determines the categories and extent of any Personal Data that Customer or End User disclose to CuriosityCloud, which may include without limitation Personal Data relating to the following categories of data subjects: i) employees, contractors, consultants, and individuals belonging to Customer, or Customer’s clients’ and partners’ workforce; or ii) other individuals whose Personal Data is Processed as part of the provision of the Product.

3.4.6 Categories of Personal Data

Customer determines the categories of any Personal Data that it discloses to CuriosityCloud, which may include without limitation Personal Data relating to the following categories:

i) Identification and contact data (e.g., name, address, phone number, title, email, other contact details);

ii) Employment details (e.g., job title, role, manager);

iii) IT information (e.g., entitlements, IP addresses and ports, username, usage data, cookies data, online identifiers);

iv) Domain and device information (e.g., MAC address, host names, International Mobile Subscriber Identity (IMSI), and qualified host names);

v) Information contained in logs related to security events identified and captured by Products; and/or

vi) Unstructured data provided to CuriosityCloud for the purpose of providing support services (e.g., packet capture for file testing).

3.4.7 Sensitive data transferred (if applicable)

When Processing Personal Data, CuriosityCloud may process sensitive Personal Data. The nature and scope of the sensitive data that is transferred may not be known until after the Processing has taken place and may include: Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

3.4.8 Frequency

The transfer of information between the parties to facilitate CuriosityCloud’s processing on behalf of Customer will occur as needed until the termination of the Agreement.

3.4.9 Retention and Deletion

: CuriosityCloud shall process and retain Personal Data no longer than necessary for the purposes for which it is processed. Upon termination of this DPA or the Agreement, CuriosityCloud shall: i) delete Personal Data that is no longer necessary to carry out for any of the purposes under this DPA or the Agreement; or ii) upon Customer’s request, provide options to return or erase, destroy, and render unrecoverable the Personal Data, where reasonably possible.

4. Sub-Processors

As part of the provision of a Product, CuriosityCloud may engage Sub-processors identified in the applicable Annex to this DPA or other applicable Product documentation for the relevant Product to process the Personal Data on its behalf. Customer consents to CuriosityCloud engaging Sub-processors to process Personal Data under this DPA and the Agreement. In the event CuriosityCloud engages any new sub-processor, CuriosityCloud will:

4.1

Update our Sub-processors list on a regular basis and will provide it to Customer upon written request by Customer. If Customer objects to a new sub-processor, CuriosityCloud will then endeavor to offer alternate options for the delivery of the relevant Product that do not involve the new Sub-processor, without prejudice to any of Customer’s termination rights;

4.2

Enter into an agreement with each Sub-processor that imposes data protection terms as stringent as those set forth in this DPA; and

4.3

Remain responsible for the Sub-processor’s compliance with this DPA and for any acts or omissions of the Sub-processor that cause CuriosityCloud to breach any of its obligations under this DPA.

5. SECURITY

5.1 Safeguarding Confidentiality and Security of Personal Data

CuriosityCloud will implement practices and maintain appropriate technical and organizational security measures to protect against Personal Data Incidents and to preserve the security and confidentiality of Personal Data processed by CuriosityCloud on behalf of Customer in the provision of the Product. The security measures are subject to technical progress and development. CuriosityCloud may update or modify the security measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Product purchased by the Customer. 

5.2 Customer’s Responsibilities

Customer is responsible for i) secure and appropriate use and configuration of the Product, including making appropriate use of the Product to ensure a level of security appropriate to the risk in respect of the Personal Data; ii) reviewing the DPA and evaluating for itself whether the Product and CuriosityCloud’s commitments under this DPA will meet Customer’s needs, including with respect to any obligations of Customer under Data Protection Laws as applicable. 

5.3 Confidentiality of Processing

CuriosityCloud shall ensure that any person who is authorized by CuriosityCloud to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). 

5.4 Security Incident

CuriosityCloud shall implement and maintain an incident response plan that specifies actions, including containment, investigation, reporting, and remediation, to be taken in the event of a Security Incident. Upon confirming that a Security Incident has occurred, CuriosityCloud shall within 72 hours: i) taking into account the nature of CuriosityCloud’s processing of Personal Data and the information available to CuriosityCloud, notify the Customer; ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and iii) promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. CuriosityCloud shall reasonably cooperate with Customer in any post Security Incident communication efforts.

6. COOPERATION

6.1 Data Subject Requests

CuriosityCloud shall provide reasonable assistance to Customer to comply with its obligations with regard to data subject rights under applicable Data Protection Laws, taking into account the nature of the data processing and the information available to CuriosityCloud. If CuriosityCloud or any Sub-processor (if applicable) receives a request or a complaint from a data subject or its representative, including requests regarding the data subject’s rights under applicable Data Protection Laws, CuriosityCloud will forward the request without undue delay to Customer for handling unless CuriosityCloud is required by law to address that request.

6.2 Government Request for Personal Data

If a law enforcement agency sends CuriosityCloud a demand for Personal Data relating to the data subject, CuriosityCloud will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, CuriosityCloud may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Data Subject Personal Data to a law enforcement agency, then CuriosityCloud will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedies to the extent CuriosityCloud is legally permitted to do so. CuriosityCloud will only make an exception to its Customer notification commitments in emergency circumstances where notice could, in CuriosityCloud sole discretion, result in danger or harm to an individual or group. 

6.3

If CuriosityCloud is legally required to respond to a request enumerated in Sections 6.1 and 6.2, CuriosityCloud will notify the Customer and provide it with the contact information of the requesting party unless legally prohibited from doing so by applicable law.

6.4 DPIAs and Prior Consultations

Taking into account the nature of the processing and information available to CuriosityCloud, CuriosityCloud shall provide reasonably requested information regarding the Product to enable the Customer to carry out data protection impact assessments (“DPIA”). CuriosityCloud shall provide reasonable assistance to Customer in the cooperation or prior consultations with supervisory authorities or other competent regulatory authorities, which the Customer reasonably considers to be required by Data Protection Laws.

6.5

For all instances in this Section 6, should CuriosityCloud determine in good faith that the request for assistance is unreasonable, overly burdensome, and outside of industry expectation for assistance with each respective matter, CuriosityCloud and Customer agree to discuss in good faith a fee to be charged to Customer for the support provided outside of the reasonable level of support.

7. LIMITATION OF LIABILITY

The liability of each party and each party’s Affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement and shall not be modified by this DPA. Any claims brought by a party or its Affiliates under this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the exclusions and limitations set forth in the Agreement.

8. JURISDICTION ADN PRODUCT SPECIFIC ANNEXES

8.1

Attached to this DPA are specific Annexes applicable to Customer located in different jurisdictions in respect of different designated Products and the Parties agree to incorporated the applicable Annex by reference to this Agreement.

8.2

If the Customer is located in the EEA, please refer to the ANNEX 1 for details of data processing activity for the Designated Product;

8.3

If the Customer is located outside of the EEA, please refer to the ANNEX 2 for details of data processing activity for the Designated Product.

8.4

PLEASE CAREFULLY READ AND FULLY UNDERSTAND ALL TERMS AND CLAUSES OF THE APPLICABLE ANNEX BEFORE USING THE DESIGNATED PRODUCT AND YOUR ACCEPTANCE APPLIED TO THE AGREEMENT WILL BE TAKEN AS EQUALLY SIGNING AND EFFECTUATING THE APPLICABLE ANNEX. In the event of a conflict or inconsistency between this DPA and the Annex, the Annex applicable shall prevail with respect to Data from that relevant jurisdiction and the Designated Product, but solely with regard to the portion of the provision in conflict or inconsistency.

9. GENERAL

9.1 Conflict of Terms

In the event of any conflict between the terms of this DPA and any privacy-related provisions in the Agreement, the terms of this DPA shall prevail.

9.2 Update to this DPA

CuriosityCloud may modify the terms of this DPA as provided in the Agreement, in circumstances such as i) if required to do so by a supervisory authority or other government or regulatory entity, ii) if necessary to comply with Data Protection Law, or iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Data Protection Law. CuriosityCloud will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on the Product’s interface if not specified in the Agreement.

9.3 Language

This Agreement is prepared and executed in English. Any other language version (if applicable) of this Agreement is provided for reference only. In the event of any inconsistency between the English version and the other version, the English version shall prevail.

9.4 Contacting CuriosityCloud

If Customer has any further question about this DPA, or have any request or query for End User Data, Customer can always contact CuriosityCloud by e-mail: privacy@curiositycloud

ANNEX 1
CURIOSITYCLOUD CLOUD PLATFORM ANNEX (EEA)

1. PURPOSE

The purpose of this document is to provide Customer with the information that how Personal Data may be transferred to or processed by CuriosityCloud.

2. PRODUCT SUMMARY

CuriosityCloud Cloud Platform (SCP) is a comprehensive, safe and reliable cloud management platform that can support the Customer to manage multiple data centers in different areas and to manage the resources by connecting the infrastructure resources with the managed data centers. The SCP supports the account creation based on different roles, which can help the Customer to carry out hierarchical management in accordance with the organization structure, and it can also provide multi-functions to support the Customer in carrying out flexible and efficient management of data centers and infrastructure resources, so that the Customer can deploy and configure the SCP platform in accordance with their actual needs.

3. INFORMATION PROCESSED BY CURIOSITYCLOUD

Based on the upgrade and update needs of SCP, the Customer has to transfer log data such as product name, device ID, serial number ID, authorization information, version detail information, patch upgrading information, signature and authentication information to CuriosityCloud for processing.

4. INFORMATION PROCESSED BY THE CUSTOMER

Data processed by the Customer using the Product will be synchronously stored in the local servers or databases where the Product is deployed by the Customer, which may contain relevant operational records as well as some business data that the Customer may access and process as needed. The Information processed in the Customer’s local environment is as follows:

4.1

In order to record the Customer’s use of the SCP, the information about operations performed by the Customer administrator on the management platform will be collected and transferred to CuriosityCloud, which may include the user ID, specific operation behaviors, platform page information, and information about the functions and performance of the browser used by the administrator, etc.

4.2

If the Customer deploys CuriosityCloud Self-built Cloud, the data center resources provided by CuriosityCloud can be used to provide disaster recovery service for the Customer’s local data center or infrastructure resources, and the data involved in enabling the disaster recovery function may include: disaster recovery resource information, task and policy configuration information, link information, operation log information, recovery plan settings, and information about the actual recovery status, etc. Based on user authentication requirements, it may also involve the Customer name, login password, and authentication information.

4.3

If the Customer deploys and enables a cloud host security protection component (the Component) for the purpose of enhancing SCP security protection capacity, the following data will be transferred to CuriosityCloud for processing:

4.3.1

Information relating the the Component: Software and hardware version and authorization information (such as version number, serial number, gateway ID, hardware model), component and terminal client ID, asset number, MAC address and other basic information, port opening information (including port number and protocol), detailed information on accessed terminal number and authorization, function enablement and specific configurations, IP address information, high-risk profile information and other usage configuration information, process List (process ID, process name), running status information (CPU utilization, memory utilization and disk utilization), list of SSH (anomalous) accounts, information on processes with security risks or other anomalies (information on the execution commands of the processes identified as suspicious or malicious, bt/core files, kernel crash dump files, etc.), detailed information on vulnerabilities, list of installed/to be installed patches, component service restart records (service name, start time point, end time point), terminal function operation (operation data of each function module/rule base and error logs, dump information, restart time of each service module) etc., the administrator’s operation record information, the security audit logs of the system (Shell operation logs, SSH logs, dmesg logs, secure logs), WAF logs, service logs and other log data, as well as other information related to the use of component configuration or security status.

4.3.2

Personal data relating the the function of the Component:

Ÿ  Basic personal information: name, contact telephone number, e-mail address, work number of the administrator and the responsible personnel for the terminal.

Ÿ  Network identification information: terminal computer name, host name, operating system account, IP address;

Ÿ  Terminal device information: serial number, MAC address (or unique identification information such as terminal ID generated by MAC) of the terminal device, asset name and ID of the terminal device, business group to which it belongs, asset code, information on the location of the asset, name, version, and patch information of the installed software, information on the operating system (name, version, patch information, coredump information and source file), and information on the resources of the terminal device, such as CPU, memory, and disk.

Ÿ  Terminal device usage record information: identification of domain name access information that poses a security risk, information on processes running on terminal device (including process name, process ID, path to executable file, process command line, process user name, name of software corresponding to the process, process running time, occupied resources, total number of processes, etc.).

Ÿ  Other data that may contain personal data: such as file-related details, including basic information such as file name, format, size, path, creation and modification time, as well as specific content information of some files that are detected as security threats/risks according to product policies, such as the content of binary executable files in PE/ELF format, the content of script files in various formats (including JSP, ASP/ASPX, PHP, VBS JS, XML, Python, VB source files, Lua, Perl, Ruby, Lisp, Bat, powershell, Linux Shell/Bash, Autorun, shortcuts, registry files, Mach-O executable files); for office documents, only macros are extracted and VBA code is uploaded, not the original content of the document; for PDF documents, only JavaScript code is uploaded, not the original content of the document.

Regarding the data processed locally by the Customer using the Products, CuriosityCloud will not, without the Customer’s authorization or consent, access the data in any way or interfere with the Customer’s self-management.

5. RETENTION

5.1

Data transferred to CuriosityCloud is retained on the third party’s data center and will be retained for the period agreed upon by the Party or in accordance with relevant laws or regulations.

5.2

During the above-mentioned data retention process, CuriosityCloud will engage ForeNova Technologies GmbH as the Sub-processor for the purpose of the provision of the data center’s infrastructure and daily maintenance. CuriosityCloud will ensure that the engagement of the Sub-processor is performed in accordance with Section 4 of the DPA and CuriosityCloud will be responsible for the Sub-processor’s compliance with this DPA and for any acts or omissions of the Sub-processor that cause CuriosityCloud to breach any of its obligations under this DPA.

5.3

If we need to transfer any personal information outside of the EEA for the purpose of conducting cross-border business, we will obtain the Customer’s consent in advance and transfer the personal information in accordance with the European General Data Protection Regulation.

6. ACCESS AND DISCLOSURE}

6.1 Access by Customer:

Data and logs stored on Customer’s premises can only be accessed by Customer’s administrator and users authorized by the administrator.

6.2 Access by CuriosityCloud:

Data processing by CuriosityCloud is mostly automated, and access by CuriosityCloud is restricted occurs when required to troubleshoot an Customer support inquiry or address issues related to the service.

7. COMPLIANCE WITH DATA PROTECTION LAWS

CuriosityCloud is committed to protecting personal data processed by CuriosityCloud. CuriosityCloud will not access the content of the files in a way in which CuriosityCloud could acquire meaningful information about natural persons, other than in exceptional cases where it is necessary for identifying security threats.

8. ABOUT THIS DOCUMENT

The information provided with this privacy policy that concerns technical or professional subject matter is for general awareness only, may be subject to change, and does not constitute legal or professional advice, nor warranty of fitness for a particular purpose or compliance with applicable laws.

ANNEX 2
CURIOSITYCLOUD CLOUD PLATFORM ANNEX (NON-EEA)

1. PURPOSE

The purpose of this document is to provide Customer with the information that how Personal Data may be transferred to or processed by CuriosityCloud.

2. PRODUCT SUMMARY

CuriosityCloud Cloud Platform (SCP) is a comprehensive, safe and reliable cloud management platform that can support the Customer to manage multiple data centers in different areas and to manage the resources by connecting the infrastructure resources with the managed data centers. The SCP supports the account creation based on different roles, which can help the Customer to carry out hierarchical management in accordance with the organization structure, and it can also provide multi-functions to support the Customer in carrying out flexible and efficient management of data centers and infrastructure resources, so that the Customer can deploy and configure the SCP platform in accordance with their actual needs.

3. INFORMATION PROCESSED BY CURIOSITYCLOUD

3.1

Based on the upgrade and update as well as maintenance and operation needs of SCP, the Customer has to transfer log data such as product name, device ID, serial number ID, authorization information, version detail information, patch upgrading information, device protection logs, ssh login logs of the operating system of the virtual machine of SCP, operation audit logs, as well as information that the Customer submits to CuriosityCloud such as name and mobile phone number, signature and authentication information to CuriosityCloud for processing. 

3.2

In order to understand the Customer’s use of the SCP so as to continuously optimize the platform performance and interface design, the information about operations performed by the Customer administrator on the management platform will be collected and transferred to CuriosityCloud, which may include the user ID, specific operation behaviors, platform page information, and information about the functions and performance of the browser used by the administrator, etc.

3.3

If the Customer deploys CuriosityCloud Managed Cloud solution, the data center resources provided by CuriosityCloud can be used to provide disaster recovery service for the Customer’s local data center or infrastructure resources, and the data involved in enabling the disaster recovery function may include: disaster recovery resource information, task and policy configuration information, link information, operation log information, recovery plan settings, and information about the actual recovery status, etc. Based on user authentication requirements, it may also involve the Customer name, login password, and authentication information.

3.4

If the Customer deploys and enables a cloud host security protection component (the Component) for the purpose of enhancing SCP security protection capacity, the following data will be transferred to CuriosityCloud for processing:

3.4.1

Information relating the the Component: Software and hardware version and authorization information (such as version number, serial number, gateway ID, hardware model), component and terminal client ID, asset number, MAC address and other basic information, port opening information (including port number and protocol), detailed information on accessed terminal number and authorization, function enablement and specific configurations, IP address information, high-risk profile information and other usage configuration information, process List (process ID, process name), running status information (CPU utilization, memory utilization and disk utilization), list of SSH (anomalous) accounts, information on processes with security risks or other anomalies (information on the execution commands of the processes identified as suspicious or malicious, bt/core files, kernel crash dump files, etc.), detailed information on vulnerabilities, list of installed/to be installed patches, component service restart records (service name, start time point, end time point), terminal function operation (operation data of each function module/rule base and error logs, dump information, restart time of each service module) etc., the administrator’s operation record information, the security audit logs of the system (Shell operation logs, SSH logs, dmesg logs, secure logs), WAF logs, service logs and other log data, as well as other information related to the use of component configuration or security status.

3.4.2

Personal data relating the the function of the Component:

Ÿ  Basic personal information: name, contact telephone number, e-mail address, work number of the administrator and the responsible personnel for the terminal.

Ÿ  Network identification information: terminal computer name, host name, operating system account, IP address;

Ÿ  Terminal device information: serial number, MAC address (or unique identification information such as terminal ID generated by MAC) of the terminal device, asset name and ID of the terminal device, business group to which it belongs, asset code, information on the location of the asset, name, version, and patch information of the installed software, information on the operating system (name, version, patch information, coredump information and source file), and information on the resources of the terminal device, such as CPU, memory, and disk.

Ÿ  Terminal device usage record information: identification of domain name access information that poses a security risk, information on processes running on terminal device (including process name, process ID, path to executable file, process command line, process user name, name of software corresponding to the process, process running time, occupied resources, total number of processes, etc.).

Ÿ  Other data that may contain personal data: such as file-related details, including basic information such as file name, format, size, path, creation and modification time, as well as specific content information of some files that are detected as security threats/risks according to product policies, such as the content of binary executable files in PE/ELF format, the content of script files in various formats (including JSP, ASP/ASPX, PHP, VBS JS, XML, Python, VB source files, Lua, Perl, Ruby, Lisp, Bat, powershell, Linux Shell/Bash, Autorun, shortcuts, registry files, Mach-O executable files); for office documents, only macros are extracted and VBA code is uploaded, not the original content of the document; for PDF documents, only JavaScript code is uploaded, not the original content of the document.

4. INFORMATION PROCESSED BY THE CUSTOMER

Data processed by the Customer using the Product will be synchronously stored in the local servers or databases where the Product is deployed by the Customer, which may contain relevant business data that the Customer may access and process as needed. Regarding the data processed locally by the Customer using the Products, CuriosityCloud will not, without the Customer’s authorization or consent, access the data in any way or interfere with the Customer’s self-management.

5. RETENTION

Data transferred to CuriosityCloud is retained in CuriosityCloud’s data center located in Customer’s jurisdiction and will be retained for the period agreed upon by the Party or in accordance with relevant laws or regulations.

6. ACCESS AND DISCLOSURE

6.1 Access by Customer:

Data and logs stored on Customer’s premises can only be accessed by Customer’s administrator and users authorized by the administrator.

6.2 Access by CuriosityCloud:

Data processing by CuriosityCloud is mostly automated, and access by CuriosityCloud is restricted occurs when required to troubleshoot an Customer support inquiry or address issues related to the service.

7. COMPLIANCE WITH DATA PROTECTION LAWS

CuriosityCloud is committed to protecting personal data processed by CuriosityCloud. CuriosityCloud will not access the content of the files in a way in which CuriosityCloud could acquire meaningful information about natural persons, other than in exceptional cases where it is necessary for identifying security threats.

8. ABOUT THIS DOCUMENT

The information provided with this privacy policy that concerns technical or professional subject matter is for general awareness only, may be subject to change, and does not constitute legal or professional advice, nor warranty of fitness for a particular purpose or compliance with applicable laws.