This Data Processing Agreement (“DPA”) concluded by Bitdefender SRL (“Bitdefender”) and Business Client of the applicable Bitdefender Solutions (“Client”/ “You”) is hereby incorporated into and supplements the License and Services Agreement for Bitdefender Business Solutions (“Agreement”) between the two parties and aims to clarify the roles and responsibilities for data protection from both parties, based on obligations imposed by the EU Regulation 2016/279 (GDPR). 

This DPA shall apply only for the following Bitdefender Solutions where we are a data processor of the Personal Data collected through our solutions: Bitdefender Integrity Monitoring, Bitdefender GravityZone Security for Mobile Solution, Bitdefender Offensive Services, Bitdefender GravityZone Cloud Security. 

DISCLAIMER: The DPA does not cover the processing of personal data by Bitdefender within Bitdefender GravityZone and other Bitdefender Solutions, including the processing of Personal Data through the Console even for the above- mentioned solutions and where Bitdefender will act only as a Data Controller or joint Data Controller. 

Such data collection and processing are covered by the Privacy Policy for Business Solutions and Privacy Notice for business contacts listed on Bitdefender’s website.   

The DPA is formed of two parts: A. Key Terms of DPA and B. General Terms and Conditions of DPA.

In the context of this DPA, Client is the Data Controller and Bitdefender is the Data Processor for all the personal data as defined by GDPR which is collected and processed by certain Bitdefender Services and solutions as stated herein:

   A. Key terms of DPA

   1. Categories of Data Subjects: Client’s employees, representatives, customers, vendors, and/or any other business contacts including senders and recipients of emails, as applicable. 

   2. Collected Data by Bitdefender for each of the Bitdefender Solution or service where Bitdefender acts as a processor. 

   2.1 Collected Data for Bitdefender Integrity Monitoring:

- Technical data: file path or folder path 

- other user interaction with an event defined in GravityZone Integrity Monitor Add-on (e.g. end user opening/modifying/changing attributes/deleting an entity – defined folder, files, registry values, path, install software and services)

Other data that are only technical data and may not directly or indirectly be linked to a data subject, other than link it with the data above, may also be collected according to the details in the technical specifications of the product. 

There is no sensitive data presumed to be collected.

Retention: Personal Data is retained for 1 week by default. The retention period may be extended to 3, 6 or 12 months; the Client selects the specific option.

2.2 Collected Data for Bitdefender GravityZone Security for Mobile Solution:

2.2.1  Basic Personal Data: user name - usually an email address, device type/model and a device id (unique per installation) are collected via invitation links or QR codes sent by the Client or with an MDM integration. In the latter case more data (such as name and surname) may be collected, if the Client decides so.  

The Client  may instruct to collect less data by using the “Anonymous User” feature which will add several users under the same username. 

There are no special categories of Personal Data presumed to be collected.  

2.2.2 Device data: In order to perform the necessary functions, the minimum data collected includes operating system, device model and IP address. 

Please note that in case of data subjects that are not added with an MDM integration, the data collection might also be limited by the specific app permissions allowed by the data subject.  

Depending on the privacy settings enabled by the Client and the Policies activated (with their specific settings),  other personal data can also be collected from the device, as explained below:

2.2.3 Android Devices: Operating System, Model, IP Address, Certain configuration data of the device, such as whether the device is configured to allow root access or whether hardware restrictions of the device have been removed; Running Processes (optional): The list of processes currently running on the device;  

Connection Details (Optional): This information is provided, if requested: 

o SSID: Android shows the network name (SSID) of the connected network.  

o BSSID: Android shows the BSSID of the connected network. 

o External IP Address: External IP address for the user’s device.  

o Gateway IP address: Gateway IP address for the user’s device. 

o Gateway MAC address: MAC address for the gateway for the user’s device.  

o Nearby Wi-Fi networks: Android shows the network name (SSID) and BSSID of the nearby wi-fi networks. 

o ARP table of the device: This includes all local hosts in the LAN that interacted with the device.  

o Route table of the device: This includes every IP the device contacted with the default gateway for each one. 

● Carrier Information: Name of the Carrier. (Optional) ● Attacker network details including IP and MAC addresses: IP address of the attacker’s device and MAC address of the attacker’s device. (Optional) ● Risky or Unapproved Sites (Optional) - List of malicious URLs visited by the user (based on Client’s policies) 

● Location: This information is shown at Street/City/Country, if requested. (Optional) – depending on specific app permissions allowed by the data subject in case of non-MDM integrations.  

The same data can also be collected for Security for Chrome, which may also scan (and disable) malicious Chrome extensions.

2.2.4 iOS Devices: Operating System, Model, IP Address  

Connection Details (Optional): This information is provided, if requested:

o SSID: iOS shows the network name (SSID) of the current connected network.  

o BSSID: iOS shows the BSSID of the current connected network. 

o External IP Address: External IP address for the user’s device.  

o Gateway IP address: Gateway IP address for the user’s device. 

o Gateway MAC address: MAC address for the gateway for the user’s device.  

o Nearby Wi-Fi networks: iOS shows the network name (SSID) and BSSID of the nearby wi-fi networks. 

o ARP table of the device: This includes all local hosts in the LAN that interacted with the device.  

o Route table of the device: This includes every IP the device contacted with the default gateway for each one. 

● Carrier Information: Name of the Carrier. (Optional) ● Attacker IP and MAC addresses: IP address of the attacker’s device and MAC address of the attacker’s device. (Optional) ● Risky or Unapproved Sites (Optional) - List of malicious URLs visited by the user (based on Client’s policies 

● Location: This information is shown at Street/City/Country, if requested. (Optional) – depending on specific app permissions allowed by the data subject in case of non-MDM integrations.  

2.2.5  Threat detection data 

In case of threat detection, the following data is collected:  

• Device data as mentioned above. 

• Threat forensics (Optional) (for example the name and bundle ID of the sideloaded app or suspicious app detected on the device. This may also include application binaries), Location of Device (If allowed by user and settings), IP address  

• For iOS, App inventory (Optional) (list of App and App version) is gathered from MDM and App analysis (Malware and Risk Analysis) is performed on this list and provided back to User/Console 

• For Android, App inventory (Optional) (list of App and App version) is fetched directly from devices and App analysis (Malware and Risk Analysis) is performed on this list and provided back to User/Console 

2.2.6 Other technical data 

Other data that are only technical data and may not directly or indirectly be linked to a data subject, other than link it with the data above, may also be collected according to the details in the technical specifications of the product. This will include:  

• Data from tracking tools used to analyze product performance on the device; and 

• System monitoring data such as memory utilization, process metrics, network statistics (but no data like web pages or emails), and other non-user-identifiable type monitoring values.  

Data is collected and processed at the device level and, depending on the appropriate privacy settings and/or Policies, it may also be displayed in the GravityZone console.

Retention: by default, Personal Data is retained for the duration of the Agreement and maximum 90 days after the termination.  

The retention period may be changed if both parties agree on different terms.

2.3 Collected Data for Bitdefender Offensive Services:

Depending on data that is disclosed by the system or application of the Client that is subject of the services, the categories of personal data may include: 

- Technical data of these devices or applications (e.g. IP, MAC Address, configuration data, running processes, system/network information). In most cases, these technical data may not lead to the direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific device. Therefore, we treat all such information as personal data and protect it as such. Other data that are only technical data and may not directly or indirectly be linked to a data subject, other than link it with the data above, may also be collected according to details in the technical specifications of the product and the specified tools;

- other basic personal data (for example, username, email address or even name and surname) could be inadvertently or incidentally processed during the dynamic provisions of the services;

In case of Red Teaming services, personal data may be collected from publicly available sources (such as social media profiles, OSINT tools) and may additionally include: password and/or password hashes, email addresses, name, job title, LinkedIn profile URL, cookies/session tokens, system/network information.

There is no sensitive personal data presumed to be processed, except if otherwise specifically instructed by the Client.

Retention: By default, the Personal Data is being retained for the entire duration of the business relationship and maximum 3 years after the agreement expires.

The retention period may be changed, if both parties agree on different terms. 

2.4 Collected Data for Bitdefender GravityZone Cloud Security:

Depending on data that is disclosed by the system or application of the Client that is subject of the services, the categories of personal data include: 

- name, email and other technical data associated with these devices or users (e.g. AWS instance ID, AWS username or similar data from other cloud providers, depending on integration) In most cases, these technical data may not lead on their own to the direct or indirect identification, but in some very specific cases computer specialists might be able to identify a specific device. Therefore, we treat all such information as personal data and protect it as such. Other data that are only technical data and may not directly or indirectly be linked to a data subject, other than link it with the data above, may also be collected according to the details in the technical specifications of the product, but they will always be presented in/from the Bitdefender Cloud Security console;

There is no sensitive data presumed to be processed.

Retention: By default, the Personal Data is being retained for the entire duration of the contract and maximum 60 days after the agreement expires.

The retention period may be changed, if both parties agree on different terms.

B. General Terms and Conditions of DPA

The present DPA is governed by the provisions of the General Terms and Conditions of the DPA published on Bitdefender website: lhttps://www.bitdefender.com/site/view/general-terms-and-conditions-of-data-processing-agreement.html  

In case of contradiction between sections A. Key terms of DPA and B. General Terms and Conditions of DPA, the provisions of Key Terms of DPA shall prevail. If there are any other terms regarding processing of Personal Data under the Agreement or other documentation provided or requested by the Client that contradict the provisions of the DPA, the provisions of DPA shall prevail.