Data Processing Agreement for Jamf Customers

1. Subject Matter of this DPA. This DPA supplements either Jamf’s Software License and Services Agreement or such other negotiated agreement (as applicable) between the Parties pursuant to which Jamf provides Software and/or Services to Customer, along with any subsequent amendments or orders (the “Agreement”). It is applicable when Data Protection Laws apply to Customer’s use of the Services to Process Personal Data. In consideration of the mutual obligations hereto, the Parties agree that the terms of this DPA will form part of the Agreement, which shall remain in full force and effect except as modified below.

2. Definitions. The following defined terms are used in this DPA, together with other terms defined herein.

  a) “Data Protection Laws” means all applicable data protection, privacy, and cyber security laws, rules and regulations of any country, including (where applicable and without limitation) the GDPR, the UK GDPR, the Swiss Data Protection Act, data protection laws of the European Union (“EU”), European Economic Area (“EEA”) member states or the United Kingdom (“UK”) that supplement the GDPR or UK GDPR (respectively), and the California Consumer Privacy Act of 2018 (“CCPA”).

  b) “Data Subject” means the individual to whom the Personal Data relates, which is Processed for the performance of the Agreement by Jamf.

  c) “GDPR” means the EU General Data Protection Regulation 2016/679.

  d) “EEA Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data in countries not otherwise recognised as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time) as set out in Schedule 4.

  e) “ex-EEA Transfer” means a processing activity whereby Personal Data which is Processed in accordance with the GDPR is transferred from the Customer to Jamf (or its premises) outside the EEA, and such transfer is not governed by an adequacy decision made by the European Commission in accordance with the relevant provisions of the GDPR.

  f) “ex-UK Transfer” means a processing activity whereby Personal Data which is Processed in accordance with the UK Data Protection Laws is transferred from the Customer to Jamf (or its premises) outside the UK, and such transfer is not governed by an adequacy decision made by the Secretary of State in accordance with the relevant provisions of the UK GDPR.

  g) “Personal Data” means any personal data (as defined in applicable Data Protection Laws) Processed by Jamf (or any Subprocessor) as part of Jamf’s performance of the Agreement or provision of the Services to Customer.

  h) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, transmitted, stored, or otherwise Processed.

  i) “Processing” or “Process” means any operation or set of operations that is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure, or destruction.

  j) “Secretary of State” means the Secretary of State in the United Kingdom.

  k) “Services” means the same services that Jamf provides to Customer as defined in the Agreement.

  l) “Standard Contractual Clauses” or “SCCs” means the EEA Standard Contractual Clauses and/or the UK Standard Contractual Clauses.

Jamf Customer DPA V10182021

  m) “Subprocessor” means any person or entity appointed by or on behalf of Jamf that Processes Personal Data.

  n) “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018. Where the UK GDPR applies to the Processing of Personal Data under this DPA, references in this DPA to the GDPR and to provisions of the GDPR shall be construed as references to the UK GDPR and to the corresponding provisions of the UK GDPR, and references to EU or Member State law shall be construed as references to UK law.

  o) “UK Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission for transfers of Personal Data in countries not otherwise recognised as offering an adequate level of protection for personal data by the European Commission, being controller to processor clauses as approved by the European Commission in Commission Decision 2010/87/EU, dated 5 February 2010 (as amended and updated from time to time) as set out in Schedule 5.

3. CCPA Processing of Personal Data. In connection with Jamf’s provision of Services to Customer, if the CCPA applies and Jamf receives any Personal Data from or on behalf of Customer, then:

  a) Jamf will not retain, use, or disclose such Personal Data: (i) for any purpose other than to perform the Services or (ii) outside of the direct business relationship between Customer and Jamf;

  b) Jamf will not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate such Personal Data to any third party for monetary or other valuable consideration;

  c) Jamf certifies that it understands the restrictions on Jamf’s Processing such Personal Data as set forth in this sentence and will comply with them;

  d) Jamf may disclose Personal Data to Jamf’s service providers in connection with such service providers providing services to Jamf and Jamf may permit such service providers to Process Personal Data as necessary for Jamf to provide the Services to Customer; and

  e) Jamf may combine Customer’s Personal Data with Personal Data received from other entities to the extent necessary to detect security incidents or protect against fraudulent or illegal activity, to the extent that Jamf acts as a “service provider” as defined in California Civil Code § 1798.140(v) with regard to all such Personal Data.

4. Processing of Personal Data.

  a) Jamf’s Processing of Personal Data. Jamf will Process Personal Data in accordance with the requirements of Data Protection Laws and only upon Customer’s documented instructions, except where Processing is otherwise permitted by Data Protection Laws.

  b) Transfers of Personal Data. The EEA Standard Contractual Clauses (attached as Schedule 4) will apply to any ex-EEA Transfer of Personal Data between Customer (as data exporter) and Jamf (as data importer) with Annex 1 completed with information set out in Schedule 1, Annex II completed with information set out in Schedule 3 and Annex III completed with information in Schedule 2. The UK Standard Contractual Clauses (attached as Schedule 5) will apply to any ex-UK Transfer of Personal Data between Customer (as data exporter) and Jamf (as data importer) with Appendix 1 completed with information set out in Schedule 1 and Appendix 2 completed with information set out in Schedule 3. References to “Member State” in the UK Standard Contractual Clauses are deemed amended to refer to the United Kingdom.

  c) New UK Standard Contractual Clauses. If the UK Standard Contractual Clauses are replaced or superseded by new standard data protection clauses pursuant to Article 46 of UK GDPR and related provisions of the DPA 2018 (“New UK SCCs”), then the Customer may give notice to Jamf and, with effect from the date set out in such notice, amend the application of clause 4.b) to one or more ex-UK Transfers so that:

    i) the UK Standard Contractual Clauses cease to apply to those ex-UK Transfers as further specified in such notice;

    ii) those of the New UK Standard Contractual Clauses as are specified in such notice will apply in respect of such ex-UK Transfers in substitution for the UK Standard Contractual Clauses; and

    iii) such consequential amendments as Jamf reasonably considers necessary are made to this DPA to ensure that it remains compliant with the provisions of Data Protection Law.

  d) Further Assurance. If Data Protection Law requires Customer to execute the SCCs applicable to a particular transfer of Personal Data to Jamf as a separate agreement, Jamf will, on request of the Customer, promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required by Customer to reflect the applicable clauses and Schedules of this DPA, the details of the transfer and the requirements of the relevant Data Protection Law. If either (i) any of the means of legitimising transfers of Personal Data outside of the EEA or UK which are referred to in this DPA cease to be valid or (ii) any supervisory authority requires transfers of Personal Data pursuant to those means to be suspended, then Jamf may, by notice to Customer and with effect from the date set out in such notice, amend or put in place alternative arrangements for such transfers, as required by the relevant Data Protection Law.

  e) Supplementary measures. For any ex-EEA or ex-UK Transfers, the following supplementary measures will apply:

    i) Jamf represents and warrants that, at the time of the transfer, it has not received any formal legal requests from any government intelligence or security service/agencies in the country to which the relevant Personal Data is being exported, for access to (or for copies of) Personal Data that has been transferred to Jamf pursuant to this Agreement (“Government Agency Requests”);

    ii) if, after the Effective Date of this DPA, Jamf receives any Government Agency Requests, it will (unless prohibited by law from doing so) inform the Customer in writing as soon as reasonably practicable and the Customer and Jamf will (as soon as reasonably practicable) discuss and determine whether all or any transfers of Personal Data pursuant to this DPA should be suspended in the light of such Government Agency Requests; and

    iii) the Customer and Jamf will meet regularly to consider whether:

      1) the protection afforded by the laws where Jamf is based to Data Subjects whose Personal Data is being transferred is sufficient to provide broadly equivalent protection to that afforded in the EEA and/or the UK;

      2) additional measures are reasonably necessary to enable the transfer to be compliant with the Data Protection Law; and

      3) it is still appropriate for Personal Data to be transferred to Jamf, considering all relevant information available to the Parties, together with guidance provided by the supervisory authorities.

  f) Details of Processing. Jamf will Process the Personal Data only as necessary for the performance of the Agreement, as provided for under this DPA, the Agreement or as otherwise agreed in writing between the Parties, and as further described in Schedule 1 (Details of Processing).

  g) Types of Personal Data. On behalf of the Customer, Jamf Processes the Personal Data that is necessary for the performance of the Agreement. This includes the types of Personal Data as set out in Schedule 1.

  h) Categories of Data Subjects. The categories of Data Subjects whose Personal Data Jamf Processes on behalf of the Customer under this DPA are set out in Schedule 1.

5. Subprocessors

  a) Approved Subprocessors. The Customer hereby authorizes the Processing of Personal Data by the Subprocessors listed in Schedule 2 (Approved Sub-Processors). Jamf will notify the Customer of any changes in Subprocessors, including the addition or replacement of Subprocessors, thereby giving the Customer the opportunity to object to such changes. If, within thirty (30) business days of receipt of this notice, the Customer has not objected to the intended change, the Customer is deemed to have authorized the intended change.

  b) Contract with Subprocessor. Jamf will impose on all Subprocessors written data protection obligations that offer at least the same protection of Personal Data as the data protection obligations to which Jamf is bound in the Agreement and this DPA. To the extent that a transfer of Personal Data between Jamf and a Subprocessor constitutes an ex-EEA or ex-UK Transfer, the Customer hereby authorizes Jamf to enter into the Standard Contractual Clauses with the Subprocessor for and on its behalf. Jamf will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessors that cause Jamf to breach any of Jamf’s obligations under this DPA.

6. Rights of Data Subjects.

  a) Correction, Blocking and Deletion. To the extent Customer does not have the ability to correct, amend, block, or delete Personal Data, as required by Data Protection Laws, Jamf will comply with any commercially reasonable request by Customer to facilitate such actions and provide such other assistance in relation to rights of Data Subjects to the extent Jamf is legally required to do so. Customer is responsible for any costs arising from Jamf’s assistance to the extent any such assistance exceeds the scope of Jamf’s obligations under Data Protection Laws and/or standard technical support.

  b) Data Subject Requests. Should a Data Subject contact Jamf about correcting or deleting its Personal Data, Jamf will use commercially reasonable efforts to forward such requests to Customer. Jamf will not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Jamf will provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data. Customer is responsible for any costs arising from Jamf’s assistance to the extent such assistance exceeds the scope of Jamf’s obligations under Data Protection Laws and/or routine customer service.

7. Jamf Personnel.

  a) Confidentiality. Jamf will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Jamf will ensure that such confidentiality obligations survive the termination of the personnel engagement.

  b) Reliability. Jamf will take commercially reasonable steps to ensure the reliability of any Jamf personnel engaged in the Processing of Personal Data.

  c) Limitation of Access. Jamf will ensure that access to Personal Data is limited to personnel performing Services in accordance with the Agreement.

  d) Privacy Officer. Jamf has appointed a privacy officer. The appointed person may be reached at privacy@Jamf.com.

8. Security. Jamf has implemented and will maintain technical and organizational measures to secure Personal Data against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data and will comply with Data Protection Laws by taking the security measures set out in Schedule 3 (Security Measures). Jamf will ensure an appropriate level of security, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects.

9. Personal Data Breach Management and Notification. Jamf maintains security incident management policies and procedures and will notify Customer of a Personal Data Breach of which Jamf becomes aware without undue delay and provide such further assistance as may be required by Data Protection Laws. To the extent such Personal Data Breach is caused by Jamf’s violation of the requirements of this DPA, Jamf will make reasonable efforts to identify and remediate the cause of such Personal Data Breach. If a Personal Data Breach is caused by Customer’s violation of the requirements of this DPA, Customer will make reasonable efforts to identify and remediate the cause of such Personal Data Breach.

10. Data Protection Impact Assessments. Where the Customer is required to complete a data protection impact assessment or privacy impact assessment under Data Protection Laws, Jamf, upon written request by the Customer, will provide reasonable assistance to the Customer in relation to that requirement. Customer is responsible for any costs arising from Jamf’s assistance to the extent such assistance exceeds the scope of Jamf’s obligations under Data Protection Laws and/or routine customer service.

11. Audits. Jamf allows for, cooperates with, and contributes to audits, including inspections, conducted by Customer or an external auditor engaged by Customer. Audits may be conducted: (i) from time to time on reasonable notice, but no more than once annually; (ii) during normal business hours and so as not to unreasonably interfere with Jamf’s performance of the Services under the Agreement or unreasonably interfere with Jamf’s business; and (iii) during the term of this DPA. The notice requirement in this section 11(i) and the restrictions stated in 11(ii) will not apply to the extent the audit is initiated by a regulator. Jamf will provide to Customer, its auditors, and regulators reasonable assistance so they can perform an audit, including permitting them access to the following: the place, premises, and facilities from which the Services will be performed; the systems (including software, networks, firewalls, and servers) used to perform the Services; and data, records, manuals, and other information relating to the Services. Jamf will not be required to give auditors any access or information that may cause Jamf to compromise its own internal, legal, or regulatory compliance obligations, is subject to confidentiality obligations with its customers, vendors or other third parties, or is commercially sensitive (such as trade secrets). If an audit results in Jamf being notified that it, or its Processing of Personal Data, does not comply with Data Protection Laws, the Parties will discuss that finding and, with respect to any such non-compliance, Jamf will take corrective actions to achieve compliance to the reasonable satisfaction of the auditor.

12. Term

  a) Duration. The term of this DPA is the same as the term of the Agreement. Regardless of the termination of this DPA, Jamf is obliged to comply with the provisions of this DPA as long as Personal Data are Processed by Jamf on behalf of Customer.

  b) Obligation to Delete or Return Personal Data. Upon termination or expiration of the Agreement and this DPA, and, at the choice of and upon Customer’s written request, Jamf will return the Personal Data and all copies thereof to the Customer and/or will securely destroy (delete) the Personal Data and all existing copies thereof in accordance with the Agreement, except to the extent continued storage is required under applicable laws and permitted under Data Protection Laws. In such case, Jamf will inform the Customer of such legal obligation, keep the Personal Data confidential and only Process the Personal Data to the extent required by applicable laws.

13. Limitation of Liability. NEITHER JAMF NOR ANY OF JAMF’S AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT OR DAMAGES ARISING IN CONNECTION WITH ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY PERSONAL DATA. IN ANY CASE, JAMF’S AND JAMF’S AFFILIATES’ AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS DPA WILL NOT EXCEED THE AMOUNT CUSTOMER ACTUALLY PAYS JAMF UNDER THE AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS BEFORE THE LIABILITY AROSE. THE EXCLUSIONS AND LIMITATIONS IN THIS SECTION 14 APPLY ONLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

14. General Provisions.

  a) Entire Agreement/Order of Precedence. This DPA constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior understandings regarding such subject matter, whether written or oral. To the extent a conflict exists between this DPA and the Agreement regarding the subject matter of this DPA, the terms of this DPA will govern. To the extent a conflict exists between this DPA and the Standard Contractual Clauses regarding the subject matter of this DPA, the Standard Contractual Clauses will govern.

  b) Amendment. No amendment or modification of this DPA will be binding unless in writing and signed by the Parties.

  c) Waiver. Any waiver by a Party of a breach of any provision of this DPA will not operate as or be construed as a waiver of any further or subsequent breach.

  d) Survival. Provisions of this DPA that by their nature are to be performed or enforced following any termination of this DPA will survive such termination.

  e) Assignment. Jamf may assign this DPA to an affiliate or in connection with a merger of Jamf or the sale of substantially all Jamf’s assets.

  f) Binding Effect. This DPA will be binding upon and inure to the benefit of the Parties, their successors and permitted assigns.

  g) Unenforceability and Severability. If for any reason, a court of competent jurisdiction or duly appointed arbitrator finds any provision or portion of this DPA to be unenforceable, the remainder of this DPA will continue in full force and effect.

  h) Translations. If this DPA is translated into languages other than English, the English version will control.

  i) Headings. The headings are for convenience only and do not affect the interpretation of this DPA.

  j) Counterparts. This DPA may be executed by electronic signature and in counterparts, which together constitute one binding agreement.

  k) Third Party Rights. Except to the extent expressly provided by the Standard Contractual Clauses with respect to Data Subjects, this DPA does not give rise to any rights for third parties to enforce any term of this DPA.

15. Authority of Signatories. Each person signing this DPA represents and warrants that they are duly authorized and have legal capacity to execute it.

Jamf Software, LLC

Signature:
Name:
Title:
Date:

Jamf Internal Account Reference:

Customer

Signature:
Name:
Title:
Date:

Full Company Legal Name:
Type of Legal Entity:

Street Address:

State/Province:
Postal Code:

SCHEDULE 1 DETAILS OF PROCESSING

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name: ___________________________________________
Address: _________________________________________
Contact person’s name, position, and contact details: _______________________________________________
Activities relevant to the data transferred under these Clauses: use of Services provided by Jamf.
Signature and date: ___________________________________________________
Role (controller/processor): Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: JAMF Software, LLC
Address: 100 Washington Avenue South, Suite 1100, Minneapolis, MN 55401 USA
Contact person’s name, position, and contact details: Justin Francis, Senior Director, Enterprise Risk & Compliance; privacy@jamf.com; +1 612-605-6625
Activities relevant to the data transferred under these Clauses: Jamf’s provision of Services under the Agreement.
Signature and date: ___________________________________________________
Role (controller/processor): Processor

B. Description of Transfer

Categories of Data Subjects whose Personal Data is transferred: employees of Customer (and students of Customer if Customer is an education customer).

Categories of Personal Data transferred: Names, IP addresses, telephone numbers, computer names, job titles and functions and email addresses.

Sensitive data/special categories transferred (if any): none.

Frequency of transfer: the frequency of the transfer of Personal Data is directly related to the nature of processing.

Nature of the Processing: Process Personal Data if Customer enters Personal Data into Customer’s instance of the Hosted Services provided by Jamf pursuant to the Agreement. Jamf utilizes subprocessors for infrastructure to provide the Hosted Services in which Personal Data is stored.

Purpose(s) of the data transfer and further processing: the purpose of data transfers is for Customer to utilize Jamf’s Services.

The period for which Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data is retained in accordance with the Agreement and this DPA.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the Processing: Jamf utilizes the approved Subprocessors set forth in and as further described in Schedule 2. The duration of the Processing is equivalent to the length of time Customer utilizes Jamf’s Services under the Agreement.

C. Competent Supervisory Authority (identify the competent supervisory authority/ies in accordance with Clause 13 of Schedule 4 to the DPA (EEA Standard Contractual Clauses)): The competent supervisory authority is identified in Clause 13 of the EEA Standard Contractual Clauses.

SCHEDULE 2 APPROVED SUBPROCESSORS

Jamf’s subprocessor list can be found at https://www.jamf.com/trust-center/legal/.

SCHEDULE 3 SECURITY MEASURES

Processing of Personal Data takes place on data processing systems for which technical and organizational measures for protecting such data have been implemented. In this context, Jamf assures Customer that it will take all reasonable measures required to ensure such Processing is done in accordance with applicable Data Protection Laws. Considering the state of technological development and the cost of implementing such measures, Jamf will ensure a level of security appropriate to the harm that might result from unauthorized or unlawful Processing or accidental loss, destruction, or damage, considering the nature of the Personal Data to be protected.

Jamf will implement the following measures:

1. Information Security Policies and Measures

  a) Policies. Jamf’s information security policies will be documented and approved by Jamf’s senior management.

  b) Review of the Policies. Jamf’s information security policies will be reviewed by Jamf at least annually, or promptly after material changes are made to the policies to confirm applicability and effectiveness. Jamf will not make changes to the policies that would materially degrade Jamf’s security obligations.

  c) Information Security Reviews. Jamf will independently review its approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes, and procedures for information security) at planned intervals or when significant changes occur.

  d) Disaster Recovery. During the term of the Agreement, Jamf will maintain a disaster recovery (DR) or high availability (HA) solution and related plan that is consistent with Industry Standards for the Services Jamf provides to Customer. Jamf will test the DR or HA solution and related plan at least once annually. In addition, the solution and related plan will ensure:

    i) that installed systems used to provide Services will be restored in case of interruption;

    ii) Jamf’s ability to restore the availability and access to Customer Content in a timely manner in the event of a physical or technical incident; and

    iii) the ongoing confidentiality, integrity, availability, and resilience of systems Jamf uses to provide Services.

  e) Testing. Jamf will maintain a process for regularly testing the effectiveness of its technical and organizational measures for ensuring the security of the processing of Customer Content.

2. Information Security Framework

  a) Security Accountability. Jamf will assign one or more security officers who will be responsible for coordinating and monitoring all information security functions, policies and procedures.

  b) Security Roles and Responsibility. Jamf personnel, contractors and agents who are involved in providing Services will be subject to confidentiality agreements with Jamf.

  c) Risk Management. Jamf will perform appropriate information security risk assessments as part of an ongoing risk governance program with the following objectives: (i) recognize risk, (ii) assess the impact of risk and (iii) where risk reduction or mitigation strategies are identified and implemented, effectively manage the risk with recognition that the threat landscape constantly changes.

3. Human Resource Security

  a) Security Training. Jamf will provide appropriate security awareness, education, and training to all Jamf personnel and contractors with access to the Software and Services provided to Customer.

  b) Background Screening. Jamf will ensure that background checks have been performed on Jamf personnel who are part of teams managing Jamf’s hosting infrastructure. Additionally, background checks will be performed on Jamf personnel or agents assigned to provide Services at Customer’s premises. Jamf will perform background checks in accordance with applicable law and Jamf’s background screening policies and procedures. Only individuals who have passed background checks will be allowed by Jamf to provide Services at Customer’s premises or be part of Jamf’s teams managing Jamf’s hosted infrastructure.

4. Asset Management

  a) Asset Inventory.

    i) Jamf will maintain an asset inventory of all media and equipment where Customer Content is stored. Jamf will restrict access to such media and equipment to authorized personnel of Jamf. Jamf will prevent the unauthorized reading, copying, modification or removal of data media.

    ii) Jamf will classify Customer Content so that it is properly identified and will appropriately restrict access to Customer Content. Specifically, Jamf will ensure that no person appointed by Jamf to process Customer Content, will process Customer Content unless that person:

      1) has a need to access Customer Content for the purpose of performing Jamf’s obligations under the Agreement;

      2) has been authorized by Jamf in a manner consistent with Jamf’s information security policies;

      3) has been fully instructed by Jamf in the procedures relevant to the performance of the obligations of Jamf under the Agreement, in particular the limited purpose of processing Customer Content; and

      4) is aware that they are prohibited from copying any Customer Content transmitted by Customer to Jamf, provided, however, that Jamf may retain copies of Customer Content provided to it under the Agreement in its servers for backup and archive purposes until completion of the Agreement.

    iii) Jamf will further maintain measures to ensure that persons appointed by Jamf to process Customer Content will prevent the unauthorized input of Customer Content and the unauthorized inspection, modification, or deletion of stored Customer Content.

    iv) Jamf will maintain an appropriate approval process whereby approval is provided to personnel, contractors, and agents prior to storing Customer Content on portable devices or remotely accessing Customer Content. All approvals will be subject to measures designed to prevent the unauthorized reading, copying, modification or deletion of Customer Content during transfers of such content or during transportation of data media. If remote access is approved and granted, Jamf personnel, agents and contractors will use multi-factor authentication. Multi-factor authentication may include techniques such as the use of cryptographic certificates, one time password (OTP) tokens or biometrics.

  b) Security of Software Components. Jamf agrees to appropriately inventory all Software components (including open-source software) used with Jamf’s Software and Services. Jamf will assess whether any such software components have any security defects and/or vulnerabilities that could lead to unauthorized disclosure of Customer Content. Jamf will perform such assessment prior to delivery of, or providing Customer access to, Jamf’s Software and Services and on an on-going basis thereafter during the term of the Agreement. Jamf agrees to remediate any security defect or vulnerability it detects in a timely manner.

5. Access Control

a) Policy.

i) Jamf will maintain an appropriate access control policy that is designed to restrict access to Customer Content and Jamf assets to authorized personnel, agents, and contractors. To ensure clarity, all references to user accounts and passwords in this section relate only to Jamf’s users, user accounts and passwords. This Section 5 does not apply to Customer’s access to and use of the Software and Services, Customer user accounts or Customer passwords.

b) Authorization.

  1. i) Jamf will maintain user account creation and deletion procedures for granting and revoking access to all assets, Customer Content and all Jamf internal applications while providing Software and Services under the Agreement. Jamf will assign an appropriate authority to approve creation of user accounts or elevated levels of access for existing accounts.

  2. ii) Jamf will maintain and update records of employees and contractors who are authorized to access systems that are involved in providing Software and Services to the Customer and review such records at least quarterly. Administrative and technical support personnel, agents or contractors will only be permitted to have access to such data when required; provided, such personnel, agents or contractors comply with applicable Jamf technical and organizational measures.

  3. iii) Jamf will ensure the uniqueness of user accounts and passwords for everyone. Individual user accounts will not be shared.

  4. iv) Jamf will remove access rights of personnel and contractors to assets that store Customer Content upon termination of their employment, contract, or agreement within 24 hours, or adjust access upon change of personnel role.

c) Authentication.

  1. i) Jamf will use Industry Standard capabilities to identify and authenticate personnel, agents and contractors who attempt to access information systems and assets.

  2. ii) Jamf will maintain Industry Standard practices to deactivate passwords that have been corrupted or disclosed.

  3. iii) Jamf will monitor for repeated access attempts to information systems and assets.

  4. iv) Jamf will maintain Industry Standard password protection practices that are designed to maintain the confidentiality and integrity of passwords generated, assigned, distributed, and stored in any form.

  5. v) Jamf will use multi-factor authentication for all administrative access, including domain and cloud portal administrative access. Multi-factor authentication may include techniques such as the use of cryptographic certificates, One Time Password (OTP) tokens or biometrics.

d) Data-processing Equipment.

  1. i) Jamf will deny unauthorized persons access to systems and equipment used for processing Customer Content (“Data-Processing Equipment”).

  2. ii) Jamf will prevent the use of automated Data-processing Equipment by unauthorized persons using data communication equipment.

  3. iii) Jamf will ensure that persons authorized to use an automated Data-processing Equipment only have access to the Customer Content covered by their access authorization.

  4. iv) Jamf will ensure that it is subsequently possible to verify and establish which Customer Content has been put into automated Data-processing Equipment when it was added and by whom the input was made.

6. Cryptography

a) Jamf will maintain policies and standards regarding the use of cryptographic controls that are implemented to protect Customer Content. Such protections will include the pseudonymization and encryption of Personal Data, as further detailed below in Section 9. Jamf will implement Industry Standard key management policies and practices designed to protect encryption keys for their entire lifetime.

7. Physical and Environmental Security

  1. a) Physical Access to Facilities. Jamf will limit access to facilities where systems that are involved in providing the Services are located to identified personnel, agents, and contractors.

  2. b) Protection from Disruptions. Jamf will use reasonable efforts, and, to the best of Jamf’s ability and to the extent within Jamf’s control, protect equipment from power failures and other disruptions caused by failures in supporting utilities.

  3. c) Secure Disposal or Reuse of Equipment. Jamf will verify that all Customer Content has been deleted or securely overwritten from equipment containing storage media using Industry Standard processes prior to disposal or re-use.

8. Operations Security

  1. a) Operations Policy. Jamf will maintain appropriate operational and security operating procedures and such procedures will be made available to all Jamf personnel who require them.

  2. b) Protections from Malware. Jamf will maintain anti-malware controls that are designed to protect systems from malicious software, including malicious software that originates from public networks.

  3. c) Configuration Management. Jamf will have policies that govern the installation of software and utilities by personnel.

  4. d) Change Management. Jamf will maintain and implement procedures to ensure that only approved and secure versions of the code, configurations, systems, and applications will be deployed in the production environment(s).

  5. e) Encryption of Data. Encryption solutions will be deployed with no less than 256-bit Advanced Encryption Standard (AES) encryption.

  6. f) Systems. Jamf will ensure that the functions of the systems utilized to provide Services perform, that the appearance of faults in the functions is reported and that stored Customer Content cannot be corrupted by means of a malfunctioning of such systems.

9. Communications Security

  1. a) Information Transfer.

    1. i) With respect to Jamf’s Hosted Services, Customer Content is encrypted in-transit to the Hosted Services and maintained in encrypted storage. Jamf will use Industry Standard encryption to encrypt Customer Content.

    2. ii) Jamf will restrict access through encryption to Customer Content stored on media that is physically transported from Jamf facilities.

    3. iii) Jamf will ensure that it is possible to verify and establish the extent to which Customer Content has been or may be transmitted or made available using data communication equipment.

  2. b) Security of Network Services.

i) Jamf will ensure that Industry Standard security controls and procedures for all network services and components are implemented whether such services are provided in-house or outsourced.

c) Intrusion Detection.

i) Jamf will deploy intrusion detection or intrusion prevention systems for all systems used to provide Services to Customer to provide continuous surveillance for intercepting and responding to security events as they are identified and update the signature database as soon as new releases become available for commercial distribution.

d) Firewalls.

i) Jamf will have appropriate firewalls in place which will only allow documented and approved ports and services to be used. All other ports will be in a deny all mode.

10. System Acquisition, Development and Maintenance

  1. a) Workstation Encryption. Jamf will require hard disk encryption of at least 256-bit Advanced Encryption Standard (AES) on all workstations and/or laptops used by personnel, contractors, and agents where such personnel are accessing or processing Customer Content.

  2. b) Application Hardening.

    1. i) Jamf will maintain and implement secure application development policies, procedures and standards that are aligned to Industry Standard practices such as the SANS Top 25 Security Development Techniques or the OWASP Top Ten project.

    2. ii) All personnel responsible for secure application design, development, configuration, testing and deployment will be qualified to perform the Services and receive appropriate training regarding Jamf’s secure application development practices.

  3. c) System Hardening.

i) Jamf will establish and ensure the use of standard secure configurations of operating systems. Images should represent hardened versions of the underlying operating system and the applications installed on the system. Hardening includes removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems. These images should be validated on a regular basis to update their security configuration as appropriate.

  1. ii) Jamf will perform periodic (at least quarterly) access reviews for system administrators for all supporting systems requiring access control.

  2. iii) Jamf will implement patching tools and processes for both applications and operating system software. When outdated systems can no longer be patched, Jamf will update to the latest version of application software. Jamf will remove outdated, unsupported, and unused software from the system.

  3. iv) Jamf will limit administrative privileges to only those personnel who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system.

  1. d) Infrastructure Vulnerability Scanning. Jamf will scan its internal environment (e.g., servers, network devices, etc.) related to the Services monthly and external environment related to the Services on a weekly basis. Jamf will have a defined process to address any findings but will ensure that any high-risk vulnerabilities are addressed no later than 30 days after discovery.

  2. e) Application Vulnerability Assessment. Jamf will perform an application security vulnerability assessment prior to any new public release. Jamf will have a defined process to address any findings but will ensure that any high-risk vulnerabilities are addressed within 30 days of discovery.

  3. f) Penetration Tests and Security Evaluations of Websites. Jamf will perform a comprehensive penetration test and security evaluation of all systems and websites involved in providing Services on a recurring basis no less frequent than once annually. Additionally, Jamf will have an industry-recognized independent third party perform an annual test. Jamf will have a defined process to address any findings but will ensure that any high-risk vulnerabilities are addressed within 30 days of discovery. Upon Customer’s written request, but no more than once per year, Jamf will provide an assertion statement to validate the completion of the independent third-party penetration test and attest to the fact that Jamf maintains a process to address findings.

11. Jamf Relationships

  1. a) If Jamf must use a third-party application or service to provide the Services, Jamf’s contract with that third-party vendor must clearly outline security requirements for the third-party vendor consistent with the security requirements of this Information Security Schedule. In addition, service level agreements with the third party must be clearly defined.

  2. b) Any third party gaining access to Jamf systems must be covered by a signed agreement containing confidentiality and security provisions consistent with the confidentiality and security requirements of the Agreement and this Information Security Schedule.

  3. c) Jamf will perform quality control and security management oversight of outsourced software development.

SCHEDULE 4

EEA Standard Contractual Clauses

SECTION I

Clause 1
Purpose and scope

  1. (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of data to a third country.

  2. (b) The Parties:

    1. (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

    2. (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

    have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

  3. (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

  4. (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2
Effect and invariability of the Clauses

  1. (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

  2. (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3
Third-party beneficiaries

  1. (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

    1. (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

    2. (ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

    3. (iii) Clause 9(a), (c), (d) and (e);

    4. (iv) Clause 12(a), (d) and (f);

    5. (v) Clause 13;

    6. (vi) Clause 15.1(c), (d) and (e);

    7. (vii) Clause 16(e);

    8. (viii) Clause 18(a) and (b).

  2. (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4
Interpretation

  1. (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

  2. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

  3. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5
Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6
Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7
Reserved

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8
Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

  1. (a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

  2. (b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

  1. (b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  2. (c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (2) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

  1. (a) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

  2. (b) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

  3. (c) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory, or judicial proceedings; or

  4. (d) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

  1. (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

  2. (b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

  3. (c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

  1. (d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

  2. (e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9
Use of sub-processors

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (3) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10
Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraph (a) and (b), the data importer&