Privacy Policy for Customer Portal Users – March 17, 2020

Purpose

Arctic Wolf Networks, Inc. (“AWN,” “Arctic Wolf,” “we,” “us,” “our,” or the “Company”) and its affiliates are committed to protecting the privacy of the information (“Customer Information” as defined below) provided by you and your authorized resources (“Users”, “you”, “your”) while using the Arctic Wolf Customer Portal (the “Customer Portal”) and the Arctic Wolf SOC-as-a-service or other products and services (collectively, “Solutions”).  For purposes of clarity, MSP Partners (“MSP,” “MSPs”) using the Customer Portal and Solutions on behalf of its end-users are considered Users for the purposes of this Privacy Policy. This Privacy Policy describes the Customer Information (as defined below) we collect through the Solutions and Customer Portal and the manner in which the Customer Information is used to deliver and support the Solutions.

Terms of Use

If you have any dispute over the privacy of your information, the dispute is subject to this Privacy Policy and, as applicable, the Master Solutions Agreement or Master Partner Agreement made between us, including any provisions related to the limitation of liability and application of choice of law.

Scope

This Privacy Policy covers the Customer Information collected by us from Users of the Customer Portal and Solutions and the access to and submission of Customer Information for the purpose of:

• Opening tickets
• Adding comments to existing tickets
• Adding attachment(s) to tickets
• Being authenticated to use the Solutions
• Uploading credentials for application event monitoring
• Obtaining configuration information, reports, and metrics related to the operation of the Solutions within your environment

Customer Information

Each User is responsible for the quality, integrity, reliability, and appropriateness of Customer Information submitted in the Customer Portal and Solutions and must comply with terms contained in the applicable Arctic Wolf Master Solutions Agreement or, in the case of an MSP, by the terms of the applicable Arctic Wolf Master Partner Agreement.  The information we may collect from you while using the Customer Portal and Solutions (the “Customer Information”) includes: Customer Information Obtained via the Customer Portal The types of Customer Information we collect about Users of the Customer Portal includes: 1) Corporate or Employee Information Customer Portal Users experiencing issues relating to the Solutions may submit support tickets via the Customer Portal.  In the course of your creation of support tickets and our provision of support services, you may provide corporate or employee information that assists us with the definition and resolution of issues. 2) Uploaded Credentials Customers Portal Users may upload their credentials (such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data, and device ID identifiers). Customer Information Obtained via the Solutions When using the Solutions, the Solutions may collect, and/or you may choose to submit to us, the following: 1) System Data The Solutions, depending on their set up and deployment in your environment, may collect log data from various sources, including your:

• data center,
• applications,
• infrastructure in the cloud,
• on-premises infrastructure, and
• remote endpoints.

In addition, the Solutions may perform inspection of network traffic, scan internal and external-facing devices, and collect configuration data, vulnerability data, system-level inventory, and event data. 2) Uploaded Credentials Solutions Users may be required to upload their credentials (such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data, and device ID identifiers).

How We Use the Information

We use Customer Information for the following purposes: 1) Support Ticket Management and Resolution Support tickets are the primary medium that Users and the Concierge Security™ engineers (CSEs) use to communicate issues or requests over the use and improvement of the Solutions. Both parties can comment and provide more information in a support ticket until the issue/request is resolved. The CSEs use a ticketing system to communicate security alerts to Users allowing the Users to respond and see the status of the alert until it is closed. 2) Provision of the Solutions System Data and uploaded credentials are integral to the functionality of our Solutions.  This Information is used to provision the Solutions to you and to monitor and detect security and threat incidents within your network of connected applications and systems. Uploaded credentials can be viewed and managed by Users, including your MSP, and—to a limited extent—may be accessed and viewed by Arctic Wolf employees for support ticket issue resolution. Based on the your environment and configuration, Users can upload credentials in the Solutions and/or Customer Portal to:

• configure the Solutions, and to monitor cloud infrastructure resources to detect access and misuse of a User’s networks, resources, and application instances;
• monitor SaaS applications to detect malicious activities and potential data exposures in cloud-based applications; and
• monitor security events related to user single sign-on and malicious endpoint activity for security providers.

3) Communication With You Arctic Wolf may use your Customer Information for business purposes of communicating with you about Solutions in which you may be interested, updating you about changes to our terms and conditions, sending you general information about Arctic Wolf and its business, or other similar types of business purposes. 4) Improve the Customer Portal and Solutions Arctic Wolf may aggregate and anonymize your Customer Information in order to improve the information it uses to deliver its Solutions.

How We May Share the Information

We do not sell your Customer Information.  We do not share, distribute, use, disclose, review, transfer, or reference any Customer Information except as set forth herein, as expressly permitted in writing by the User, as needed by an MSP to perform services for its end users, or as required or permitted by law. Additional information about our confidentiality and security practices with respect to Customer Information is available on our Information Security Overview page. We may share Customer Information only in the manner described below. We do not control, however, how you or your third party service providers, collect, uses, shares or discloses Customer Information. We may share or disclose Customer Information in the following ways: When changing our business structure In the event of a proposed or completed merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of our assets, similar transactions or proceedings, or steps in contemplation of such activities, Customer Information held by us may be among the assets transferred to the buyer or acquirer; When conducting our business operations We may use third party service providers and tools to provide services on our behalf, including billing, customer ticketing and collaboration, internal support ticketing, access and identity management, cloud hosting, customer relations management, marketing and advertising, Solution improvement projects, etc. Our service providers are only provided with information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers may be located in the U.S., Canada or other foreign jurisdictions; To comply with laws We and our affiliates or service providers in the U.S. or other jurisdictions may disclose Customer Information to comply with applicable legal or regulatory requirements (which may include lawful access by U.S. or foreign courts, law enforcement or other government authorities) and to respond to lawful requests by public authorities, including to meet national security, law enforcement requirements, court orders and legal processes; To protect rights and safety To protect and defend the brand, rights, property and safety of Arctic Wolf Networks, Inc. and its affiliates, Arctic Wolf customers, including enforcing contracts or policies, or in connection with investigating and preventing fraud. If Users have any questions about its Customer Information or rights with respect to the foregoing, please contact us at dataprotection@arcticwolf.com or open a ticket via your Customer Portal.

Security

The security of Customer Information is important to us. We maintain appropriate administrative, physical, and technical safeguards to help protect the confidentiality and integrity of Customer Information, during transmission and once it is received. However, we cannot guarantee that hackers or unauthorized personnel will not gain access to Customer Information, despite our best efforts. No method of transmission over the Internet, or method of electronic storage, is 100% secure.  Therefore, while we strive to use commercially acceptable means to protect Customer Information, we cannot guarantee its absolute security.  Customer Portal Users are responsible for protecting themselves against unauthorized access to passwords, private keys and computers, and unauthorized disclosure, alteration, and destruction of Customer Information.  To learn more about our Security practices, please refer to Information Security Overview.

Location of Data

All Customer Information uploaded to the Customer Portal and the Solutions may be stored within the Amazon Web Services environment, or such other third party cloud service provider(s) selected by us, within the U.S., however, Customer Information may be accessed by employees, including non-US citizens, outside of the U.S.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

Arctic Wolf complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Arctic Wolf has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  Arctic Wolf may process some personal data from individuals or companies via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.  To learn more about the Privacy Shield program and view our certification, visit the U.S. Department of Commerce’s Privacy Shield site at Privacy Shield.  Arctic Wolf is responsible for the processing of the personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. Arctic Wolf complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, Switzerland and United Kingdom, including the onward transfer liability provisions. With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Arctic Wolf is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we are required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In compliance with the Privacy Shield Principles, Arctic Wolf commits to resolve complaints about our collection or use of your personal data. EU, Swiss, and UK individuals with inquiries or complaints regarding our Privacy Statement should first contact Arctic Wolf at dataprotection@arcticwolf.com or you may also call (888) 286-6726. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield. Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration by going to Submitting a Complaint on the Privacy Shield website when other dispute resolution procedures have been exhausted.

Supplemental Privacy Policy Terms

Canada Access to Information Subject to limited exceptions under applicable law, Users may have the right to access, update and correct inaccuracies on their Customer Information.  To exercise these rights, please submit a request by emailing dataprotection@arcticwolf.com or you may also call (888) 286-6726.  Please be as specific as possible in relation to the Customer Information you wish to access.  Once Arctic Wolf receives your request, Arctic Wolf will review it, determine whether Arctic Wolf can verify your identity, and process the request accordingly.  If Arctic Wolf needs additional information to verify your identity, Arctic Wolf will let you know. California Consumer Privacy Act The California Consumer Privacy Act (“CCPA”), which is effective as of January 1, 2020, regulates how Arctic Wolf handles personal information of California residents and gives California residents certain rights with respect to their personal information. Arctic Wolf is both a “business” and a “service provider” under the CCPA. The following supplemental privacy policy applies to information Arctic Wolf collects in its role as a business.  If you would like more information about how your personal information is processed by such other companies, including companies that engage Arctic Wolf as a service provider, please contact those companies directly. This provision is effective as of January 1, 2020, shall apply only to residents of California, and may be subject to change.  The general privacy policy shall continue to apply to the extent that it applies to you as a resident of California; however, if you are a resident of California, Arctic Wolf also is required to disclose certain uses and disclosures in a certain format, as well as to inform you of certain rights you may have.  Any capitalized terms used in this supplemental privacy policy shall have the same meaning as in the general privacy policy. Information Arctic Wolf May Collect: We may collect the following categories of information:

• Corporate or employee information that you may provide to Arctic Wolf
• Uploaded Credentials – such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data and device ID identifiers
• System Log Data that may include personal information you elect to provide to us

For each category of information, Arctic Wolf collects the information from a variety of sources, including directly from you, from your devices, and/or from your third party providers.  Arctic Wolf collects the information to:

• provide you with support on the Solutions,
• deliver the Solutions to you,
• protect Arctic Wolf (including the Solutions) and its customers,
• communicate with you regarding our Solutions and terms and conditions,
• conduct internal marketing activities, and
• improve our Solutions.

Arctic Wolf may share personal information with Third Parties as the term is defined under the CCPA. Additional Disclosures: Arctic Wolf does not sell personal information of any individual, including personal information of minors under 16 years of age. Arctic Wolf engages certain trusted third parties to perform functions and provide services to us, including auditing, marketing, hosting and maintenance, error monitoring, debugging, performance monitoring, and other short term uses.  We may share your Customer Information with these third parties, but only to the extent necessary to perform these functions and provide such services.  We require these third parties to maintain the privacy and security of the Customer Information they process on our behalf. Arctic Wolf has disclosed the following categories of personal information for business purposes and valuable consideration in the 12 months prior to this Privacy Policy’s last update:

Identifiers (names, email addresses, phone numbers, mailing address)	YES
Commercial Information (Solution information)	YES
Geolocation Data	NO

Do Not Sell My Personal Information: Arctic Wolf does not sell your personal information as defined under CCPA. Your Rights: You may have certain rights with respect to your personal information, including:

• The right to access, including the right to know the categories and specific pieces of personal information Arctic Wolf collects;
• The right to deletion of your personal information, subject to certain limitations under applicable law;
• The right to request disclosure of information collected;
• The right to disclosure of information disclosed for valuable consideration; and
• The right not to be discriminated against for exercising certain rights under California law.

To exercise these rights, please submit a request by emailing dataprotection@arcticwolf.com or you may also call (888) 286-6726.  Please be as specific as possible in relation to the personal information you wish to access.  Once Arctic Wolf receives your request, Arctic Wolf will review it, determine whether Arctic Wolf can verify your identity, and process the request accordingly. If Arctic Wolf needs additional information to verify your identity, Arctic Wolf will let you know. Arctic Wolf will respond to your request within 45 days of receipt or notify you if Arctic Wolf requires additional time. If you would prefer, you may designate an authorized agent to make a request on your behalf.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Updates to the Privacy Policy will be posted on the Arctic Wolf Website with an indication of when it has been updated. We encourage you to periodically review this Privacy Policy for any changes.

Additional Information

Questions regarding this privacy policy or about the manner in which we or our service providers treat your Customer Information can be directed to us by sending an email to dataprotection@arcticwolf.com or by regular mail addressed to: Arctic Wolf Networks, Inc. Attn: Information Security and Data Protection Officer 111 West Evelyn Ave., Suite 115 Sunnyvale, CA 94086 U.S.A.