Supplemental Measures to Protect Customer Personal Data

Last Updated: April 26, 2023

Consistent with our data protection obligations under laws and regulations worldwide (including under the EU GDPR), Trellix has adopted organizational, technical, and contractual measures to protect personal data entrusted to us.

Organizational Measures

Trellix has adopted appropriate policies and procedures that apply to our affiliates, employees, contractors, and suppliers worldwide – including without limitation our internal Enterprise Privacy Policy, HR Privacy and Data Protection Policy, Code of Conduct, Acceptable Use Policy, Information Security Policy, Information Classification and Handling Policy, and Law Enforcement Request Policy.

Among other things, our Law Enforcement Request Policy guides how Trellix responds to requests from law enforcement and government entities. Before sharing personal data with law enforcement or government agencies, we determine whether the request meets the relevant statutory and regulatory requirements; and where the request involves EU personal data, we confirm whether it is necessary and genuinely meets the objectives of general interests recognized by the EU or the need to protect the rights and freedoms of individuals, consistent with EU law. Further, the Trellix Privacy Office will assess how to answer the request while ensuring that Trellix also follows data minimization and other basic privacy principles, and otherwise complies with relevant obligations to data subjects.

Consistent with our Trellix Customer Data Processing Agreement, we will notify our customers promptly if we have reason to believe that we have become subject to laws or practices not consistent with our obligations to customers and data subjects.

We will also notify customers in any circumstance where we (1) receive a legally binding request from a government regulator for the disclosure of customer personal data, or (2) become aware of direct access by any government regulator, unless prohibited by law. In cases where we are legally prohibited from notifying a customer, Trellix will attempt to obtain a waiver of the prohibition and communicate as much information to the customer as possible, as soon as possible.

Technical Measures

Trellix has implemented technical and organizational security measures that are consistent with industry standards, including ISO 27001, 27017, 27018 and 27701. Trellix’s Information Security & Privacy Management System helps ensure continued operation of such measures and supports the governance of information security and processing of personal data as a processor across all of our locations and cloud services worldwide.

In addition, Trellix offers product features that customers can adopt to further enhance protection of personal data processed by Trellix. For more information about these features, see our GDPR Statements [and/or Privacy Data Sheets].

3. On What Basis Do We Transfer Personal Data Across Borders?

Our Trellix Customer Data Processing Agreement incorporates our Data Transfer Addendum (including EU Standard Contractual Clauses), and Technical and Organizational Measures. In addition, we contractually require all vendors that process personal data on our behalf to comply with our rigorous privacy and security standards.

For information about the privacy and security standards that our processors and other suppliers must meet, see our Trellix Supplier Portal (https://www.trellix.com/en-us/about/legal/supplierportal.html), which among other things includes our Supplier Security Requirements and Expectations (https://www.trellix.com/en-us/assets/legal/trellix-supplier-securityrequirements.pdf).

For more information on our privacy practices, please see our Privacy Notice (https://www.trellix.com/en-us/about/legal/privacy.html).