Abnormal AI, Inc. Service Privacy Notice

Last Updated: March 2026

This Privacy Notice explains how Abnormal AI, Inc. (“Abnormal,” “we,” or “us”) collects, uses, shares, and otherwise processes your personal information (also known as personal data) in connection with our products and services (the “Service”). It also contains information about your choices and privacy rights.

We recommend that you read this Privacy Notice in full to ensure that you are informed.

Service

In the event of any conflict or inconsistency between the Privacy Notice and the Customer Agreements, the Customer Agreements will control.

We provide the Service to our customers and users (collectively, “Customers”) under an Agreement with them and solely for their benefit and the benefit of personnel authorized to use the Service. Abnormal processes personal information only as provided in our agreements with the relevant Customer, such as our Cloud Terms of Service. Abnormal also includes for our Customers a Data Processing Addendum (DPA), accompanying our Cloud Terms of Service, which contains the Standard Contractual Clauses, for transfers between us and our Customers (collectively, “Customer Agreements”). Additional information about our privacy and security practices for the Service is available in our Security Hub and the Information Security Policy. Customers may choose to enable integrations or exchange personal data from the Service with third-party platforms. Your use of third-party platforms and how such providers use personal data is governed by the terms of use and privacy notices of such third party platforms.

Notice to Users

Our Service is intended to be used by Customers. Where the Service is made available to you through a Customer (e.g., your employer), the Customer is the administrator of the Service and responsible for the accounts and/or services over which it has control. For example, administrators can access and change information in your account or restrict and terminate your access to the Service. We are not responsible for the privacy or security practices of a Customer, which may be different from this Privacy Notice. Please contact the applicable Customer or refer to your organization’s policies for more information.

1. Information We Collect About You

To use the Service, a user typically authenticates by means of a Customer’s single-sign-on (SSO) provider, so we do not collect or process any personally identifiable login credentials; however, we do collect the IP address from which the user logs into the Service each time. In addition, as part of its normal functioning, the Service collects personal information contained in message content and file attachments; user information including user names, roles, email, group assignments, and configurations; and personal data contained within activity logs, audit logs, and administrator reports (“Service Information”).

1a. Information we collect automatically

When you use our Service, we automatically collect information about how you are using the Service:

  • Information about your account (such as user ID, email address, or Internet Protocol (IP) address);
  • Information about your computer or device (such as browser type and operating system);
  • Information about your activities within the Service, such as the pages or features you access or use, the time spent on those pages or features, search terms entered, commands executed;
  • Information about the types and sizes of files analyzed via the Service; and
  • Other statistical information relating to your use of the Service.

2. How We Use Your Information

Our purposes for the collection of your personal information include:

  • To implement, provide, maintain, improve, and update the Service;
  • To understand how our Authorized Users and Customers are using the Service;
  • To develop new features, products and services;
  • To create and maintain your Service portal account;
  • To send notifications within the Service;
  • To provide you with customer service and support;
  • For billing, payment, or account management; for example, to identify your account and correctly identify your usage of our products and services;
  • To respond to your responsible disclosure reports;
  • To measure your use and improve the Service, and to develop new products and services;
  • To generate and analyze statistical information about how the Service is used in the aggregate;
  • For other legitimate interests or lawful business purposes; for example, customer surveys, collecting feedback, and conducting audits;
  • To comply with our obligations under applicable law, legal process, or government regulation; and
  • For other purposes, where you have given consent.

We do not sell Customer Data. We do not share, transfer, or disclose Customer Data to third parties except as necessary to provide and support the Service, including to our service providers (subprocessors) who process data on our behalf and are bound by contractual obligations, including confidentiality and data protection requirements; or as directed by the customer through use of the Service, including when enabling third-party integrations. We use Customer Data solely for the purpose of providing and improving the Service and do not use such data for advertising or unrelated purposes.

3. International Transfers

Abnormal may transfer your personal information to countries other than your country of residence. In particular, we may transfer your personal information to the United States and other countries where our affiliates, business partners, and service providers are located. These countries may not have equivalent data protection laws to the country where you reside.

Wherever we process your personal information, we take appropriate steps to ensure it is protected in accordance with this Privacy Notice and applicable data protection laws. These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information from the European Economic Area or Switzerland between us and our business partners and service providers, and equivalent measures for transfers of personal information from the United Kingdom.

4. Your Choices and Rights

We offer you choices regarding the collection, use, and sharing of your personal information and we will respect the choices you make in accordance with applicable law. You may choose (opt-out) whether your personal information is (i) disclosed with a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized. You may indicate your choice by clicking through the appropriate dialogue box to opt out or by emailing us at privacy@abnormal.ai. Please note that if you decide not to provide us with certain personal information, you may not be able to use our Service.

4a. Opt out of marketing

We may periodically send you marketing communications that promote our products and services consistent with your choices. You may opt-out of receiving such communications by following the unsubscribe instructions in the communication you receive. Please note that we may still send you important service-related communications regarding our products or services, such as communications about your subscription or account, service announcements, or security information.

4b. Additional Information for Certain Jurisdictions

Depending upon your place of residence, you may have rights in relation to your Personal Data. Please review the jurisdiction-specific sections below, including the disclosures for California residents. Depending on applicable data protection laws, those rights may include asking us to provide certain information about our collection and processing of your Personal Data or requesting access, correction, or deletion of your Personal Data. You also have the right to withdraw your consent, to the extent we rely on consent to process your Personal Data.

This section provides additional information about our privacy practices for certain jurisdictions. In the event of any conflict or inconsistency between the Privacy Notice and the DPA, the DPA will control.

California

If you are a California resident, the California Consumer Privacy Act (“CCPA”) requires us to provide you with additional information regarding your rights with respect to your “personal information.”

You may make the following types of requests under the CCPA with respect to personal information that we process on your behalf. Note: if you wish to make a CCPA request concerning Personal Information submitted through or otherwise made available to the Service, please direct your request to the relevant Customer directly, as that data is governed by the terms of our agreement with our Customer.

Request to Know, Correct, and Delete: You may request

  • Access to a copy of the specific pieces of personal information that we have collected about you;
  • Correction of personal information that we maintain about you if it is inaccurate; and/or
  • Deletion of personal information, subject to certain exceptions.

Requests to Opt-Out of Sale or Sharing: You may also opt out of the “sale” or “sharing” of your personal information, as “sale” and “sharing” are defined under CCPA. You may opt out of the “sale” or “sharing” of personal information as described in the “Opt out of marketing” section of this Privacy Notice.

Other US States

Depending on applicable laws in your state of residence, you may request to (1) confirm whether or not we process your personal information; (2) access, correct, or delete the personal information we maintain about you; (3) receive a portable copy of such personal information; and/or (4) restrict or opt out of certain processing of your personal information, such as targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. If we refuse to take action on a request, we will provide instructions on how you may appeal the decision. We will respond to requests consistent with applicable law.

European Economic Area, UK and Switzerland

If you are located in the European Economic Area, United Kingdom, or Switzerland, the controller of your personal information is Abnormal AI, Inc., 8474 Rozita Lee Ave, Suite 420 Las Vegas, NV 89113.

We collect your personal information if we have a legal basis for doing so. The legal basis we rely on depends on the personal information and the specific context in which we collect it. Generally, we collect and process your personal information where:

  • We need it to enter into or perform a contract with you, respond to your request, or provide you with customer support;
  • We need to process your personal information to comply with a legal obligation (such as to comply with applicable legal, tax, and accounting requirements) or to protect the vital interests of you or other individuals;
  • You give us consent, such as to receive certain marketing communications; or
  • Where we have a legitimate interest, such as to respond to your requests and inquiries, to ensure the security of the Sites and Service, to detect and prevent fraud, to maintain, customize and improve the Sites and Service, to promote Abnormal and our Service, and to defend our interests and rights.

If you have consented to our use of your personal information for a specific purpose, you have the right to change your mind at any time but this will not affect our processing of your information that has already taken place. You also have the following rights with respect to your personal information:

  • The right to access, correct, update, or request deletion of your personal information;
  • The right to object to the processing of your personal information;
  • The right to withdraw your personal information at any time, if we collected and processed your personal information with your consent; and
  • The right to lodge a complaint with your national data protection authority or equivalent regulatory body.

If you wish to exercise any of your rights under data protection laws, please contact us as described under “Your Choices and Rights”.

5. Data Security and Retention

1. Policies and Procedures. Abnormal has implemented and will maintain security, privacy, confidentiality, availability, and code of conduct policies and procedures designed to ensure that the Service and Abnormal’s employees and contractors (“Personnel”) process Customer Data in accordance with this Policy and the Agreement. Abnormal has implemented and will enforce disciplinary measures against Personnel for failure to abide by the aforementioned policies and procedures.

2. Logical Access Controls. Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for Personnel with access to Customer Data, including without limitation, by assigning each Personnel unique authentication credentials for accessing any system on which Customer Data is processed and prohibiting Personnel from sharing their authentication credentials. Abnormal will restrict access to Customer Data solely to those Personnel who need access to Customer Data to perform Abnormal’s obligations under the Agreement.

Further, Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help detect and prevent unauthorized access to its networks, servers, and applications, including but not limited to those that process Customer Data. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers, and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal has implemented and will maintain procedures and policies that are designed to ensure that, upon termination of any Personnel, the terminated user’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases, revocation will occur no later than twenty-four (24) hours following such termination.

3. Intrusion Prevention. Abnormal utilizes reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers, and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and firewall rules.

4. Physical Access. Abnormal limits physical access to its office facilities using physical controls (e.g., coded badge access). Abnormal regularly assesses the cloud hosting provider’s ability to provide reasonable assurance that access to their data centers and other areas where Customer Data is stored is limited to authorized individuals. Cloud hosting provider data centers and Abnormal office facilities leverage camera or video surveillance systems at critical internal and external entry points and are monitored by security Personnel.

5. Environmental Protection. Abnormal regularly assesses the cloud hosting provider’s ability to provide reasonable assurance that cloud hosting provider data centers implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.

6. Backup, Disaster Recovery, and Business Continuity. Abnormal will: (a) back up its production file systems and databases according to a defined schedule and conduct regular testing of backups; and (b) maintain a disaster recovery plan for the production data center and maintain business continuity plans designed to manage and minimize the effects of disaster events or unplanned operational disruptions with a stated goal of resuming routine service within forty-eight (48) hours; and (c) conduct regular testing of the effectiveness of such plans.

7. Security Incident Response. For purposes of this Policy, any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data is a “Security Incident”. Abnormal will: (a) take reasonable measures to implement and maintain logging and monitoring technologies designed to identify, alert, and analyze security events; and (b) maintain plans and procedures to be followed in the event of an actual or suspected Security Incident (“Incident Response Plans”). The Incident Response Plans require Abnormal to undertake a root cause analysis of any actual or suspected Security Incident and to document remediation measures.

8. Security Incident Notification. Abnormal will implement and follow procedures that are designed to detect and respond to Security Incidents and will notify Customer of any Security Incident affecting its Customer Data within forty-eight (48) hours of Abnormal becoming aware of the Security Incident, regardless of whether the Security Incident triggers any applicable breach notification law. Such notification will be executed using the contact information provided by Customer under the Records and Validation section of the Agreement.

Notice to a Customer will include: (a) a description of the nature of the Security Incident, including the categories and approximate number of Customer’s data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Incident; (d) a description of the measures taken or proposed to address or mitigate the adverse effects of the Security Incident, to the extent within Abnormal’s reasonable control.

9. Storage and Transmission Security. Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol. Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices or other similar portable electronic media.

10. Data Retention and Secure Disposal. Abnormal will retain and securely dispose of Customer Data in accordance with the Agreement. During the Subscription Term, Customer may, through the features of the Service, access, return to itself, or delete Customer Data. Following termination or expiration of the Agreement, Abnormal will delete all Customer Data from Abnormal’s systems. Deletion will be in accordance with industry-standard secure deletion practices. Abnormal will issue a certificate of deletion upon Customer’s written request. Notwithstanding the foregoing, Abnormal may retain Customer Data: (a) as required by applicable laws, or (b) in accordance with its standard backup or record retention policies, as governed by the Agreement.

11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and to Customer Data, and determine if existing controls, policies, and procedures are adequate.

12. Subprocessors. Abnormal will authorize third-party service providers to access or process Customer Data (“Subprocessors”) only in accordance with the requirements and procedures specified in the Agreement, and specifically in the DPA. Prior to authorizing Subprocessors, Abnormal security Personnel will conduct a risk assessment of each Subprocessor to seek assurances of its data security practices (e.g., in the form of an independent third-party audit report such as the SOC 2 Type 2, ISO 27001, or a vendor security and risk evaluation). Abnormal enters into written agreements with its Subprocessors with security and data processing obligations substantially the same as those contained in this Policy.

13. Change and Configuration Management. Abnormal has implemented and will maintain processes for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.

14. Release Management. Abnormal follows a continuous release process versus a standard release schedule and does not require a maintenance downtime window for the Service when pushing a new release. No Customer interaction is required to upgrade to the new version; the release is automatically applied to all Customers. Releases follow Abnormal’s change management procedures that are designed to ensure that releases are tested and approved prior to push to production. Abnormal communicates release information using the notification functionality within the Service.

15. Training. Abnormal will undertake the following measures that are designed to ensure that Personnel who will have access to Customer Data are appropriately qualified and trained to handle Customer Data:

15.1. Information Security and Privacy Awareness Training. Upon hire and at minimum annually thereafter, Abnormal will require security and privacy awareness training to all Personnel who will process or have access to Customer Data. Abnormal security and privacy awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and social engineering mechanisms.

15.2. Secure Code Training. Abnormal will require training on secure coding principles and their application, at minimum annually, for all Personnel who develop or handle any Abnormal source code. Abnormal secure code training will cover topics such as: (a) the Open Web Application Security Project list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.

16. Background Checks. Abnormal Personnel will undergo a civil and criminal background check, to the extent permitted by applicable law.

17. Audit and Assessments. Abnormal has implemented and will maintain a Compliance Audit Program including assessments performed by an independent third-party (“Auditor”) and defined Customer audit rights in accordance with the Agreement.

17.1 Independent Security Audit. Abnormal will engage an Auditor to certify compliance with the ISO 27001 standard, and conduct a SOC 2 Type 2 audit with a scoped audit period of a maximum 12 months to demonstrate its compliance with the security requirements of the Security Program. Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability, Confidentiality, and Privacy. Abnormal will make available to Customer publicly available certificates and summary copies of its SOC 2 Type 2 audit report (each, an “Audit Report”) on the Security Hub.

17.2 Customer Audits. Abnormal will make available the information necessary to demonstrate its compliance with the Security Program to support Customer in obtaining the information necessary to complete Customer’s audits, reviews, risk assessments, and security-related questions of Abnormal as Customer’s vendor. Please see the Security Hub for this information. For further details on Customer audit rights, please see your Data Processing Addendum (DPA).

17.3 Penetration Tests. At least once per twelve (12) month period, Abnormal will undertake a network penetration test by an independent third-party. Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data. Abnormal will remediate all vulnerabilities that the penetration test identifies in accordance with the following remediation timelines:

  • Critical: 15 days
  • High: 30 days
  • Medium: 60 days
  • Low: Reasonable timeframe based on nature and probability of exploitation

18. Artificial Intelligence Governance.

18.1. Abnormal uses industry standards to adopt, maintain, and adhere to policies and procedures related to the development and use of artificial intelligence (“AI”) in the Service, including but not limited to the design, development, testing, evaluation, validation, verification, and deployment of AI.

18.2. AI used as a part of the Service is designed to: (i) be in compliance with applicable laws and regulations over the use of AI; (ii) be responsible and ethical in its use; (iii) minimize bias; (iv) minimize hallucinations; (v) introduce human involvement where appropriate for corrective action; and (vi) not introduce any action or decision that impacts the fundamental rights or safety of natural persons.

18.3. Abnormal will make available to Customer, at security.abnormalsecurity.com, a plain-language summary of information about the use of AI in the Service and AI governance so that Customer may perform AI assessments.

All information exchanged between the Parties in the course of the activities described in all Sections above is deemed to be Abnormal Confidential Information.

Please use this Privacy Notice for as long as you use our Service, as may be required by law (for example, to comply with applicable legal tax or accounting requirements), as necessary for other legitimate business or commercial purposes described in this Privacy Notice (for example, to resolve disputes or enforce our agreements), or as otherwise communicated to you. The use and transfer of raw or derived user data received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6. Children’s Data

The Sites and Service are not directed to children under 18 years of age, and Abnormal does not knowingly collect personal information from children under 18. If we learn that we have collected any personal information from children under 18, we will promptly take steps to delete such information. If you are aware that a child has submitted such information, please contact us using the details provided below.

7. Artificial Intelligence Tools

Abnormal’s commitment to transparency and responsible data handling extends to the use of Artificial Intelligence Tools (AI Tools) within our Sites, Service, and Corporate Operations. The AI Tools used by Abnormal AI do not utilize any artificial intelligence within the scope of the EU-AI Act. Our AI Tools may process personal information to enhance user experience, provide personalized recommendations, and improve our overall service delivery. Any data processed by our AI Tools is treated with the utmost confidentiality, and we strictly adhere to data protection regulations.

Changes To Privacy Notice

Abnormal may change this Privacy Notice from time to time. We will post any changes on this page and, if we make material changes, provide a more prominent notice (for example, by adding a statement to the website landing page, providing notice through the Service, or by emailing you). You can see the date on which the latest version of this Privacy Notice was posted above.

How To Contact Us

Please contact us at privacy@abnormal.ai if you have any questions about our privacy practices or this Privacy Notice. You can also write to us at:

Abnormal AI, Inc
8474 Rozita Lee Ave, Suite 420
Las Vegas, NV 89113
Attn: Privacy

If you interact with Abnormal through or on behalf of a Customer, then your personal information may also be subject to the applicable Customer’s privacy practices and you should direct any questions to that organization.