Netskope CCPA Compliance Statement

In the performance of Netskope’s cloud security services (“Services”) pursuant to an active master subscription agreement (“Agreement”) executed by Netskope and the end customer (“Customer”), Netskope supports the customer’s compliance for Processing covered by the California Consumer Privacy Act of 2018 (the “CCPA”). To confirm applicable aspects of the CCPA in connection with Customer’s use of the Services, Netskope is providing this Compliance Statement. Terms not defined below have the meanings given to them in the CCPA.

1. Limitations on Processing. Netskope will Process Personal Information only on Customer’s behalf, in the context of Services provided for Customer pursuant to the Agreement.

2. Consumer Requests. To the extent that Netskope stores Personal Information subject to the CCPA, at Customer’s request, Netskope will assist Customer with Customer’s obligation to respond to consumers’ requests to exercise their rights under the CCPA by securely deleting or destroying Personal Information pertaining to a consumer identified by Customer where such Personal Information is within possession or control of Netskope.

3. Deidentification and Aggregation. If the Services involve Processing Deidentified and/or Aggregated information, Netskope will do so only with Personal Information that has been Deidentified and/or Aggregated as those terms are defined below. For Deidentified information, Netskope will implement appropriate safeguards to prevent reidentification.

4. Information Security. Netskope maintains a written comprehensive data security program and maintains appropriate technical and organizational security procedures and practices designed to protect Personal Information against anticipated threats or hazards to its security, confidentiality or integrity. Netskope will ensure that persons authorized to access Personal Information are bound by confidentiality obligations.

5. Security Breach. Netskope will notify Customer without undue delay if Netskope learns that there has been unauthorized access, use, modification, disclosure, loss, or damage to Personal Information in the possession or control of Netskope (“Security Breach”). Netskope will provide reasonable assistance and cooperation in the remediation or investigation of a Security Breach and/or the mitigation of potential damage.

For purposes of the above, the following definitions apply: “Aggregated” information means information that relates to multiple Consumers that fall into the same group or category, from which individual Consumer identities have been removed, that is not linked or reasonably linkable to any Consumer or household, including via a device. “Consumer” means a natural person. “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular Consumer. “Personal Information” means any information provided to Netskope in connection with the Services, in any form, format or media (including paper, electronic and other records) that identifies an individual or relates to an identifiable individual and is subject to the CCPA. “Process” or “Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means. Processing includes the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, retention, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, sale, sharing or other use of Personal Information.