EMAIL SECURITY MSA ADDENDUM

This Security Email Data Processing Addendum (this “Addendum”) supplements and amends the Master Subscription Agreement (the “MSA”) between TeamGuard AI, Inc. d/b/a Adaptive Security (“Adaptive”) and the Customer identified on the applicable Adaptive Order Form, on behalf of itself, its Affiliates, and its Authorized Users (collectively, the “Customer”). Capitalized terms not defined herein have the meanings given in the MSA. In the event of any conflict between this Addendum and the MSA, this Addendum shall control.

  1. Scope. This Addendum applies to Customer’s use of Adaptive’s email data security products and any Adaptive features or services that involve the automated scanning, analysis, or processing of Customer emails (collectively, the “Email Security Products”). Customer acknowledges that the Email Security Products involve the use of artificial intelligence and machine learning technology (collectively, “AI”).

  1. Email Data Processing. Customer acknowledges and agrees that the Email Security Products will access and process emails sent to, from, or within Customer’s connected email environment, including incoming, outgoing, and internal emails (“Email Data”), for the purpose of detecting, analyzing, classifying, and remediating potential security threats and otherwise providing the Email Security Products. 

  1. Data Use Rights. In addition to the rights granted under Section 2 of the MSA, Customer hereby grants Adaptive a non-exclusive, royalty-free, worldwide license to use Aggregated Anonymized Email Data and Derived Data to:

    1. train, develop, and improve Adaptive’s internal AI models and algorithms;
    2. develop and maintain a global threat intelligence database to identify malicious patterns, sender behaviors, and attack techniques across Adaptive’s customer base; and
    3. improve, enhance, and develop Adaptive’s products and services, including Adaptive’s Platform, systems, tools, general threat intelligence, detection efficacy, protection against emerging threats, Email Security Products, and future security offerings.


For the avoidance of doubt, the license granted in this Section 3 does not extend to Raw Email Data (including email bodies, attachments, or metadata identifying individuals). Adaptive’s use of Raw Email Data is limited solely to providing and supporting the Email Security Products as described in Section 2 and subject to the retention limits in Section 6.


Aggregated Anonymized Email Data” means Email Data that has been aggregated and de-identified (including through anonymization and other technical measures) such that it is not intended to identify Customer or any Authorized User and is maintained in a form that does not reasonably permit attribution to Customer or any Authorized User. For avoidance of doubt, Aggregated Anonymized Email Data is not considered Customer Information.


Malicious Email Data” means Email Data that Adaptive (or the Email Security Products) identifies or reasonably suspects to be malicious, suspicious, fraudulent, or otherwise potentially harmful, including phishing, malware, business email compromise, social engineering, and similar attacks. 


Derived Data” means data, signals, features, embeddings, vectors, classifications, scores, indicators, observations, and other data generated from processing Email Data, provided that such data does not identify Customer or any individual and cannot reasonably be used to reidentify Customer or any individual. For avoidance of doubt, Derived Data is not considered Customer Information.


“Raw Email Data” means unprocessed Email Data, including email bodies, headers, metadata, and attachments, prior to aggregation, anonymization, or derivation.

  1. Malicious Email Use for Security and Improvement. Customer acknowledges and agrees that Adaptive may retain, analyze, and use Malicious Email Data as necessary to detect, investigate, remediate, and prevent security threats, and to improve Adaptive’s detection capabilities, including training, developing, and improving Adaptive’s internal AI models and algorithms, and developing threat intelligence, in each case subject to Section 5 of this Addendum.
  1. Data Safeguards
    1. When exercising the rights granted under this Addendum, Adaptive shall:
      1. implement commercially reasonable technical and organizational measures to protect Email Data, including encryption in transit and at rest;
      2. not sell Email Data to third parties;
      3. when using third-party large language model providers, use only services that do not retain Customer data for training purposes (i.e., “zero data retention” providers);
      4. Not use Raw Email Data (including email bodies and attachments) for training AI models, except as expressly permitted for Malicious Email Data under Section 4;
      5. limit internal access to Raw Email Data to personnel with a need-to-know basis for providing and supporting the Email Security Products.
    2. Adaptive may use service providers (including hosting, observability, security operations, and support providers) to process Email Data solely to provide and improve the Email Security Products, subject to appropriate confidentiality and security obligations. Such service providers may include vendors that assist with security analysis and quality assurance, including annotation services. Adaptive’s service providers will process Email Data only on Adaptive’s instructions and not for their own purposes.
  1. Data Retention.
    1. Aggregated Anonymized Email Data and Derived Data. Adaptive may retain Aggregated Anonymized Email Data and Derived Data after the expiration or termination of the Agreement, subject to applicable Data Protection Laws. Because this data cannot reasonably identify Customer or any individual, it is not subject to the deletion or retention limits applicable to Raw Email Data under this Agreement.
    2. Raw Email Data. Adaptive will delete or de-identify Raw Email Data (including email bodies and attachments) within ninety (90) days of processing, unless a longer retention period is required for an active security investigation under Section 6(c) or by applicable law. During the retention period, Raw Email Data will be used solely to provide the Email Security Products and support active security investigations.
    3. Malicious Email Data. Adaptive may retain Malicious Email Data for up to one hundred eighty (180) days following detection to support investigation, remediation, and improvement of security detections. If Customer requests earlier deletion of specific Malicious Email Data, Adaptive will use commercially reasonable efforts to honor such request within thirty (30) days, except where retention is required by applicable law or an active security investigation.
    4. Email Metadata. Adaptive may retain email metadata (e.g., sender/recipient addresses, timestamps, subject lines) for up to one hundred eighty (180) days for security analytics and threat intelligence purposes, after which it will be deleted or de-identified.
  1. Customer Data Deletion Rights.
    1. Deletion Requests. Customer may request deletion of its Raw Email Data and Malicious Email Data at any time by submitting a written request to Adaptive at the designated contact address (or such other method as Adaptive may provide). Adaptive will acknowledge receipt within five (5) business days.
    2. Deletion Timeline. Adaptive will complete deletion of the requested data within thirty (30) days of receiving the request, and will provide written confirmation of deletion upon completion.
    3. Exceptions. Adaptive is not required to delete data to the extent that retention is: (i) required by applicable law, regulation, or legal process; (ii) necessary for an active, documented security investigation; or (iii) technically infeasible (e.g., data already incorporated into Aggregated Anonymized Email Data or Derived Data). If any exception applies, Adaptive will notify Customer of the exception and the basis for it.
    4. Termination. Upon expiration or termination of the Agreement, Adaptive will delete all Raw Email Data and Malicious Email Data within sixty (60) days, subject to the exceptions in Section 7(c). Customer may request written confirmation of such deletion.
  1. Survival. The licenses granted in this Addendum shall survive termination or expiration of the Agreement solely with respect to Aggregated Anonymized Email Data and Derived Data generated prior to such termination or expiration. For the avoidance of doubt, Adaptive’s rights to Raw Email Data and Malicious Email Data terminate upon expiration or termination of the Agreement, subject to Section 7(d).
  2. General. Except as expressly modified by this Addendum, the MSA remains in full force and effect. This Addendum may be executed in counterparts.