Data Processing Agreement
Effective as of November 26, 2025
According to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (the "GDPR"), as well as the data protection laws applicable in the United Kingdom of Great Britain and Northern Ireland, ESET (the "Processor") and the Customer (the "Controller") are entering into a data processing contractual relationship to define the terms and conditions for the processing of personal data, the manner of its protection, and the other rights and obligations of both parties in relation to the processing of personal data of data subjects on behalf of the Controller during the course of performing the subject matter of the Terms as the main contract.
- Personal Data. To provide the Services in compliance with the Terms, it may be necessary for the Processor to process information relating to an identified or identifiable natural person (the "Personal Data") on behalf of the Controller.
- Authorization. The Controller authorizes the Processor to process Personal Data, including the following instructions:
  - the "purpose of processing" shall mean the provision of ordered Services as defined in the Annexes in compliance with the Terms.
  - the "processing period" shall mean the period during which the Services shall be provided.
  - the "scope and categories of Personal Data" includes any Personal Data provided or made available by the Controller during the provision of Services, in particular any Personal Data submitted in Service requests or during the process of dealing with any Service requests, or any Personal Data that may be accessible or available to the Processor in case temporary or permanent access was granted by the Controller to their Products or devices over the course of the performance of Services.
  - the "Data Subject" refers to any natural person who is an authorized user of the Controller's devices and/or an employee or contractor of the Controller and, if applicable, of its affiliated entities, as well as any person whose data may be provided or made available by the Controller to the Processor over the course of the performance of Services.
  - the "processing operations" means every operation necessary for the purpose of processing.
  - the "documented Instructions" shall mean instructions for Personal Data processing described in the Terms, its Annexes, Service documentation, or in requests for provision of the Service.
- Obligations of Processor. The Processor shall be obliged to do the following:
  - to process Personal Data for the purpose of providing the Services in compliance with the Terms and only on the grounds of documented Instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or member state law or UK law; in such cases, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  - to instruct the persons authorized to process the Personal Data (hereinafter referred to as the "Authorized Persons") about their rights and duties according to the GDPR and about their liability in case of breach of those duties, and to ensure that Authorized Persons have committed themselves to confidentiality and to following the documented Instructions.
  - to take all measures related to the security of processing as required pursuant to Art. 32 of GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to ensure a level of security when processing the Controller's Personal Data that is appropriate to the risk.
  - taking into account the nature of processing, to assist the Controller by appropriate technical and organizational measures, insofar as it is possible, in the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of GDPR.
  - upon request, to provide reasonable assistance to the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor. The Processor shall notify the Controller of any breach of personal data processing or personal data security immediately after its discovery. The Processor shall cooperate to a reasonable extent in the investigation and remediation of such a breach, and take reasonable measures to limit further negative implications.
  - at the choice of the Controller, to delete or return all the Personal Data processed on behalf of the Controller within 30 (thirty) business days after the end of the provision of Services relating to processing, and to delete existing copies unless EU law or EU member state law requires storage of those Personal Data. The Controller undertakes to inform the Processor about its decision within ten (10) days upon the end of the Processing Period. This provision shall not affect the Processor's right to keep the Personal Data to the extent necessary for archival purposes in terms of special legislation or for the purpose of establishment, exercise or defense of legal claims.
  - to keep an up-to-date register of all the categories of processing activities that it has carried out on behalf of the Controller.
  - to make available to the Controller all information necessary to demonstrate compliance as part of the Terms, its Annexes, and Services documentation, and, if strictly necessary, to allow for audits conducted by the Controller or another auditor mandated by the Controller in relation to processing conducted within the scope of this Agreement. In case of an audit or control of the Personal Data processing from the Controller's side, the Controller shall be obliged to inform the Processor in writing at least ten (10) days before the planned audit or control.
- Engaging Another Processor. The Processor is generally entitled to engage another processor (the "Subprocessor") to carry out specific processing activities in compliance with the Terms, mainly this Agreement and the Services documentation. The Processor shall ensure that any such Subprocessor will be bound by the same obligations as set out in this Agreement. Even in this case, the Processor shall remain fully liable to the Controller for the processing of any Personal Data by the Subprocessor. For the purpose of performance of Services, the Processor engages the Distributor as its Subprocessor. The Processor is obliged to inform the Controller of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving the Controller the opportunity to object to such changes. Any objections to a new Subprocessor shall be received within seven (7) business days after notification; otherwise the new Subprocessor shall be deemed accepted by the Controller. If the Controller reasonably objects to a new Subprocessor, and the objection cannot be satisfactorily resolved within a reasonable time, the Controller may terminate this Agreement without penalty upon 30 (thirty) days' written notice to the Processor. If the Controller's objection remains unresolved 30 (thirty) days after it was raised and no notice of termination has been received, the Controller is deemed to accept the new Subprocessor.
- Territory of Processing. The Processor will do its best to ensure that processing takes place in the European Economic Area or in a country designated as safe by decision of the European Commission, based on the decision of the Controller. Standard Contractual Clauses (available here: Standard Contractual Clauses | ESET Services | ESET Online Help) shall apply in the case of transfers and processing of Personal Data located outside of the European Economic Area or a country designated as safe by decision of the European Commission.
- Security. The Processor is ISO 27001 certified and uses the ISO 27001 framework to implement a layered defense security strategy when applying security controls on the layers of network, operating systems, databases, applications, personnel, and operating processes. Compliance with the regulatory and contractual requirements is regularly assessed and reviewed similarly to other infrastructure and processes of the Processor, and necessary steps are taken to provide compliance on a continuous basis. The Processor has organized the security of the data using ISMS based on ISO 27001. The security documentation mainly includes policy documents for information security, physical security, and the security of equipment, incident management, handling of data leaks, security incidents, etc.
- Technical and Organizational Measures. The Processor shall protect the Personal Data against accidental and unlawful damage and destruction, accidental loss, alteration, unauthorized access and disclosure. For this purpose, the Processor shall adopt adequate technical and organizational measures corresponding to the mode of processing and to the risk that the processing presents for the rights of the Data Subjects, in compliance with the requirements of the GDPR. A detailed description of the technical and organizational measures is stated in the security documentation related to the specific Product.
- Processor’s Contact Information. All notifications, requests, demands and other communication concerning personal data protection shall be addressed to ESET, spol. s.r.o., attention of: Data Protection Officer, Einsteinova 24, 85101 Bratislava, Slovak Republic, email: dpo@eset.sk.