Cato Cloud Privacy Policy

KDDI Corporation (hereinafter referred to as the "Company") in order to recognize the importance of personal information and ensure that it is protected, in addition to complying with laws, ordinances, and guidelines, etc., relating to the Company’s business, personal information shall be handled as set forth below.

We handle information, such as customer name, address, email address, IP address, device log information, etc., collected via the services named “Cato Cloud Services” provided by Cato Networks Ltd., organized in Israel (hereinafter referred to as “Services”) through legal and fair means. There may be cases where customer information is not considered personal information due to its nature. We will, however, give due consideration to the handling of such information. In the event that such personal information is not provided, the business functions of the Service may not be available.

In the event that the Company acquires information prescribed by laws and regulations as sensitive personal information, the Company shall obtain such sensitive personal information after taking necessary measures such as obtaining consent in accordance with applicable laws and regulations.

The Company may use the personal information of customers for one or more of the following purposes.

• To provide the Service and enable the customer to use the Service efficiently.
• To process the details of the use of the Service by the customer.
• To notify customers of various services.
• To process the details of personal information voluntarily provided by the customer in relation to the Service.
• To perform, manage and execute agreements executed between the customer and the Company.
• To investigate, analyze, and develop our services and products.
• To notify of information related to the Service and other products of the Company.

The Company may use the personal information of customers in any of the following cases in accordance with applicable laws and regulations.

• When the customer consents
• When necessary based on the legitimate interests of the Company
• When based on laws and regulations
• When necessary to protect the life, body or property of a person
• When particularly necessary for the improvement of public health or the promotion of the sound development of children
• When it is necessary to cooperate with a state agency, local government, or a person entrusted by the same to perform the affairs prescribed by law

The Company shall retain the personal information of customers until the purpose of use is achieved. If the purpose of use is achieved, or if the Service itself is discontinued even though the purpose of use is not achieved, the Company shall delete such personal information without delay.

We may provide your personal data within the scope of the purposes of Article 2 to our affiliates, Group Company, Cato Networks, Ltd., Macnica Co., Ltd., which is the agent of Cato Networks, Ltd., and other third parties whom services are outsourced in providing the Service of customers to any third party. In order to provide the Service, the Company may transfer your personal information to a country other than the country in which you are located. Such countries include Japan and Israel, etc., and these countries may not have the same level of data protection as the country where you are located. When personal data is provided to a third party in a foreign country, necessary measures such as obtaining consent and entering into a data transfer agreement shall be taken in accordance with the provisions of applicable laws and regulations. In the event that detailed information is obtained, such as obtaining a copy of a document used to protect customer information, please contact the [KDDI Corporation Personal Information Disclosure Consultation Office] noted in Article 5.

The Company shall take necessary and appropriate measures for the management of access to personal information, the restriction of the means of taking personal information off-premises, the measures to prevent unauthorized access from the outside, and other measures to prevent leakage, loss, or damage of personal information, as well as for the safety management of personal information (here in after referred to as “Safety Management Measures”) . When implementing safety management measures, the Company will appropriately implement technical protection measures and organizational protection measures as follows, utilizing the framework of related laws and regulations, guidelines, and ISMS (Information Security Management System).

We will manage access to personal information (limitation of access privileges (including measures such as immediately invalidating the account of transferred or retired employees), monitoring of access status (e.g., long-term storage of access logs), periodic password changes, management of access, etc.). We will implement restrictions on the means by which personal information can be taken out (such as prohibition of unauthorized recording on external recording media, and monitoring of emails between internal and external parties by establishing internal rules, etc.). Take measures to prevent unauthorized access from the outside (e.g., installing a firewall).

a) Employees (including temporary employees) Director of

In addition to appointing an "Information Security Manager" as the person responsible for personal information management, we will clearly stipulate the responsibilities and authority of employees concerning the safety management of personal information. We will establish internal rules and manuals related to safety management, ensure that employees comply with them, and conduct appropriate audits of compliance status. We will provide employees with education and training on the safety management of personal information.

b) Supervision of outsourcees

The Company may contract all or part of the handling of personal information. In such a case, the Company shall select a outsourcees that is deemed to handle personal information appropriately, and in the outsourcing agreement, shall appropriately prescribe the matters relating to the handling of personal information, such as the safety management measures, confidentiality, subcontracting conditions, and the return of personal information at the time of the ending of the outsourcing agreement, and shall conduct the necessary and appropriate supervision.

If you or your agent exercise your rights under the applicable law, such as withdrawing consent, access, deletion, objection, or data portability, etc., please contact us via our consultation office below.

In addition, in the event of an objection to the handling of personal information of the Company, the customer may be able to file an objection with the protection authorities of the country or region in which the customer is located, and the dispute resolution organization may resolve the dispute pursuant to the provisions of the "Cato Cloud Terms of Use".

[KDDI Corporation Personal Information Disclosure Consultation Office]

sl-privacy@kddi.com

In addition to the provisions set forth above, personal information of customers residing in the State of California, the United States (refers to information that can directly or indirectly identify, relate, explain, refer to, relate to, or reasonably combine a specific consumer or household. The same shall apply hereinafter in these Supplementary Provisions.) apply to the handling of accordance with the provisions of the California Consumer Privacy Act of 2018(“CCPA”).

The Company has collected from customers the categories of personal information listed below in the past 12 months and will continue to collect the categories of personal information listed below.

The Company shall not collect categories of personal information other than the above without notifying the customer, and shall not use the personal information collected for any materially different, unrelated, or inconsistent purpose.

The Company may share or disclose the personal information of customers to third parties for business or commercial purposes. In the event that personal information is disclosed to a service provider for business or commercial purposes, the Company will state such purpose, and will enter into an agreement with the service provider that requires the confidentiality of personal information and the prohibition of the use of personal information for purposes other than the performance of a contract.

During the past 12 months, the Company has shared or disclosed personal information to the following categories of third parties, depending on business or commercial purposes.

• Group Company
• A service provider, including companies that provide network security services.

We have not sold any personal information in the past 12 months.

The CCPA provides individual rights to personal information to consumers residing in California. The following describes the customer's rights based on the CCPA and explains how to exercise them.

The customer has the right to require the Company to disclose to the customer certain information relating to the Company's collection, sharing, disclosure or use of the personal information of the customer during the past 12 months prior to the time of the customer's request. The Company, in the event of receiving and confirming a verifiable claim from the customer, shall disclose to the customer all or a part of the information stated below.

• Categories of Personal Information Collected by the Company in Relation to Customers
• Category of the source of the personal information collected by the Company in relation to the customer
• For the business or commercial purposes of collecting or selling the personal information
• Category of the third party to which the Company shares or sells the personal information
• Categories of personal information sold by each third party selling personal information
• Category of personal information disclosed for business or commercial purposes
• Specific portions of the personal information collected by the Company in relation to the customer.

The customer, with the exception of certain exceptional circumstances, has the right to demand that the Company delete any part of the customer's personal information collected and retained by the Company from the customer. When the Company receives and confirms the verifiable customer's claim, unless exceptions apply, the Company will delete (and instruct the service provider to delete) the customer's personal information from the Company's records.

The Company, for the following purposes, in the event of the retention of said information being required by the Company or the Company's Service Propider, may reject a request for deletion by the customer.

• To complete transactions in which personal information is collected by the Company, to provide products or services requested by the customer, to take reasonably foreseeable measures within the scope of the status of the ongoing business relationship between the customer and the Company, or to perform other agreements between the customer and the Company.
• To detect security incidents, to protect against malicious intent, fraud, fraudulent acts, or illegal acts, or to prosecute parties responsible for these acts.
• To debug a product to identify and correct errors that interfere with an existing intended function.
• To exercise free speech, to ensure the right of customers to exercise other free speech, or to exercise other rights stipulated by law.
• To comply with the California Electronic Communication Privacy Act (California Code of Penal Code, Article 1546 onwards).
• To engage in public or referential scientific, historical, or statistical research that contributes to the public interest in which all other applicable ethics and privacy laws have been adhered to, and there is a possibility that the implementation of the research will be impossible or significantly impaired if the relevant information is deleted, and if informed consent has been obtained in advance by you.
• To enable only internal use that reasonably conforms to customer expectations based on the relationship between the customer and the Company.
• To comply with legal obligations.
• In addition, in order to legally use such information internally in a manner that conforms with the situation in which it is provided by the customer.

The Company does not sell or will not sell personal information collected from customers.

The Company shall not discriminate against residents of the State of California by exercising their rights based on the CCPA. In addition, except when permitted by CCPA, the Company shall not perform the following.

• refuse to provide the Products or Services to the Customer;
• We will charge different prices or charges to the customer for our products or services, including the case where discounts or other benefits are granted or penalties are imposed.
• Provide customers with products or services of different levels or quality.
• It suggests that the customer may receive products or services at different prices or fees, or products or services with different levels or quality.

In order to exercise the above access rights and right to delete, please contact the above KDDI Personal Data Disclosure Consultation Office and make a verifiable request to the Company.

Only the customer, that is, an entity registered with the State Secretary of State of California to whom the customer has granted authority to act on behalf of the customer in California may make verifiable claims relating to the personal information of the customer. Further, the customer may make verifiable claims on behalf of the customer's minor child.

For verifiable invoices,

• the customer must provide sufficient information for the Company to reasonably confirm that the customer is the person who collected the personal information or authorized agent.
• The customer's claim shall be appropriately understood, evaluated and explained in sufficient detail to the extent that the Company responds to the claim.