SUPPLEMENTAL STATEMENT ON DATA PROCESSING (SUPPLEMENTAL STATEMENT)

Supplemental Statement On Data Processing (hereinafter “Statement”) relates to the computer program Kaspersky Anti-Ransomware Tool for Business (hereinafter “Software”).

All terms used in this Statement have the same meaning as defined in the “Definitions” clause of the End User License Agreement (EULA).

This Statement along with the EULA for the Software, in particular in the Section “Conditions regarding Data Processing,” specifies the conditions, responsibilities, and procedures relating to transmission and processing of the data indicated in this Statement. Please carefully read the terms of the Statement, as well as all documents referred to in the Statement, before accepting it.

When the End User uses the Software, the End User is fully responsible for ensuring that the processing of personal data of Data Subjects is lawful, particularly, within the meaning of Article 6 (1) (a) to (1) (f) of Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) if Data Subject is in the European Union, or applicable laws on confidential information, personal data, data protection, or similar thereto.

Data Protection and Processing

The Rightholder handles the data it receives from the End User under this Statement in accordance with the Rightholder’s Privacy Policy published at: https://www.kaspersky.com/products-and-services-privacy-policy.

Purposes of Processing Data

During use of the Software, processing data is necessary to protect the End User from known threats to information security, as described in the User Manual. Processing data under this Statement could lead to an increase in the effectiveness of protection against information and network security threats provided by the Software.

The purposes are achieved by:
- determining the reputation of scanned objects;
- identifying information security threats that are new and challenging to detect, and their sources;
- taking prompt measures to increase the protection of the data stored and processed by the End User on the Computer;
- reducing the likelihood of false positives;
- increasing the efficiency of Software components;
- investigating infection of a user’s computer;
- improving the performance of the Rightholder’s products;
- receiving reference information about the number of objects with known reputation.

Processed Data

During use of the Software, the following data will be sent to the Rightholder automatically and on a regular basis under this Statement:
- information to check the reputation of the URL from which the checked file was downloaded: the URL of the download page, download protocol identifier and connection port number;
- information to check the file's reputation: file’s checksums (MD5, SHA2-256);
- information about running applications and their modules:
  - information about the file of the detected process (the name and the full path to the object on the Computer, anonymized IP address (IPv4 and IPv6) of the blocked object’s host, code of the path template, size of files, checksums (MD5, SHA2-256) of the files being processed, date and time of the file’s first detection in the system, the file’s trusted certificate flag, the file's trusted signature flag, file autorun status, the flag indicating whether the object is a container, the flag indicating whether the file is a critical operating system file, the flag indicating whether the object is an interpreted script, level of the process’s integrity), information about performed scan (identifiers for the anti-virus databases and database record the Software used to make a decision, name of the detected threat according to the Rightholder’s classification, level of danger, the status and method of detection, verdict type, reason for including the file in the analyzed context and the file’s serial number in the context);
- information about the number of objects that the user marked as trusted, the number of objects that were blocked;
- information about rolling back of malware’s activities: data about the file whose activities are being rolled back (file name, full path to the file, the template code of the path to the file, file's size and checksums (MD5, SHA2-256, SHA1), the URL from which the file was downloaded), the ID, type, and version of the database record by which the threat was detected, verdict name, data about successful and unsuccessful actions to restore (delete, rename, and copy) files and values in the registry (names of registry keys and their values), information about objects changed by malware (file name, full path to the file and the template code of the path to the file or registry value before/after rollback, file's size and checksums (MD5, SHA2-256), the URL from which the file was downloaded);
- information about updates of anti-virus databases and Software components: the name, date and time of index files downloaded during the last update and being downloaded during the current update, as well as the date and time of completion of the last update, names of the files of updated categories and their checksums (MD5, SHA2-256, SHA1), anti-virus database release date and time, the date and time of the last reinitialization of the anti-virus databases after their last update, and the total number of anti-virus databases reinitializations;
- information about third-party applications that caused the error: name, version and localization, the error code and information about the error from the system application log, the address of the error and memory stack of the third-party application, checksums (MD5, SHA2-256) of the application process image, in which the error occurred, name and path to the application process image and template code of the path, information about application service process (CPU usage, number of active threads, number of idle threads), information about the application module in which the error occurred (error identifier, crash memory address as an offset in the application module, name and version of the module, application operation time before the crash);
- information about third-party anti-virus software installed on the user's computer: type, name, manufacturer, product status when the statistics are sent;
- information about operation of the updater component: version, number of crashes of the updater component while running update tasks over the component's operation time, ID of the update task type, number of failed attempts of the updater component to complete update tasks, the error code, the status ID of the Software;
- information about operation of the system monitoring components: full versions of the components, information about the event which caused queue overflow (code of the event and number of such events), the total number of queue overflow events, information about the file of the event initiator process (file name and its path on the Computer, template code of the file path, checksums (MD5) of the process associated with the file), information about the interception event (identifier of the event interception that occurred, the full version of the interception filter, identifier of the type of the intercepted event), size of the event queue and the number of events between the first event in the queue and the current event, number of overdue events in the queue, duration of the event processing, duration of the event processing in the databases, maximum duration of the event processing, probability of sending statistics, information about the events for which the processing time threshold was exceeded (event code, number of such events, event processing delay duration, date and time when the event was received for processing, total delay of event processing); date and time of starting the system monitoring component, number of processed events, number of events waiting for processing;
- information to authenticate digital certificates being used to sign files: the certificate’s fingerprint, the checksums (SHA2-256) of the certificate used to sign the scanned object;
- information about the Rightholder’s Software: full version, localization, type, operating mode, Software installation/uninstallation date and time, status (success or failure), installation error code, installation type (new installation or an update), information about the installed updates (patch IDs, Software component versions), the version of the protocol used to connect with the Rightholder’s services, the unique installer identifier, the unique identifier of installation of the Software on the Computer;
- information about hardware installed on the Computer: the unique identifier of the Computer with the installed Software;
- information about Device type: laptop, desktop, tablet;
- information about network connections with the Rightholder's services: external IP address, number of local connection port;
- information about the operating system (OS) installed on the Computer: type, full version of the operating system and installed service packs, the bit rate, edition and parameters of the OS run mode, OS start date and time, additional information about the OS;
- information about Software rebranding: rebranding partner ID;
- feedback on the Software: feedback type, rating, text description, feedback tags;
- information about agreement status: indicator showing if the user has accepted the agreement while using the Software, the type of agreement accepted, the version of agreement accepted, the date and time when the agreement was accepted;
- information about the Software configuration file: configuration file ID, the result of configuration file request by the Software, request error code;
- information about the Software UI platform: platform type, full version of the platform;
- information about downloaded in-Software messaging content: content ID.

Objects that can be exploited by intruders to harm the User’s computer can also be sent to Kaspersky Lab to be examined additionally:
- executable and non-executable files or their parts;
- portions of the Computer’s RAM;
- sectors involved in the OS booting process;
- network traffic data packets;
- web pages and emails containing suspicious and malicious objects;
- description of the classes and instances of classes of the WMI repository;
- application activity reports.

Such application activity reports contain the following data about files and processes:
- the name, size and version of the file being sent, its description and checksums (MD5, SHA2-256, SHA1), file format identifier, the name of the file’s vendor, the name of the product to which the file belongs, full path on the Computer, template code of the file path, the creation and modification timestamps of the file;
- start and end date/time of the validity period of the certificate (if the file has a digital signature), the date and the time of the signature, the name of the issuer of the certificate, information about the certificate holder, the fingerprint, the certificate’s public key and appropriate algorithms, and the certificate’s serial number;
- the name of the account under which the process is running;
- checksums (MD5, SHA2-256, SHA1) of the name of the Computer on which the process is running;
- titles of the process windows;
- identifier of the anti-virus databases, name of the detected threat according to Rightholder’s classification;
- local time of the Computer at the moment of provision of information;
- names and paths of the files that were accessed by the process;
- names of registry keys and their values that were accessed by the process;
- URLs and IP addresses that were accessed by the process;
- URLs and IP addresses from which the executable file was downloaded.

Also, in order to achieve the declared purpose with respect to preventing false positives, the Rightholder may receive trusted executable and non-executable files or their parts.

© 2019 AO Kaspersky Lab