

Adobe Enterprise Offerings & the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) comes into full effect on May 25, 2018. As part of Adobe's GDPR readiness project, we are enhancing our products, services, and processes, as necessary. With compliance being a shared responsibility, we look forward to partnering with you to address any new obligations for data governance and privacy by design features.

IS ADOBE A CONTROLLER OR PROCESSOR WHEN IT PROVIDES PRODUCTS AND SERVICES TO YOU?

When Adobe is providing software and services to an enterprise, Adobe is acting as a data processor for any personal data it processes and stores as part of providing the services. As a data processor, Adobe only processes personal data in accordance with your company’s permission and instructions (for example, as set out in your agreement with Adobe).

WHAT PERSONAL DATA DOES ADOBE PROCESS?

As the data controller, you will determine the personal data that Adobe processes and stores on your behalf. If you use Adobe Creative Cloud or Adobe Document Cloud hosted services, you may upload content which includes personal data – for example, forms, contracts, photos and artwork containing people. Adobe's Creative Cloud and Document Cloud hosted services include the storage of this personal data.

If you use Adobe Experience Cloud solutions, Adobe may host personal data for you depending on the solutions you use and the information you choose to send to your Adobe Experience Cloud account. For a detailed list of examples, see https://www.adobe.com/privacy/marketing-cloud.html#collect.


WHAT IS ADOBE DOING TOWARDS COMPLIANCE?

Adobe either already meets, or is implementing, our obligations as a data processor. For example:

© 2017 Adobe Systems Incorporated. All Rights Reserved.

As we prepare for May 2018, we are also evaluating the addition of new product and service features and functionalities to help you more easily meet your obligations under GDPR. We will continue to update this document as we journey together toward compliance. In the meantime, for any additional questions contact [email protected].

PRIVACY BY DESIGN

We have a long-standing practice of incorporating Privacy by Design in the development of our products and services. For example, we provide the capability in Adobe Analytics, Adobe Audience Manager, and Adobe Target to obfuscate IP addresses and allow individual level opt-outs.

SECURITY MEASURES

We comply with industry-accepted standards, regulations and certifications, and have implemented technical and organizational measures (TOMs), as well as hundreds of security processes and controls. (https://www.adobe.com/content/dam/acom/en/security/pdfs/MasterComplianceList.pdf)

We have developed the Adobe Common Controls Framework, a foundational framework of security processes and controls to protect Adobe infrastructure, applications and services. For more information on Adobe’s Common Controls Framework, see: https://wwwimages2.adobe.com/content/dam/acom/en/security/pdfs/AdobeCloudServices_ComplianceOverview.pdf

DATA TRANSFER

Adobe has certified to the EU-US and Swiss-US Privacy Shield frameworks for customer-related data. This provides our customers with the option of relying on these frameworks, or entering into Standard Contractual Clauses (also known as EU Model Clauses), for the transfer of data from the EU to the US. More information on this can be found in our Privacy Center, as well as information on how to request Standard Contractual Clauses. (https://www.adobe.com/privacy/eudatatransfers.html)

CONTRACT TERMS/DATA PROCESSING AGREEMENT

We have updated Adobe's Data Processing Agreement to account for the GDPR requirements.

DATA PROTECTION OFFICER

Adobe currently has a Chief Privacy Officer, an Irish Data Protection Officer and a dedicated privacy team, and we are continuing to evaluate if we need to take any additional steps in light of the new requirements.

RECORDS OF PROCESSING

We are working to more formally document the privacy practices we have in place to comply with the enhanced record-keeping requirements.