Proofpoint helps companies protect their people from the ever-evolving threats in the digital ecosystem
Over the last several years, many new data protection laws have gone into force across the globe. Proofpoint is dedicated to keeping up with the shifting privacy frameworks as both your partner in security and as a company that processes personal data. As a data processor, Proofpoint is committed to maintaining the privacy, confidentiality, and transparency of the personal data entrusted to us. As a cybersecurity software provider, Proofpoint’s solutions enable you to meet your compliance requirements.
Maintaining customer trust is an ongoing commitment
Maintaining customer trust is an ongoing commitment at Proofpoint. We strive to inform you of the privacy and data security policies and practices we’ve put in place. Proofpoint is committed to helping our customers protect their people and meet their compliance needs. Our products are designed with data security in mind and already have many features built in to help you meet your compliance goals. We carefully study legislative requirements and enhance our products and services to better assist our customers with their ongoing compliance efforts. Proofpoint continually monitors the evolving privacy regulatory and legislative landscape to identify changes, features and measures our customers might find valuable to achieve their compliance needs.
Through this Trust Site, you can learn more about how Proofpoint’s solutions can help your organization in its compliance journey.
Australia Privacy Act and Privacy Principles
Australia has a sophisticated privacy regime that has continually evolved to keep pace with changing technology and an increasingly detailed body of global data protection laws. Australia addresses an individual’s privacy rights by way of various federal, state, and territory laws.
The most prominent Commonwealth-level data privacy law is the Australian Privacy Act No. 119 (as amended) (the “Privacy Act”). The Privacy Act governs the handling of personal information in terms of the collection, use, storage, and disclosure of personal information and applies to most organizations in the private sector with an annual turnover of at least AU$3 million and government organizations, as well as all Commonwealth Government and Australian Capital Territory Government agencies. Entities governed by the Privacy Act are known as “APP entities.” The Privacy Act applies to personal data whether it is held in electronic or manual records. First enacted in 1988, the Privacy Act has since been amended from time to time to enhance the privacy protections it offers.
The foundation of the Privacy Act is the 13 Australian Privacy Principles (“APPs”), which replaced the National Privacy Principles and Information Privacy Principles in 2014.
The APPs are principles-based, aiming to protect an individual’s privacy in an open and transparent way without being burdensome or inflexible. The APPs apply to the processing of personal information from start to finish, and establish standards for the collection, use, disclosure, quality, and security of personal information. The APPs also address the obligations that apply to APP entities with respect to an individual’s right to access and to correct their own personal data. One key theme of the APPs is that an organization should only use or disclose personal data for the purpose for which it was collected.
The Privacy Act is enforced by the Office of the Australian Information Commissioner (“OAIC”). The OAIC is responsible for investigating complaints made by data subjects and for investigating breaches of the APPs and the credit reporting provisions. The OAIC's powers include accepting enforceable undertakings, seeking civil penalties, and conducting privacy performance assessments for government agencies and businesses.
Proofpoint understands that our Australian customers, especially those that are APP entities, will want to understand how Proofpoint uses personal data. Generally speaking, Proofpoint retains very few data elements that fall into the category of personal data, most of which relates to the threat actor. Such data elements are only used for the purpose set forth in our agreement – to provide and improve the products and services. The Proofpoint Trust Site is a resource intended to assist with our customers’ due diligence processes and provides additional information.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) was enacted into law on June 28, 2018. The CCPA seeks to ensure California consumers have a certain level of privacy rights. Proofpoint is committed to complying with applicable regulations such as data privacy laws, including California’s CCPA (effective January 2020). As a provider of cybersecurity software, we carefully study and monitor these regulatory requirements to determine how our services can assist our customers with their data privacy/security compliance efforts. The CCPA provides a right for individuals to sue businesses that do not implement and maintain reasonable data security measures. Proofpoint’s product offerings help enterprises secure data such as corporate email and social media accounts, which include personal information as defined by CCPA. These regulations were recently enacted and continue to evolve. Proofpoint continually monitors updates to the regulations and guidance provided by the regulatory authorities and considers such changes to our internal policies and procedures and our products when appropriate.
European Union’s General Data Protection Regulation (GDPR)
The General Data Protection Regulation is European Union (EU) data privacy legislation that strengthens the rules on how the personal data of EU residents should be processed. It came into effect on May 25, 2018. If you have end users, customers, or employees in the EU, even if you are based somewhere else, you (and all of your third-party processors) must comply with the regulation's principles.
As a data processor, Proofpoint is committed to maintaining the privacy, confidentiality, and transparency of the personal data entrusted to us. We are publishing an ongoing series of whitepapers that describe how Proofpoint’s solutions enable you to comply with GDPR requirements such as responding to data subjects’ requests.
- Proofpoint’s Commitment to the EU’s GDPR
- Proofpoint Email Protection and the GDPR
- Proofpoint Targeted Attack Protection (TAP) and the GDPR
- Proofpoint Email Fraud Defense (EFD) and the GDPR
- Proofpoint Information Archive and the GDPR
- Proofpoint Cloud App Security and the GDPR
- Proofpoint Essentials and the GDPR
- Proofpoint Security Awareness Training and the GDPR
Additionally, Proofpoint is committed to providing GDPR-compliant services to our customers. Our products are designed with data security in mind and already have many GDPR-compliant features built in. We have also carefully studied the GDPR’s requirements and have enhanced our products and services to better assist our customers with their GDPR compliance efforts.
You can learn more about how Proofpoint’s solutions can help your organization in its GDPR compliance journey by visiting our GDPR solutions page.
Data Processing Agreements / Model Clauses (SCCs)
Proofpoint enters into GDPR data processing agreements with our customers, which incorporate the 1995 EU Data Protection Directive’s Standard Contractual Clauses (also known as Model Clauses). Customers can execute a GDPR data processing agreement with Proofpoint by following this link to Proofpoint’s GDPR Data Processing Agreement page and following the instructions.
Data Transfer Assessment
In a decision commonly referred to as "Schrems II", issued on 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Framework. Particularly concerned with United States intelligence agencies' mass surveillance capabilities under FISA Section 702 and Executive Order 12333, the Court required that companies conduct a Data Transfer Assessment (also known as a Transfer Impact Assessment) in connection with transferring personal data from the European Union to the United States. Several of Proofpoint's security services require that some amount of personal data be transferred to the United States, so Proofpoint is making its Data Transfer Assessment available to customers in the attached document.
Data Transfer Assessment
Israel Privacy Protection Act and Protection of Privacy Law
In Israel, privacy is a constitutional right under Article 7 of Basic Law: Human Dignity and Liberty. In addition, the Privacy Protection Act (“PPA”) contains further privacy legislation dealing with data protection and entered into force in 1981. Further, Israeli law includes an omnibus privacy and data protection statute, the Protection of Privacy Law (5741-1981) (“PPL”), which confers the right to privacy and data protection on individuals. Under the PPL, personal information includes data pertaining to an individual’s personality, familial status, intimate affairs, health or medical condition, financial status, professional qualifications, and opinions or beliefs. Israeli case law interpreting the PPL extends regulated data beyond the foregoing definitions by protecting an individual’s name, address, contact information, and other identifiable information such as an IP address.
As a possessor of customer information, as defined under the PPA, Proofpoint is subject to confidentiality and security requirements. For detailed information on how Proofpoint ensures the confidentiality and security of your personal information, please review the Data Security Policy found on the Proofpoint Trust Site. Under Israeli law, Proofpoint is not considered a “database owner.”
Additionally, from the point of view of the European Union, Israel is a country that the European Commission has deemed (on the basis of Article 45 of the GDPR) to provide adequate protection for personal data flowing from the EU to Israel, without any further safeguard (such as Standard Contractual Clauses) being necessary.
Third Party Service Providers and Subprocessors
Personal Health Information Protection Act of Ontario, Canada (PHIPA)
Modern healthcare includes many cutting-edge therapies, treatments, diagnostics, and tools that use technology to provide care. Doing so means processing data concerning an individual’s health, arguably the most sensitive and private information relating to a person, in more ways than ever before. The unfortunate reality is that personal health information (“PHI”) can be a high-value target for threat actors, so protecting PHI is critical. Proofpoint products and services can be a key part of an organization’s data security and protection plan.
Many of Proofpoint’s customers in Ontario working in healthcare may be considered health information custodians (“HICs”) subject to the Personal Health Information Protection Act (“PHIPA”). PHIPA is a series of rules governing the collection, use, and disclosure of PHI in the course of providing or facilitating healthcare services in Ontario. Health information custodians and their agents are subject to PHIPA any time PHI is being used, shared, or processed. Part IV of PHIPA, “Collection, Use and Disclosure of Personal Health Information,” requires that HICs take “reasonable steps” to protect personal health information against theft, loss, unauthorized use and disclosure, and unauthorized copying, modification, or disposal. Proofpoint products can be an effective component of our customers’ data protection strategies as required by Part IV.
As custodians of PHI, our customers take their due diligence relating to partners like Proofpoint very seriously. To assist in that process, the Proofpoint Trust Site provides the details of how Proofpoint uses data and complies with laws while providing products and services to our customers. It is important to note that for the majority of Proofpoint products, only the minimum amount of data required is used. The exceptions to this are products in the archive line due to the nature of archiving.
PHIPA does not require PHI to remain in Ontario. Proofpoint is unable to keep data solely in Ontario. You can find more details about our subprocessors on the Proofpoint Trust Site. All subprocessors are subject to written agreements that address duties of confidentiality and secure data handling practices.
Proofpoint is not a Managed Service Provider as defined under PHIPA. Proofpoint only provides cybersecurity software and related services that do not include managing our customers’ IT infrastructure.
It may be helpful to know that Proofpoint does not require PHI to provide our products and services. While it is possible that PHI could pass through the products and services, it is unlikely that such information would ever be accessed by a person or retained, as Proofpoint’s focus is on information relating to threats. For certain customers, Proofpoint may be considered to be an agent under PHIPA. We are happy to discuss that possibility with you.
Please note that in the event of a known unauthorized use, disclosure or acquisition by a third party of personal data that compromises the security, confidentiality, or integrity of such data maintained by Proofpoint, Proofpoint will notify the applicable customers in writing within 48 hours of discovery. This is reflected in the Proofpoint Data Security Policy. Furthermore, Proofpoint only uses the data that passes from our customers through our products and services for providing and improving the products and services. We do not sell customer data.
As reflected in the Proofpoint Data Security Policy, many of our products are certified under our SOC 2 Type II Report (“SOC 2”).
USA’s Health Insurance Portability and Accountability Act (HIPAA) Protected Health Information
Proofpoint is dedicated to protecting our customers’ privacy. We understand that sometimes that protection extends to Protected Health Information (PHI). PHI held by covered entities is protected by the HIPAA Privacy Rule and the Security Rule. Patients have rights under the Privacy Rule and under state law with respect to their PHI. The Security Rule requires that PHI be safeguarded to protect the confidentiality, integrity, and availability of PHI.
Disclosures of PHI are permitted for patient care and other important purposes, including treatment, payment, and healthcare operations. HIPAA lists 18 data elements that count as PHI identifiers, including, but not limited to, the following: name, email address, social security numbers, medical record numbers, biometric identifiers, and phone numbers.
When customers engage Proofpoint as a vendor, it is possible that PHI belonging to our customers’ patients could pass through the Proofpoint Services when the customers use the Services. Proofpoint applies the minimum necessary standard required by HIPAA and only uses the minimum amount of information required to do our work. We also expect that our customers apply the same best practices when it comes to the sharing of PHI.
Please keep in mind that if PHI is included in the email that passes through the Proofpoint Services as part of a customer’s use of the Services, it is unlikely Proofpoint personnel will ever access that PHI or even know it is there. The majority of emails pass through the Services in a matter of milliseconds and the email content itself is not retained. If a threat is detected or suspected, the email may be detained longer and certain data elements (e.g. email address of the sender and recipient, date, time, a summary of threats contained in the email) could be retained for up to 18 months.
The insights gained from the use of the Products and Services provided by Proofpoint are used to improve the Products and Services for all of Proofpoint’s customers. For the avoidance of doubt, such use does not include the sale or disclosure of a customer’s PHI.
Certain security Products provided by Proofpoint retain certain data elements used to provide the Service for 18 months following the conclusion of the agreement. Pursuant to the terms of the applicable agreement, Proofpoint shall protect PHI during such time and shall destroy any such PHI after said 18 months.
Business Associate Agreement Addendum
New York SHIELD Act
New York State Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
The New York State Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) is a significant amendment to the state’s data breach notification law and data protection requirements. New York has taken substantial steps toward strengthening the enforcement of consumer privacy and data protection. Violations of the SHIELD Act are considered deceptive acts or practices, subject to enforcement by the New York Attorney General. Businesses that fall within the scope of the SHIELD Act could face civil penalties of up to $5,000 per violation.
If you collect, own, or license computerized data that includes private information about New York State residents, you are likely subject to the SHIELD Act and required to develop, implement, and maintain certain measures to protect that private information (i.e., employee and consumer data). The requirements of the SHIELD Act include the implementation of a cybersecurity program, workforce training, and incident response planning and testing.
Proofpoint products and services are valuable components of a robust cybersecurity program and offer administrative and technical safeguards such as identifying and preventing external and insider cyber risks and providing security awareness training for our customers’ workforces. As a cybersecurity company and a business subject to this act, Proofpoint is committed to protecting the private information entrusted to us. Proofpoint is ready to assist customers in meeting their own security needs and compliance goals. For more information about how Proofpoint protects our customers’ data, please see the Data Security Policy on the Proofpoint Trust Site. We invite you to learn more about Proofpoint Security Awareness Training and our other products that can help you with your cybersecurity program and workforce training.
New York DFS Cybersecurity Regulation
The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) went into effect on March 1, 2017. Applicable to certain businesses in the financial services industry, this regulation responds to the ongoing and evolving cyber threats originating from sources such as individual threat actors, terrorists, and nation-states: the very threat sources Proofpoint is dedicated to helping our customers defend against. The regulation establishes a set of cybersecurity requirements applicable to those in the financial services and insurance industries, specifically any financial services business or person that is required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the state’s Banking Law, Insurance Law, or Financial Services Law. Those falling within the scope of the regulation are required to take certain steps, including:
- Create a cybersecurity program, policy and incident response plan,
- Establish a CISO that interacts with and advises the board of directors, and
- Implement multiple data security measures and reporting requirements.
Such practices are intended to defend against the technological vulnerabilities exploited by cybercriminals to gain access to sensitive electronic data within the financial services industry, while promoting the protection of consumer information and the information technology systems that hold such information. Anyone subject to the regulation should carefully assess their own unique risk profile and implement a responsive plan to protect both their customers and their institution and to comply with the regulation. It is important to keep pace with technological advancements that can assist in these endeavors. Proofpoint is dedicated to serving our customers who are subject to this regulation and offers many products and services that can assist with achieving compliance.
For certain customers, Proofpoint may be considered a Third Party Service Provider under the regulation. In those cases Proofpoint is responsible for: (1) using multi-factor authentication with systems holding Non-Public Information (NPI), (2) using encryption (or compensating controls) for data in transit and at rest, (3) notifying our regulated customer of a cybersecurity event that directly and adversely affects its NPI, and (4) representing and warranting our security commitments. The Proofpoint Trust Site is a regularly updated resource that provides information about Proofpoint’s use and protection of customer data. The Proofpoint Security Policy (found on the Trust Site) goes into detail regarding the security practices applied to customer data, breach notification, use of subprocessors, and rights to audit, and can help customers and potential customers understand the cybersecurity practices that Proofpoint follows to protect our customers’ data.
On Thursday, July 16, 2020, in a case examining transfers of data from the EU, the Court of Justice of the European Union issued a ruling invalidating the use of Privacy Shield. The EU-US Privacy Shield Framework was developed and agreed to by the European Commission and the US Department of Commerce in 2016. It enabled US organizations certified under the program to legitimately receive personal data from the EU. In response to the invalidation of Privacy Shield, the European Data Protection Board announced that it is ready to work with the US to create a replacement data transfer framework.
The Federal Data Protection and Information Commissioner in Switzerland followed in the footsteps of the EU on September 8, 2020, determining the Swiss-U.S. Privacy Shield fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States.
Despite the uncertainty around Privacy Shield, customers can be assured that Proofpoint has been, and will continue to be, committed to complying with applicable data protection law. That commitment had previously included overlapping protections under both the Standard Contractual Clauses and Privacy Shield frameworks as well as robust privacy and security measures in accordance with GDPR, the Australian Privacy Act and most recently, the California Consumer Privacy Act. Proofpoint will also continue to have annual security audits and penetration testing performed by independent auditors and testing organizations. Proofpoint will continue to process all data with all protections required under applicable data protection law. For more detailed information on Proofpoint’s commitment to data protection, please refer to our Trust Site at https://www.proofpoint.com/legal/trust.
As a Privacy Shield-certified organization, Proofpoint understands that existing data processing agreements that relied on Privacy Shield now need to be updated with an alternative mechanism. As the Standard Contractual Clauses remain a valid mechanism for data transfers from the EU to the US, any customer wishing to enter into the Standard Contractual Clauses can do so by signing a Data Protection Agreement including the SCCs, which can be found at: https://www.proofpoint.com/legal/trust/dpa.
Proofpoint is continuing to monitor this topic and will update the Trust Site as new information becomes available.
Certifications and Compliance
As a data processor, Proofpoint is committed to maintaining the privacy and confidentiality of the personal data entrusted to us. We have a documented Information Security Program describing how technical and administrative security controls are implemented to protect personal data and the physical locations in which it is hosted.
Our North American co-location facilities perform annual SOC 1 or SOC 2 audits, and our European co-location facilities maintain ISO 27001 certifications. Access control mechanisms are established for physical and logical access to the facilities and the infrastructure hosting the services. All physical and logical access is logged and analyzed for inappropriate access. Physical security controls for the facilities hosting the services include 24x7 on-site security, local and remote security and environmental monitoring, and redundant power and environmental controls. Physical and logical access authentication for Proofpoint personnel is performed using two-factor authentication and is granted based on the employee’s role.
We have built state-of-the-art automation tools designed to ensure system integrity at the application level. A highly trained team of security professionals is responsible for documenting and deploying security controls. A separate team is responsible for continuous monitoring to ensure that these controls remain effective and in place.
The infrastructure hosting the SaaS services is actively monitored with agents collecting hundreds of metrics specific to hardware, networking, and the OS. These metrics are compared against well-established baselines. Alerts are automatically generated when thresholds are crossed and escalation schemes are systematically enforced so that potential issues are addressed in a timely manner. Operations personnel are available 24 hours a day, 7 days a week to respond to any infrastructure issues.
Data Security Policy
Proofpoint’s customers receive contractual commitments from Proofpoint regarding the customer’s data: security, breach notification, use of subprocessors, and rights to audit. These commitments are found in Proofpoint’s Data Security Policy.