Data Privacy Information Sheet:
Proofpoint Spotlight

The purpose of this document is to provide customers of Proofpoint Spotlight with the information necessary to assess how this service can support and enhance their data privacy strategy.

Spotlight – Product Statement

Proofpoint Spotlight, an identity threat detection and response solution available in both on-premises and SaaS versions, automatically discovers, prioritizes, and remediates identity vulnerabilities in a customer’s corporate environment including structure misconfigurations in Active Directory and Azure AD, exposed credentials on customer endpoint devices, and shadow admin threats.

Information Processed by Proofpoint Spotlight

Proofpoint Spotlight processes data located in a customer’s corporate environment, collecting and analyzing information to prevent identity threats and harm to a customer’s corporate systems through exploited credentials. Personal information processed by Proofpoint Spotlight includes:

  • user names
  • email addresses
  • group membership

Customer Access to Proofpoint Spotlight Data and Privacy Options

Proofpoint Spotlight data may be accessed by customer administrators or other authorized users. Processing results are made available to authorized users through the solution’s comprehensive console and application programming interfaces (APIs).

How Proofpoint Retains Records

To protect organizations and their employees from on-going identity threats, Proofpoint analyzes the data collected through Proofpoint Spotlight and applies the results to its threat detection and identification process. Data collected is retained in an aggregated form until securely deleted.

For the on-premises version, Customers retain and store their own data in Spotlight for up to 12 months.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes subprocessors to provide its SaaS services. A comprehensive list of the subprocessors may be found on the Trust site.
Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256.
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services for SaaS products.
  • Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • Security alerts are automatically directed to on-call staff for triage and review 24x7.
  • Proofpoint’s information security program undergoes an annual third-party audit in the form of a SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.
© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated May 15, 2024.