The General Data Protection Regulation is a European Union (EU) data privacy legislation that strengthens rules about how the personal data of EU residents should be processed. It comes into effect on May 25, 2018. If you have end users, customers and employees in the EU—even if you’re based somewhere else—you (and all your third-party processors) must comply with the regulation's new principles.
As a data processor, Proofpoint is committed to maintaining the privacy, confidentiality, and transparency of the personal data entrusted to us. We are publishing an ongoing series of whitepapers that describe how Proofpoint’s solutions enable you to comply with GDPR requirements such as responding to data subjects’ requests.
- Proofpoint’s Commitment to the EU’s GDPR
- Proofpoint Email Protection & the GDPR
- Proofpoint Targeted Attack Protection (TAP) & the GDPR
- Proofpoint Email Fraud Defense (EFD) & the GDPR
- Proofpoint Information Archive & the GDPR
- Proofpoint Essentials & the GDPR
Proofpoint is committed to providing GDPR-compliant services to our customers. Our products are designed with data security in mind and already have many GDPR-compliant features built in. We have also carefully studied the GDPR’s requirements and have enhanced our products and services to better assist our customers with their GDPR compliance efforts.
You can learn more about how Proofpoint’s solutions can help your organization in its GDPR compliance journey by visiting our GDPR solutions page.
CERTIFICATIONS AND COMPLIANCE
As a data processor, Proofpoint is committed to maintaining the privacy and confidentiality of the personal data entrusted to us. We have a documented Information Security Program describing how technical and administrative security controls are implemented to protect personal data and the physical locations in which it is hosted.
Our North American co-location facilities perform annual SOC 1 or SOC 2 audits and European co-location facilities maintain ISO 27001 certifications. Access control mechanisms are established for physical and logical access to the facilities and the infrastructure hosting the services. All physical and logical access is logged and analyzed for inappropriate access. Physical security controls for the facilities hosting the services include 24x7 on-site security, local and remote security and environmental monitoring, and redundant power and environmental controls. Physical and logical access authentication for Proofpoint personnel is performed using two-factor authentication and is granted based on the employee’s role.
We have built state-of-the-art automation tools, designed to ensure system integrity at the application level. A highly trained team of security professionals is responsible for documenting and deploying security controls. A separate team is responsible for performing continuous monitoring to ensure that these controls remain effective and in place.
The infrastructure hosting the SaaS services is actively monitored with agents collecting hundreds of metrics specific to hardware, networking, and the OS. These metrics are compared against well-established baselines. Alerts are automatically generated when thresholds are crossed and escalation schemes are systematically enforced so that potential issues are addressed in a timely manner. Operations personnel are available 24 hours a day, 7 days a week to respond to any infrastructure issues.
DATA PROCESSING AGREEMENTS / MODEL CLAUSES (SCCs)
Proofpoint enters into GDPR data processing agreements, which incorporate the 1995 EU Data Protection Directive’s Standard Contractual Clauses (also known as Model Clauses), with our customers. Customers can execute a GDPR data processing agreement with Proofpoint by following this link to Proofpoint’s GDPR Data Processing Agreement page and following the instructions there.
Proofpoint is part of the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks that facilitate transfers of personal data between the US and the EU and between the US and Switzerland.
Data Security Policy
Proofpoint’s customers receive the contractual commitments Proofpoint makes regarding the customer’s data: security, breach notification, use of subprocessors, and rights to audit. These commitments are found in Proofpoint’s Data Security Policy.