The purpose of this document is to provide customers of Proofpoint Archive with the information necessary to assess how the product can support and enhance their data privacy strategy.
Proofpoint Archive – Product Statement
Legal, compliance, and security pressures are evolving in the face of today’s data growth. That’s why customers need a new secure approach to enterprise archiving challenges. Proofpoint Archive is a cloud-based archiving solution that simplifies legal discovery, and end-user data access. Archive provides customers with a secure and searchable central repository of a wide range of content types without the challenges of managing in-house.
Information Processed by Proofpoint Archive
Archive processes and stores communications (both internal and external) of various types. The complete composition of the original content and its metadata are preserved for the period defined by the customer in the customer’s retention configuration. To facilitate attribution of items to users, the system stores and maintains a historical record of employees and their key attributes, including their name, business phone number, email addresses, job function, and department.
As the full content of all messages is preserved, all types of potentially sensitive data may exist within Archive, including:
- Personal financial information (sometimes known as PCI data), including, but not limited to, credit card numbers and bank account numbers
- Personal healthcare information, including, but not limited to, national identifiers and insurance numbers
- Personal identifiable information (PII), including, but not limited to, names and email addresses
Customer Access to Archived Data and Privacy Options
Access to Archive data may be controlled by policies set by customer security administrators. Access can be assigned to specific users and groups. Data is made available to authorized users and groups through the solution’s user interface.
How Proofpoint Retains Records
Proofpoint customers can select a retention period (in months) for which the data is retained. Once items have achieved this policy-based retention period, the customer can authorize disposition of the data (or the system can do so automatically if so configured).
Proofpoint’s Use of Subprocessors
Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site at https://www.proofpoint.com/us/legal/trust/subprocessors.
Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:
- Data in transit is protected using HTTPS/TLS.
- Encryption at rest is accomplished using a combination of RSA 2048 and AES 256.
- Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
- Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see https://www.proofpoint.com/us/security.
- Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
- A network operation center receives and responds to security alerts, escalating to on-call security personnel.
- Proofpoint’s information security program undergoes an annual SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.
© 2023. All rights reserved. The content on this site is intended for informational purposes only.
Last updated August 10, 2023.