Data Privacy Information Sheet:
Proofpoint Automate

The purpose of this document is to provide customers of Proofpoint Automate (formerly, NexusAI for Compliance) with the information necessary to assess how the product can support and enhance their data privacy strategy.

Proofpoint Automate – Product Statement

Legal, compliance, and security pressures are evolving in the face of today’s data growth. That’s why customers need a new secure approach to enterprise archiving challenges. Proofpoint Archive is a cloud-based archiving solution that simplifies legal discovery and end-user data access. It provides customers with a secure and searchable central repository of a wide range of content types without the challenges of managing in-house. With Proofpoint Supervision, an add-on to Proofpoint Archive, customers can streamline SEC, FINRA, and IIROC compliance. Customers can take advantage of easy monitoring and the review and reporting of data across email, social, and enterprise collaboration as it is added to Proofpoint Archive. Proofpoint Automate, an add-on to Proofpoint Supervision, allows customers to use machine learning to significantly reduce low-value supervision content which helps focus on meaningful content and reduce human error.

Information Processed by Proofpoint Automate

Proofpoint Supervision processes and stores communications (both internal and external) of various types. The complete composition of the original content and its metadata are preserved for the period defined by the customer in the customer’s retention configuration. Items are flagged by a policy engine as they are recorded, and these policy classifications, along with subsequent reviewer determinations, are stored for the life of the message. To facilitate attribution of items to users, the system stores and maintains a historical record of employees and their key attributes, including their name, business phone number, email addresses, job function, and department.

Proofpoint Automate processes the textual content and metadata of the messages flagged by the Proofpoint Supervision policy engine to produce either a score indicating how closely it matches a given machine learning model or a set of suggestions on how to refine customers policy configuration.

As the full content of all messages is preserved, all types of potentially sensitive data may exist within the Archive, including:

  • Personal financial information (sometimes known as PCI data), including, but not limited to, credit card numbers and bank account numbers
  • Personal healthcare information, including, but not limited to, national identifiers and insurance numbers
  • Personal identifiable information (PII), including, but not limited to, names and email addresses


Customer Access to Archived Data and Privacy Options

Access to Archive data, including those assigned to review queues within Proofpoint Supervision, may be controlled by policies set by customer security administrators. Access can be assigned to specific users and groups. Data is made available to authorized users and groups through the solution’s user interface.

How Proofpoint Retains Records

Proofpoint customers can select a retention period (in months) for which the data is retained. Once items have achieved this policy-based retention period, the customer can authorize disposition of the data (or the system can do so automatically if so configured). The scores and policy suggestions produced by Proofpoint Automate are sent back to Proofpoint Supervision for storage – no data is retained (beyond temporary processing queues) within Proofpoint Automate.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site at


Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256.
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
  • Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • A network operation center receives and responds to security alerts, escalating to on-call security personnel.

© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated May 15, 2024.

Proofpoint Trust

Proofpoint helps companies protect their people from the ever-evolving threats in the digital ecosystem.