Data Privacy Information Sheet:
Proofpoint Isolation

The purpose of this document is to provide customers of Proofpoint Isolation (“Isolation”) with the information necessary to assess how the product can support and enhance their data privacy strategies.

Isolation – Product Statement

Isolation runs on the cloud-native Information and Cloud Security Platform ("Platform") and is a secure cloud-based container that helps protect organizations from URL and web-based attacks. It solves the problem of having to choose between a too-restrictive ’block” policy and a too-risky "allow" policy by providing a third option that allows users to safely click and view high-risk sites in isolation.

Isolation sanitizes web pages by stripping them of any active content then re-renders those pages on the local browser using static/safe content. When in an isolated browsing session, the user can see and interact with the page as normal; however, the site cannot escalate privileges, gain root access, execute malicious code, make persistent unauthorized system changes, and alter critical system files. Isolation protects companies from malware infections, phishing threats, credential theft, email fraud, and data loss.

Isolation has an anonymous usage feature that, when enabled, hashes the email address of the user before it is stored in an encrypted manner. If the feature is not enabled, the email address of the user is stored at registration in an unhashed form. Anonymous usage is not supported in the URL Isolation integration with TAP.

Information Processed by Isolation

Collected data includes:

• Personal identifiable information (PII), including, but not limited to, names and email addresses;
• Browsing history correlated with email addresses;
• Browser site cookies, which are stored in an encrypted manner;
• Browser registration event information, including the following
  • Datacenter location (currently US, EU, Asia),
  • Browser user-agent string,
  • Date/Time,
  • Registration type (Self-registration, IP Registration),
  • Customer ID - captured when a browser is registered, and
  • IP address;
• Browser User-Agent String

Isolation does not collect, or store user entered data. Isolation does not collect or store passwords or logins.

Customer Access to Isolation Data and Privacy Options

Organizational and user activity is available to the customer's administrators through the Isolation console, which is accessed using a standard web browser.

How Proofpoint Retains Records

Customer activity data is retained for up to 365 days, at which time it is securely deleted.

Proofpoint's Use of Subprocessors

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site at https://www.proofpoint.com/us/legal/trust/subprocessors.

Security

Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

• Data in transit is protected using HTTPS/TLS.
• Encryption at rest is accomplished using AES 256.
• Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
• Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see https://www.proofpoint.com/us/security.
• Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
• Security alerts are directed automatically to on-call security personnel 24x7.
• Proofpoint’s information security program undergoes an annual SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.