Data Privacy Information Sheet:
Proofpoint Cloud App Security Broker

The purpose of this document is to provide customers of Proofpoint’s Cloud App Security Broker (“CASB”) with the information necessary to assess how the product can support and enhance their data privacy strategy.

CASB – Product Statement

CASB extends Proofpoint’s Information and Cloud Security platform (the “Platform”) to cloud-based applications with people-centric threat protection, data security (including inline data loss prevention (DLP)), and cloud application governance. CASB protects users from cloud threats, safeguards sensitive data, governs cloud and OAuth (Open Authorization) applications, and helps users to remain compliant with applicable privacy and data security requirements.

CASB provides the following key capabilities:

  • Protects users and data from cloud account compromise and advanced threats in the cloud,
  • Monitors and controls cloud access (logins) via user behavior analytics and threat intelligence,
  • Provides DLP for cloud applications and files in the cloud,
  • Provides visibility into cloud application usage and control of third-party applications, and
  • Discovers cloud infrastructure risks and evaluates one’s security posture.

CASB runs on the Platform.

Information Processed by CASB

CASB monitors and processes some personal data elements as users utilize their organization’s cloud services that are connected to CASB. Collected data can include the following:

  • Personally identifiable information (PII), including, but not limited to, names and business email addresses;
  • File metadata which includes file owner, last modified date, versions, creation date, and permissions;
  • Cloud account access and activity logs; and
  • Snippets of file and message content that match customer DLP specifications.

Customer Access to CASB Data and Privacy Options

Access to CASB data may be controlled by policies set by customer security administrators. Administrative access can be assigned to specific users and groups. Data is made available to authorized users and groups through the solution’s Console dashboard, which is accessed using a standard web browser. 

How Proofpoint Retains Records

Data is securely retained in the Platform for a period of 180 days and is deleted afterward (except for file metadata). Customers can purchase add-on SKUs to have their data retained for up to 1 year.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes sub-processors to provide its services. A comprehensive list of the sub-processors may be found on the Proofpoint Trust Site (


Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256 or stronger ciphers. 
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
  • Proofpoint is implementing secure development lifecycle best practices and uses OWASP Top 10 and other frameworks to protect its systems.
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • Proofpoint’s information security program undergoes an annual SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.

© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated May 15, 2024.
