Data Privacy Information Sheet:
Human Risk Explorer

Data Privacy Information Sheet: Human Risk Explorer

The purpose of this document is to provide customers of Proofpoint’s Human Risk Explorer with the information necessary to assess how the product can support and enhance their human risk management strategy. 

Human Risk Explorer – Product Statement 

Proofpoint’s Human Risk Explorer provides organizations with a holistic view of human risk by integrating insights from different security tools, thus significantly reducing the manual effort required to assess human risk. By automatically correlating risk signals from various sources and automating risk profiling, it helps security teams pinpoint where risk is concentrated.

Information Processed by Proofpoint’s Human Risk Explorer 

• User email addresses
• User names, phone numbers, departments, location 
• Manager name, title, email, location 
• Usage reported by Proofpoint Email Protection, Proofpoint Cloud App Security Broker, Proofpoint Targeted Attack Protection, Proofpoint Endpoint Data Loss Prevention (DLP) and Proofpoint Insider Threat Management, and ZenGuide.

Customer Access to Proofpoint Human Risk Explorer and Privacy Options 

Access to Proofpoint Human Risk Explorer data may be controlled by policies set-up by security administrators. Access can be assigned to specific users and groups. Data is made available to authorized users and groups through the solution’s dashboard. More specifically: 

• The Proofpoint Data Security Platform implements industry-standard encryption and security controls for data at rest, data in motion and API access. 
• A highly restricted number of people within the operations team are responsible for deployment, configuration and maintenance of the production environment through Infrastructure-as-Code automation. 
• Proofpoint has an access control policy that restricts access to Customer Data. Any access by Proofpoint personnel is heavily scrutinized, controlled and audited. 
• Data Security Platform APIs and Applications implement an advanced set of Attribute-Based Access Controls (ABAC) for customer and Proofpoint personnel access, provisioned according to the least-privilege access model. Furthermore, Customers also have the ability and full control to add or remove privileges for Proofpoint personnel through the Administration Application ("Personas"), including granting non-operations Proofpoint personnel access to Customer Data and Personal Data recorded from the monitored activities of Users including captured visual screen content or file content. 

How Proofpoint Retains Records 

Proofpoint Human Risk Explorer retains customer information for up to 12 months after which it is securely deleted. 

Proofpoint’s Use of Subprocessors 

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site at  https://www.proofpoint.com/us/legal/trust/subprocessors. 

Security

Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following: 

• Data in transit is protected using HTTPS/TLS.
• Encryption at rest is accomplished using AES 256 or stronger ciphers. 
• Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
• Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see https://www.proofpoint.com/us/security. 
• Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
• Proofpoint’s information security program undergoes an annual SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.