Information Disclosure & Law Enforcement Statement: Subpoenas, Warrants, Orders, and Other Government Requests for Customer Information
Who Is Proofpoint, Inc.?
Proofpoint, Inc., together with its subsidiaries (collectively, “Proofpoint”), is a cybersecurity company that specializes in helping organizations protect against advanced cybersecurity threats and compliance risks. Proofpoint is not an email service provider, meaning that we do not provide customers with the ability to send or receive emails. We are also not a domain host and do not manage domain names.
Proofpoint’s email threat protection solutions sit between the email service provider and customer, acting as a filter to stop harmful content from reaching its customers. Proofpoint processes mail flow in real time – scanning messages for threats, spam, data loss, and other risks. Proofpoint only retains limited portions of the emails identified as potential threats and cannot reproduce emails that flow through our cybersecurity solutions. For information about emails sent / received by a data subject or organization, please contact the applicable email service provider.
Is Proofpoint an email service provider, providing its customer with the ability to send or receive emails?
No — Proofpoint is not a traditional email service provider. It does not host mailboxes or allow customers to send and receive emails directly. Instead, it provides email security and compliance solutions. For information about email accounts, individual user account information, email content, email usage, emails sent and received by individuals, and other information related to email accounts, please contact the applicable email service provider.
Why does a company’s email address or domain appear to route to or through a Proofpoint IP address?
An email address or domain may appear to route through a Proofpoint IP address due to the operation of Proofpoint’s secure email gateway, which filters and relays messages on behalf of the customer’s domain. This functionality is part of Proofpoint’s threat protection process and does not mean Proofpoint is the customer’s email provider.
How does Proofpoint handle requests for information?
- Strict legal review: Every request undergoes in-depth assessment by our legal team to verify its legitimacy, scope, and proportionality.
- Challenging overreach requests: If a request is overly broad, unsupported, or inconsistent with established privacy protections, we challenge it through all available legal and procedural avenues, including seeking judicial review and contesting the scope to ensure it meets strict legal standards.
- Data minimization: Only the specific data explicitly named in a valid legal order will ever be considered for disclosure.
- Customer notification: Whenever permitted by law (including if we believe a request is unlawful), we promptly notify affected customers, including in cases involving nondisclosure orders. We actively work to lift or limit such orders to allow customers to exercise their rights under their own national laws.
Do FISA Section 702 and Executive Order 12333 apply to Proofpoint?
Concerned with the mass surveillance capabilities afforded U.S. intelligence agencies under FISA Section 702 and EO 12333, the Schrems II court mandated that all companies must conduct a Data Transfer Assessment in connection with the transfer of personal data from the European Union to the United States. Proofpoint has assessed the potential risks and believes it is unlikely that it would be subject to FISA Section 702 or EO 12333 in connection with its products and services and its processing of customer data. Proofpoint concludes this for the following reasons:
- Proofpoint is not the appropriate party to receive a FISA Section 702 Order. Proofpoint is a cybersecurity company that specializes in helping organizations protect against advanced cybersecurity threats and compliance risks. Proofpoint’s products and services reside between the email service provider and customer, acting as a filter to stop harmful content from reaching Proofpoint’s customers. Proofpoint is not an email service provider, meaning we do not provide customers with the ability to send or receive emails. The appropriate party to a FISA 702 Order is the customer and/or the customer’s email service provider, not Proofpoint.
- Proofpoint does not possess the type of data sought by U.S. intelligence agencies. On September 28, 2020, the United States’ Department of Commerce issued a whitepaper clarifying the limited data types of interest to U.S. intelligence agencies, specifically stating that “[c]ompanies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.” The type of information collected and maintained by Proofpoint in the provision of its products and services is identified in its Product Processing document.
- Executive Order 12333 does not grant the U.S. government the authority to mandate that private companies disclose data. To the extent that Proofpoint receives a third party information disclosure request, Proofpoint follows this Information Disclosure Statement.
What is Proofpoint’s Position on the U.S. CLOUD Act?
The U.S. CLOUD Act enables U.S. law-enforcement authorities to request data from U.S.-based companies, but only under strict and clearly defined legal conditions. Such requests require valid judicial authorization (such as a warrant) and must be narrowly targeted to specific individuals or accounts, not broad data sets or full customer environments.
At Proofpoint, we want to make one point absolutely clear: Proofpoint does not grant U.S. authorities direct, unrestricted access to customer data.
Any request is handled through our legal department and reviewed carefully to ensure compliance with applicable law and protection of customer privacy wherever possible.
Maximum Protection for European Customers
We apply a multilayer protection approach that reflects both U.S. legal standards and the privacy expectations of the European Union.
We defend our customers’ data through:
- Strict legal review: Every request undergoes in-depth assessment by our legal team to verify its legitimacy, scope, and proportionality.
- Challenging overreach requests: If a request is overly broad, unsupported, or inconsistent with established privacy protections, we challenge it through all available legal and procedural avenues, including seeking judicial review and contesting the scope to ensure it meets strict legal standards.
- Data minimization: Only the specific data explicitly named in a valid legal order will ever be considered for disclosure.
- Customer notification: Whenever permitted by law (including if we believe a request is unlawful), we promptly notify affected customers, including in cases involving nondisclosure orders. We actively work to lift or limit such orders to allow customers to exercise their rights under their own national laws.
Commitment to European Standards
Although Proofpoint must comply with applicable U.S. laws, we operate according to EU-aligned principles of data minimization, proportionality, and transparency. Data does not leave its region unless required by a valid order and fully reviewed through our legal processes. Further, Proofpoint has never received a valid CLOUD Act request for customer data. This underscores the very narrow and exceptional circumstances in which such requests occur for non-email mailbox providers.
Our commitment remains firm: We are dedicated to safeguarding customer data across borders and upholding privacy rights worldwide.
Does Proofpoint offer an archive solution for the retention and supervision of emails?
Yes, Proofpoint offers an enterprise archive solution typically utilized by regulated entities such as banks or other financial institutions to meet email retention requirements. Please contact the regulated user directly regarding their use of the Proofpoint Enterprise Archive. Proofpoint does not have access to the content stored by the customer in the Enterprise Archive.
Where do I serve a subpoena, warrant, order, or other request for information?
Please submit your requests to lawenforcement@proofpoint.com.
© 2026 Proofpoint. All rights reserved. The content on this site is intended for informational purposes only.
Last updated January 13, 2026.