Data Privacy and Security Information Sheet:
Proofpoint Insider Threat Management

The purpose of this document is to provide customers of Proofpoint’s Insider Threat Management (ITM) with the information necessary to assess how the product can support and enhance their data privacy strategy.

Insider Threat Management – Product Statement

The growth in remote work from anywhere and everywhere has redefined the security perimeter to one based on people, increasing the risk of insider-led data loss for organizations. At the same time, the frequency and volume of insider threats keeps rising, placing a significant burden on security teams to keep pace.

Proofpoint’s ITM solution provides visibility, context, and analysis to help security teams quickly detect and prevent insider-led data breaches, while accelerating incident investigations and response to mitigate damage. Endpoint DLP, a subset of ITM, focuses on the detection and prevention of risky file activity by everyday users while ITM focuses on identifying and monitoring the riskiest users.

Information Processed by Proofpoint’s Insider Threat Management

ITM filters and processes some personal data elements as users use their organization-issued endpoints to complete their job responsibilities. This is done to protect against insider threats and endpoint data loss. The types of data include:

  • Personal financial information (sometimes known as PCI data) including but not limited to credit card numbers, bank account numbers
  • Personal healthcare information including but not limited to national identifiers, insurance numbers
  • Personal identifiable information (PII) including but not limited to names, email addresses
  • Personal data included on the user’s screen when visual capture is enabled

Customer Access to ITM Data and Privacy Options

Access to ITM data may be controlled by policies set-up by security administrators. Access can be assigned to specific users and groups. Data is made available to authorized users and groups through the solution’s dashboard.

How Proofpoint Retains Records

Proofpoint customers can select a retention period (30 days, 90 days, 120 days or 366 days) for which the data is retained in the Platform after which the data is securely deleted on a rolling basis.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site.


Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256.
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
  • Proofpoint has a secure development lifecycle that is aligned with the OWASP Top 10 framework.
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • A network operation center receives and responds to security alerts, escalating to on-call security personnel. [ITM does not integrate with the NOC today, managed by engineering team]
  • Proofpoint’s information security program undergoes an annual third-party audit for the Availability, Confidentiality, and Security trust services principles.

© 2022. All rights reserved. The content on this site is intended for informational purposes only.
Last updated April 27, 2022.