Proofpoint Product Processing

This table includes certain details of the Processing of Customer’s Personal Data as required by Article 28(3) GDPR (or as applicable, equivalent provisions of any other Data Protection Law).

Product

Browser, E-mail Isolation and TAP URL Isolation

Data Subjects

Employees and contractors.

Categories of Personal Data Processed

E-mail addresses, user site cookies, and browser history, and browser registration information (data center location, browser user-agent string).

Processing Operations

Isolation is a remote, web-based browser that protects against URL threats by stripping all active content from requested sites and rendering a safe version of the page back to the end user. Isolation policies determine what users and URLs are isolated and what content and user actions are allowed in Isolation.

Retention Period

Up to 365 days after collection.

 

Product

CAD/CASB

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Cloud account holder metadata (e-mail addresses, names, position), file metadata and cloud account access logs.

Processing Operations

Cloud Account Defense helps Customer detect suspicious activities around Customer’s cloud accounts and identify compromised cloud accounts.

 

Cloud App Security Broker uses policies to prevent the loss of Customer’s sensitive or confidential data contained in Customer’s cloud accounts. CASB IaaS Protection helps customer identify its IaaS resources, protect sensitive data within IaaS storage, and monitor and stop unauthorized logins to Customer’s Cloud accounts.

Retention Period

Up to 180 days from the end of Controller’s subscription maximum except for Threat Analytics, which is retained for up to 18 months after collection.

 

Product

Cloudmark Active Filter, Authority, Content Categories, Insight Server, and Sender Intelligence; Cloudmark Spam Reporting Service

Data Subjects

Employees, contractors, customers.

Categories of Personal Data Processed

Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers.

Processing Operations

Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.

Retention Period

30 days for messages reported by recipient as potentially harmful.

 

30 days for messages reported by recipient as not harmful.

 

Product

Cloudmark Safe Messaging Cloud, Cloudmark Safe Messaging Cloud Hybrid

Data Subjects

Employees, contractors, customers.

Categories of Personal Data Processed

Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers.

Processing Operations

Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.

Retention Period

30 days for messages reported by recipient as potentially harmful.

 

30 days for messages reported by recipient as not harmful.

 

Otherwise as negotiated by Controller.

 

Product

Continuity

Data Subjects

Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system.

Categories of Personal Data Processed

Any Personal Data included in an e-mail.

Processing Operations

Continuity provides temporary storage of Customer inbound and outbound email within the on-demand, Web-based email. Continuity serves only as a secondary, emergency failover option in the event of failure of Customer’s email service, and not as a primary email archive solution or a primary failover solution.

Retention Period

Messages expire after 30 days.

 

Product

Digital Discover, Digital Protection, and Digital Compliance.

Data Subjects

Employees, contractors, customers, or any other individuals posting to Customer’s social media accounts.

Categories of Personal Data Processed

Corporate social media user account IDs, social media content, and option biographical information if included in corporate users’ account profile.

Processing Operations

Scanning of social media platforms to find accounts affiliated with a customer for fake, fraudulent, and defamatory accounts related to the customer.

 

Analysis of static and interactive content. Connectors to the Archive service of social media as required for compliance.

Retention Period

Up to 90 days from the end of Controller’s subscription, maximum.

 

Product

Email Data Loss Prevention (DLP)

Data Subjects

Employees, contractors, and any other individuals sending or receiving e-mails via Customer’s corporate e-mail system.

Categories of Personal Data Processed

Any Personal Data included in an e-mail.

Processing Operations

Email DLP utilizes policies to prevent the loss of Customer’s sensitive or confidential data through email.

Retention Period

Up to 366 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

 

Product

Email Encryption

Data Subjects

Employees, contractors, customers and any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Categories of Personal Data Processed

Any Personal Data included in an e-mail.

Processing Operations

Email Encryption provides a fully integrated message encryption and decryption solution.

Retention Period

Encrypted message content is retained as determined by the Controller (up to 366 days).

 

Product

Email Fraud Defense (EFD)

Data Subjects

Employees, contractors, customers and any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Categories of Personal Data Processed

Email hdr information, including email addresses, IP addresses, sender and recipient names.

Processing Operations

EFD processes Domain-based Message Authentication, Reporting & Conformance (DMARC) aggregate reports and DMARC forensic message sample traffic for customer domains and evaluates the authenticity of senders based on sender authentication information, and to highlight traffic sent from unauthenticated and unauthorized sources.

Retention Period

Cloudmark forensic data is retained for 30 days after collection.

 

DMARC forensic data is retained for 90 days after collection.

 

Product

Email Protection

Data Subjects

Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system.

Categories of Personal Data Processed

Any Personal Data included in an e-mail.

Processing Operations

Email Protection includes functions such as spam detection functions to identify and classify spam messages; virus protection functions to detect and filter messages containing known viruses; zero-hour anti-virus functions to detect and filter messages containing suspicious content; a quarantine folder to analysis and disposition of suspicious content.

Retention Period

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

 

Product

Endpoint Data Loss Protection (Endpoint DLP)

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, Application information such as application name, executable name, and window title.

Processing Operations

Endpoint Data Loss Prevention deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. These Agents capture metadata recorded from the activities of licensed Users and the telemetry and screen capture data is stored on Proofpoint’s multi-tenant Information and Cloud Security storage.

Retention Period

As in accordance with Controller’s selected retention period up to a maximum period of 366 days.

 

Product

Essentials

Data Subjects

Employees, contractors, customers.

Categories of Personal Data Processed

Any Personal Data included in an e-mail.

Processing Operations

  • Scanning, filtering, and routing in transit of e-mails sent to and received from parties external to the customer, via the customer’s corporate e-mail system.
  • If archive functionality is used, then see "Archive" above.
  • If TAP sandboxing is used, see TAP below.

Retention Period

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

 

Product

Insider Threat Management SaaS

Data Subjects

Employees, contractors:

  1. ITM SaaS Administrators or analysts, using the web portal.
  2. Endpoint users, using data exporter’s endpoints on which the ITM SaaS agent has been installed.

Categories of Personal Data Processed

Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, Application information such as application name, executable name, and window title. Additionally, ITM has the capability to capture screen content, which is configured and controlled by the customer. Screen capture could include any additional personal data displayed on the user’s screen.

Processing Operations

ITM deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. The agents collect telemetry data about the activities of the device users, the data subjects. If enabled by data controller the agents can also capture screenshots of the users’ device activities. Customer solely determines whether to enable the screen capture capabilities, and the data retention period of such content. The telemetry and screen capture data is stored on Proofpoint’s multi-tenant ITM SaaS storage.

Retention Period

As In accordance with Controller’s selected retention period up to a maximum period of 366 days.

 

-->

 

Product

Internal Mail Defense (IMD)

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Any Personal Data included in an e-mail.

Processing Operations

IMD leverages Email Protection and TAP features to protect Customer’s internal email communications against spam and malicious content.

Retention Period

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

 

Product

Nexus People Risk Explorer

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Names, e-mail addresses, any Personal Data contained in Threat Analytics.

Processing Operations

Proofpoint Nexus People Risk Explorer leverages people centric security data from Proofpoint’s Targeted Attack Protection, Security Awareness Training, Cloud Account Defense and Cloud Account Security Broker to provide insights into the types, severity and frequency of threats targeted at Customer and its employees.

Retention Period

Up to 90 days from the end of Controller’s subscription, maximum.

 

Product

Anti-Phishing Suite: includes PhishAlarm and PhishAlarmAnalyzer:

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Name, e-mail address, any Personal Data included in an e-mail.

Processing Operations

Routing and scanning suspicious emails reported by the end users with the PhishAlarm button. PhishAlarm Analyzer delivers highly responsive identification of phishing attacks in real time. Emails reported via PhishAlarm & PhishAlarm Analyzer are accessed and categorized and they are immediately available to Customer’s response teams.

Retention Period

Up to 30 days from the end of Controller’s subscription maximum; with the exception of Threat Analytics, which are retained for up to 18 months after collection.

 

Product

Proofpoint Archive (previously, Enterprise Archive)

Data Subjects

Employees, contractors, and customers.

Categories of Personal Data Processed

Any Personal Data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments).

Processing Operations

Archive is a cloud-based archiving solution designed for legal discovery, regulatory compliance and data access for Customer’s end users, and it provides a central, searchable repository that supports a wide range of content types.

Retention Period

As determined by the Controller.

 

Product

Proofpoint Automate (previously, NexusAI for Compliance)

Data Subjects

Employees, contractors, and customers.

Categories of Personal Data Processed

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments).

Processing Operations

NexusAI for Compliance uses machine learning to evaluate supported archived messages (such as email, social media, collaboration platforms, and mobile messages) flagged for Customer’s review by Proofpoint’s Supervision (previously Intelligent Supervision) product.

Retention Period

Up to 24 hours from the end of Controller’s subscription, maximum.

 

Product

Proofpoint Capture (previously, Content Capture)

Data Subjects

Employees, contractors and customers.

Categories of Personal Data Processed

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments.

Processing Operations

Content Capture captures content from supported messaging and Cloud storage platforms and delivers it compliance services such as e-discovery, archive and supervision.

Retention Period

Up to 90 days from the end of Controller’s subscription, maximum.

 

Product

Proofpoint Patrol (previously, Content Patrol)

Data Subjects

Employees, contractors and customers.

Categories of Personal Data Processed

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments.

Processing Operations

Content Patrol allows Customers to capture, monitor, remediate and generate compliance reports about their end users’ activities on Customer controlled social media accounts.

Retention Period

Up to 90 days from the end of Controller’s subscription, maximum.

 

Product

Proofpoint Security Awareness Training (PSAT)

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Name, e-mail address, and additional data fields selected by the customer for upload to PSAT from customer’s Active Directory.

Processing Operations

Personal data is used for the rollout of employee Cyber Security Awareness training and employee security assessments and reporting.

Retention Period

Up to 90 days from the end of Controller’s subscription maximum; however, during Controller’s subscription, Controller’s admins may make changes to and delete users.

 

Product

Proofpoint Track (previously, Compliance Gateway)

Data Subjects

Employees, contractors and customers.

Categories of Personal Data Processed

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments.

Processing Operations

Compliance Gateway acts as a central hub to filter and route message content to Customer’s archive, supervision and analytic systems.

Retention Period

Up to 14 days from the end of Controller’s subscription, maximum.

 

Product

Secure E-Mail Relay (SER)

Data Subjects

Employees, contractors, any recipients of bulk e-mails sent via Customer’s corporate e-mail system.

Categories of Personal Data Processed

Name, e-mail address, any Personal Data included in an e-mail.

Processing Operations

Secure Email Relay (SER) is a hosted, multi-tenant solution that puts Customer in control of applications that send email using Customer’s owned or controlled domains. It adds a layer of security to each application and distributes the email to the Internet in a DMARC-compliant fashion after Proofpoint AS/AV checks are performed. SER may only be used for delivery of emails that comply with applicable bulk or unsolicited message laws.

Retention Period

Up to 30 days from the end of Controller’s subscription, maximum.

 

Product

SecureShare

Data Subjects

Employees, contractors, any other individual invited to view a shared file.

Categories of Personal Data Processed

Name, e-mail addresses.

Processing Operations

SecureShare is a secure method for the sharing of files and temporary storage of such files.

Retention Period

Up to 180 days after collection.

 

Product

Targeted Attack Protection (TAP)

Data Subjects

Employees, contractors, customers, any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Categories of Personal Data Processed

Name, e-mail address, any Personal Data included in an e-mail.

Processing Operations

TAP identifies and protects against malicious URLs and malicious attachments in emails using a dynamic malware analysis engine.

Retention Period

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

 

Product

Threat Response Auto-pull (TRAP)

Data Subjects

Employees, contractors, customers, any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Categories of Personal Data Processed

Name, e-mail address, any Personal Data included in an e-mail.

Processing Operations

TRAP is an incident management platform that includes automation to analyze and remove unwanted emails.

Retention Period

Retention of closed incidents is established by Controller.

 

Full message MIME data purged every 30 days for closed incidents.

 

Product

ThreatSimulator

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

Name, e-mail address.

Processing Operations

Personal data is used for simulated phishing campaigns. Customer may only conduct simulated phishing emails to domains owned or controlled by the Customer.

Retention Period

Upon customer request and within 90 days following such request.

 

Product

Zero Trust Network Access (formerly Meta)

Data Subjects

Employees, contractors.

Categories of Personal Data Processed

User email address and name and (optional phone number) and intranet traffic events such as accept/drop events and DNS queries (customer has the option to enable or disable logging internet traffic events).

Processing Operations

Meta overlays a zero-trust network on top of customer’s corporate network. Users access the corporate network by connecting to the Meta network layer through a VPN with their login credentials. Once logged into the Meta network each user is assigned a unique identity that connects to the data exporter’s underlying corporate network and access to assets within the data exporter’s corporate network is accessed based on the user’s unique identity.

Retention Period

Up to 90 days from the end of Controller’s subscription, maximum.

Product

Data Subjects

Categories of Personal Data Processed

Processing Operations

Retention Period

Browser, E-mail Isolation and TAP URL Isolation

Employees and contractors.

E-mail addresses, user site cookies, and browser history, and browser registration information (data center location, browser user-agent string).

Isolation is a remote, web-based browser that protects against URL threats by stripping all active content from requested sites and rendering a safe version of the page back to the end user. Isolation policies determine what users and URLs are isolated and what content and user actions are allowed in Isolation.

Up to 365 days after collection.

CAD/CASB

Employees, contractors.

Cloud account holder metadata (e-mail addresses, names, position), file metadata and cloud account access logs.

Cloud Account Defense helps Customer detect suspicious activities around Customer’s cloud accounts and identify compromised cloud accounts.

 

Cloud App Security Broker uses policies to prevent the loss of Customer’s sensitive or confidential data contained in Customer’s cloud accounts. CASB IaaS Protection helps customer identify its IaaS resources, protect sensitive data within IaaS storage, and monitor and stop unauthorized logins to Customer’s Cloud accounts.

Up to 180 days from the end of Controller’s subscription maximum except for Threat Analytics, which is retained for up to 18 months after collection.

Cloudmark Active Filter, Authority, Content Categories, Insight Server, and Sender Intelligence; Cloudmark Spam Reporting Service

Employees, contractors, customers.

Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers.

Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.

30 days for messages reported by recipient as potentially harmful.

 

30 days for messages reported by recipient as not harmful.

Cloudmark Safe Messaging Cloud, Cloudmark Safe Messaging Cloud Hybrid

Employees, contractors, customers.

Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers.

Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.

30 days for messages reported by recipient as potentially harmful.

 

30 days for messages reported by recipient as not harmful.

 

Otherwise as negotiated by Controller.

Continuity

Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system.

Any Personal Data included in an e-mail.

Continuity provides temporary storage of Customer inbound and outbound email within the on-demand, Web-based email. Continuity serves only as a secondary, emergency failover option in the event of failure of Customer’s email service, and not as a primary email archive solution or a primary failover solution.

Messages expire after 30 days.

Digital Discover, Digital Protection, and Digital Compliance

Employees, contractors, customers, or any other individuals posting to Customer’s social media accounts.

Corporate social media user account IDs, social media content, and option biographical information if included in corporate users’ account profile.

Scanning of social media platforms to find accounts affiliated with a customer for fake, fraudulent, and defamatory accounts related to the customer.

 

Analysis of static and interactive content. Connectors to the Archive service of social media as required for compliance.

Up to 90 days from the end of Controller’s subscription, maximum.

Email Data Loss Prevention (DLP)

Employees, contractors, and any other individuals sending or receiving e-mails via Customer’s corporate e-mail system.

Any Personal Data included in an e-mail.

Email DLP utilizes policies to prevent the loss of Customer’s sensitive or confidential data through email.

Up to 366 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

Email Encryption

Employees, contractors, customers and any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Any Personal Data included in an e-mail.

Email Encryption provides a fully integrated message encryption and decryption solution.

Encrypted message content is retained as determined by the Controller (up to 366 days).

Email Fraud Defense (EFD)

Employees, contractors, customers and any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Email hdr information, including email addresses, IP addresses, sender and recipient names.

EFD processes Domain-based Message Authentication, Reporting & Conformance (DMARC) aggregate reports and DMARC forensic message sample traffic for customer domains and evaluates the authenticity of senders based on sender authentication information, and to highlight traffic sent from unauthenticated and unauthorized sources.

Cloudmark forensic data is retained for 30 days after collection.

 

DMARC forensic data is retained for 90 days after collection.

Email Protection

Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system.

Any Personal Data included in an e-mail.

Email Protection includes functions such as spam detection functions to identify and classify spam messages; virus protection functions to detect and filter messages containing known viruses; zero-hour anti-virus functions to detect and filter messages containing suspicious content; a quarantine folder to analysis and disposition of suspicious content.

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

Endpoint Data Loss Protection (Endpoint DLP)

Employees, contractors.

Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, Application information such as application name, executable name, and window title.

Endpoint Data Loss Prevention deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. These Agents capture metadata recorded from the activities of licensed Users and the telemetry and screen capture data is stored on Proofpoint’s multi-tenant Information and Cloud Security storage.

As in accordance with Controller’s selected retention period up to a maximum period of 366 days.

Essentials

Employees, contractors, customers.

Any Personal Data included in an e-mail.

  • Scanning, filtering, and routing in transit of e-mails sent to and received from parties external to the customer, via the customer’s corporate e-mail system.
  • If archive functionality is used, then see "Archive" above.
  • If TAP sandboxing is used, see TAP below.

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

Insider Threat Management SaaS

Employees, contractors:

  1. ITM SaaS Administrators or analysts, using the web portal.
  2. Endpoint users, using data exporter’s endpoints on which the ITM SaaS agent has been installed.

Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, Application information such as application name, executable name, and window title. Additionally, ITM has the capability to capture screen content, which is configured and controlled by the customer. Screen capture could include any additional personal data displayed on the user’s screen.

ITM deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. The agents collect telemetry data about the activities of the device users, the data subjects. If enabled by data controller the agents can also capture screenshots of the users’ device activities. Customer solely determines whether to enable the screen capture capabilities, and the data retention period of such content. The telemetry and screen capture data is stored on Proofpoint’s multi-tenant ITM SaaS storage.

As In accordance with Controller’s selected retention period up to a maximum period of 366 days.

Internal Mail Defense (IMD)

Employees, contractors.

Any Personal Data included in an e-mail.

IMD leverages Email Protection and TAP features to protect Customer’s internal email communications against spam and malicious content.

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

Nexus People Risk Explorer

Employees, contractors.

Names, e-mail addresses, any Personal Data contained in Threat Analytics.

Proofpoint Nexus People Risk Explorer leverages people centric security data from Proofpoint’s Targeted Attack Protection, Security Awareness Training, Cloud Account Defense and Cloud Account Security Broker to provide insights into the types, severity and frequency of threats targeted at Customer and its employees.

Up to 90 days from the end of Controller’s subscription, maximum.

Anti-Phishing Suite: includes PhishAlarm and PhishAlarmAnalyzer:

Employees, contractors.

Name, e-mail address, any Personal Data included in an e-mail.

Routing and scanning suspicious emails reported by the end users with the PhishAlarm button. PhishAlarm Analyzer delivers highly responsive identification of phishing attacks in real time. Emails reported via PhishAlarm & PhishAlarm Analyzer are accessed and categorized and they are immediately available to Customer’s response teams.

Up to 30 days from the end of Controller’s subscription maximum; with the exception of Threat Analytics, which are retained for up to 18 months after collection.

Proofpoint Archive (previously, Enterprise Archive)

Employees, contractors, and customers.

Any Personal Data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments).

Archive is a cloud-based archiving solution designed for legal discovery, regulatory compliance and data access for Customer’s end users, and it provides a central, searchable repository that supports a wide range of content types.

As determined by the Controller.

Proofpoint Automate (previously, NexusAI for Compliance)

Employees, contractors, and customers.

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments).

NexusAI for Compliance uses machine learning to evaluate supported archived messages (such as email, social media, collaboration platforms, and mobile messages) flagged for Customer’s review by Proofpoint’s Supervision (previously Intelligent Supervision) product.

Up to 24 hours from the end of Controller’s subscription, maximum.

Proofpoint Capture (previously, Content Capture)

Employees, contractors and customers.

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments.

Content Capture captures content from supported messaging and Cloud storage platforms and delivers it compliance services such as e-discovery, archive and supervision.

Up to 90 days from the end of Controller’s subscription, maximum.

Proofpoint Patrol (previously, Content Patrol)

Employees, contractors and customers.

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments.

Content Patrol allows Customers to capture, monitor, remediate and generate compliance reports about their end users’ activities on Customer controlled social media accounts.

Up to 90 days from the end of Controller’s subscription, maximum.

Proofpoint Security Awareness Training (PSAT)

Employees, contractors.

Name, e-mail address, and additional data fields selected by the customer for upload to PSAT from customer’s Active Directory.

Personal data is used for the rollout of employee Cyber Security Awareness training and employee security assessments and reporting.

Up to 90 days from the end of Controller’s subscription maximum; however, during Controller’s subscription, Controller’s admins may make changes to and delete users.

Proofpoint Track (previously, Compliance Gateway)

Employees, contractors and customers.

Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments.

Compliance Gateway acts as a central hub to filter and route message content to Customer’s archive, supervision and analytic systems.

Up to 14 days from the end of Controller’s subscription, maximum.

Secure E-Mail Relay (SER)

Employees, contractors, any recipients of bulk e-mails sent via Customer’s corporate e-mail system.

Name, e-mail address, any Personal Data included in an e-mail.

Secure Email Relay (SER) is a hosted, multi-tenant solution that puts Customer in control of applications that send email using Customer’s owned or controlled domains. It adds a layer of security to each application and distributes the email to the Internet in a DMARC-compliant fashion after Proofpoint AS/AV checks are performed. SER may only be used for delivery of emails that comply with applicable bulk or unsolicited message laws.

Up to 30 days from the end of Controller’s subscription, maximum.

SecureShare

Employees, contractors, any other individual invited to view a shared file.

Name, e-mail addresses.

SecureShare is a secure method for the sharing of files and temporary storage of such files.

Up to 180 days after collection.

Targeted Attack Protection (TAP)

Employees, contractors, customers, any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Name, e-mail address, any Personal Data included in an e-mail.

TAP identifies and protects against malicious URLs and malicious attachments in emails using a dynamic malware analysis engine.

Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.

Threat Response Auto-pull (TRAP)

Employees, contractors, customers, any other individual sending or receiving e-mails via Customer’s corporate e-mail system.

Name, e-mail address, any Personal Data included in an e-mail.

TRAP is an incident management platform that includes automation to analyze and remove unwanted emails.

Retention of closed incidents is established by Controller.

 

Full message MIME data purged every 30 days for closed incidents.

ThreatSimulator

Employees, contractors.

Name, e-mail address.

Personal data is used for simulated phishing campaigns. Customer may only conduct simulated phishing emails to domains owned or controlled by the Customer.

Upon customer request and within 90 days following such request.

Zero Trust Network Access (formerly Meta)

Employees, contractors.

User email address and name and (optional phone number) and intranet traffic events such as accept/drop events and DNS queries (customer has the option to enable or disable logging internet traffic events).

Meta overlays a zero-trust network on top of customer’s corporate network. Users access the corporate network by connecting to the Meta network layer through a VPN with their login credentials. Once logged into the Meta network each user is assigned a unique identity that connects to the data exporter’s underlying corporate network and access to assets within the data exporter’s corporate network is accessed based on the user’s unique identity.

Up to 90 days from the end of Controller’s subscription, maximum.

Sign up to be notified about changes to Proofpoint’s Product Processing Operations

Please fill out the form below with a business email address to be notified of any changes to the list on the Proofpoint's Product Processing Operations. If a change occurs, you will receive an email to the email address provided below.  By submitting your email address you consent to Proofpoint’s use of it to send you notices regarding changes to Proofpoint’s list of subprocessors.

If at any time you wish to unsubscribe from this list you may do so by clicking on the following link. 

Unsubscribe

Thank you for your submission.

© 2023. All rights reserved. The content on this site is intended for informational purposes only.
Last updated January 17, 2023.