Data Privacy and Security Information Sheet:
Proofpoint Secure Email Relay

View Data Map

The purpose of this document is to provide customers of Proofpoint’s cloud-based Secure Email Relay (SER) with the information necessary to assess how the product can support and enhance their data privacy strategy.

Secure Email Relay – Product Statement

Ensuring security and compliance for transactional emails is a challenge. SaaS applications controlled by third parties rarely offer sufficient email security measures, and emails originating from applications your company controls can be as much of a liability for compliance reasons. Expanding on Proofpoint’s distinctive email security capabilities, SER streamlines security and compliance for transactional emails via a complete, integrated solution. Sender authentication, DMARC compliance, and content scanning are core to what SER provides out-of-the-box. For teams with additional security requirements, Encryption, Data Loss Prevention, and Archiving can also be enabled for emails relayed through SER.

Information Processed by Proofpoint’s Secure Email Relay

SER scans and processes outbound transactional emails originating from senders configured to relay through SER, collecting and analyzing data in those emails to stop harmful or sensitive content from being delivered to recipients. This includes limited personal data embedded in the emails.

Customer Access to Secure Email Relay and Privacy Options

SER may be accessed by the customer’s administrator or authorized users. Processed data is made available to authorized users via API reporting and SIEM applications (Splunk and QRadar). Detailed reporting can be accessed through the Email Protection administrator console.

How Proofpoint Retains Records

Proofpoint does not use data from emails relayed through SER for enhancing Proofpoint’s threat detection capabilities. All data collected is retained in an aggregated form, and is encrypted-at-rest, until securely deleted.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site


Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256.
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
  • Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • A 24-7 network operation center receives and responds to security alerts, escalating to on-call security personnel.
  • Proofpoint’s information security program undergoes an annual third-party audit in the form of a SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.

© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated November 10, 2023.