The purpose of this document is to provide customers of Proofpoint’s cloud-based Secure Email Relay (SER) with the information necessary to assess how the product can support and enhance their data privacy strategy.
Secure Email Relay – Product Statement
Ensuring security and compliance for transactional emails is a challenge. SaaS applications controlled by third parties rarely offer sufficient email security measures, and emails originating from applications your company controls can be just as much of a compliance liability. Expanding on Proofpoint’s distinctive email security capabilities, SER streamlines security and compliance for transactional emails via a complete, integrated solution. Sender authentication, DMARC compliance, and content scanning are core to what SER provides out of the box. For teams with additional security requirements, Encryption, Data Loss Prevention, and Archiving can also be enabled for emails relayed through SER.
Information Processed by Proofpoint’s Secure Email Relay
SER scans and processes outbound transactional emails originating from senders configured to relay through SER, collecting and analyzing data in those emails to stop harmful or sensitive content from being delivered to recipients. This includes limited personal data embedded in the emails.
Customer Access to Secure Email Relay and Privacy Options
SER may be accessed by the customer’s administrator or authorized users. Processed data is made available to authorized users via API reporting and SIEM applications (Splunk and QRadar). Detailed reporting can be accessed through the Email Protection administrator console.
How Proofpoint Retains Records
Proofpoint does not use data from emails relayed through SER for enhancing Proofpoint’s threat detection capabilities. All data collected is retained in an aggregated form and is encrypted at rest until securely deleted.
Proofpoint’s Use of Subprocessors
Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site.
Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:
- Data in transit is protected using HTTPS/TLS.
- Encryption at rest is accomplished using AES-256.
- Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
- Proofpoint has a secure development lifecycle that is aligned with the OWASP Top 10 framework.
- Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
- A 24/7 network operation center receives and responds to security alerts, escalating to on-call security personnel.
- Proofpoint’s information security program undergoes an annual third-party audit in the form of a SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.
© 2022. All rights reserved. The content on this site is intended for informational purposes only.
Last updated July 19, 2022.