Data Privacy and Security Information Sheet:
Proofpoint Security Awareness Training


The purpose of this document is to provide customers of Proofpoint Security Awareness Training with the information necessary to assess how the product meets the requirements of their data privacy strategy.

Proofpoint Security Awareness Training – Product Statement

Proofpoint Security Awareness Training is an integrated product set which incorporates self-paced training modules, simulated phishing, and malicious email reporting. The product is hosted in one of three geographically dispersed multi-tenant Amazon Web Services environments, which allows performant access from around the world.

The product includes simulated phishing attacks, knowledge assessments, interactive training, email reporting and analysis, and administrative tools that include comprehensive reporting.

Simulated phishing attacks send simulated phishing emails to a customer’s employees to determine their vulnerability to attacks. Knowledge assessments are accomplished through predefined or configurable multiple-choice questions which determine the level of understanding of various aspects of security. Interactive training includes a host of administrator-selected content delivered as dynamic interactive web activities and videos. Email reporting and analysis allows employees to self-report suspicious emails from their email client or web browser and can provide analysis of the email to aid the customer’s security team in identifying and prioritizing potential attacks.

Information Processed by Proofpoint Security Awareness Training

As part of the rollout of Proofpoint Security Awareness Training and employee security assessments and reporting, Proofpoint processes limited amounts of personal data, including first and last name, e-mail addresses, and additional data fields selected by the customer for upload to Proofpoint Security Awareness Training from the customer’s Active Directory.

As part of the analysis of suspicious emails, Proofpoint processes limited amounts of personal data, including sender and recipient e-mail addresses and sender and recipient IP addresses. Other data processed by Proofpoint includes e-mail headers, subject lines, attachment names, and URLs.

Customer Access to Proofpoint Security Awareness Training Data and Privacy Options

Proofpoint Security Awareness Training data may be accessed by the customer’s administrators or authorized users. Processing results are made available to authorized users through the product’s comprehensive dashboard.

How Proofpoint Retains Records

Results of customer employee security awareness training and phishing simulation are available to the customer for the term of the agreement.

To protect organizations from ongoing threats, Proofpoint analyzes the email directed to PhishAlarm Analyzer and applies the results to its scanning and filtering process. Emails directed to PhishAlarm Analyzer are retained for 30 days, and the results of analysis are retained for 18 months.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site.

Security

Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256.
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
  • Proofpoint has a secure development lifecycle that is aligned with the OWASP Top 10 framework.
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • A 24x7 network operations center receives and responds to security alerts, escalating to on-call security personnel.
  • Proofpoint’s information security program undergoes an annual third-party audit in the form of a SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.

© 2022. All rights reserved. The content on this site is intended for informational purposes only.
Last updated April 27, 2022.