Data Privacy and Security Information Sheet:
Proofpoint Threat Response Auto-Pull

The purpose of this document is to provide customers of Proofpoint’s Threat Response Auto-Pull (TRAP) with the information necessary to assess how the service can support and enhance their data privacy strategy.

TRAP – Product Statement

TRAP is an email security solution used to respond to threats through automated and manual processes. TRAP ingests threat information from multiple alert sources and integrates with the customer’s mail server (Exchange, Office 365, G Suite, or Domino) to retrieve and move messages and optionally with the customer’s identity and access management solution (Microsoft Active Directory or Okta). The most common use cases are the following:

  • Using threat detection data obtained from Proofpoint TAP, TRAP removes copies of malicious emails from user mailboxes and implements business logic to find and remove internal copies of the message that were forwarded to others in your company. Additionally, TRAP can act on Indicators of confirmed interaction with the message such as permitted clicks on malicious URLs to reset the user’s password/lock a user account in Microsoft Active Directory/Okta if configured to do so.
  • Removal of malicious/unwanted messages from user mailboxes based on uploads of custom CSV files or search exports into the console by the customer’s security team.
  • Monitoring end-user submissions to an internal abuse mailbox email address typically monitored by customer security teams. TRAP provides automation benefit by analyzing messages sent to the customer’s abuse mailbox and provides security teams with a disposition on the contents of the message; messages found to be malicious can be subsequently removed from end user mailboxes.


Email Data Processed by TRAP

TRAP helps to prevent email attacks by effectively processing and analyzing the information it receives from the alert sources. This includes limited personal data.

The following is an example of a dangerous email that could be sent to your employees. Utilizing data aggregated by alert sources, TRAP would identify the malicious content found in the email and remove it from the original recipient’s mailbox as well as any mailboxes to which it was forwarded. The text in the blue boxes is representative of the steps taken by TRAP using information received from any source of alerts. It is not a comprehensive review.

Figure 1: Proofpoint Threat Response Auto-Pull

Customer Access to TRAP Data and Privacy Options

Organizational, user, and threat specific analysis results are available to the customer’s authorized users through the Threat Response Dashboard.

How Proofpoint Retains Records

TRAP is an on-premises solution deployed by the customer on their own VMWare or AWS infrastructure. Records are maintained in TRAP based on the customer’s data retention policies. Telemetry and diagnostic data can optionally be reported to Proofpoint to monitor the health of the appliance and diagnose configuration problems and is retained in an aggregated form until securely deleted.

Proofpoint’s Use of Subprocessors

Proofpoint utilizes subprocessors to provide its services. A comprehensive list of the subprocessors may be found on the Trust site.


Proofpoint maintains a documented information security program that is aligned with the requirements of NIST 800-53 and ISO 27001. Security controls include the following:

  • Data in transit is protected using HTTPS/TLS.
  • Encryption at rest is accomplished using AES 256.
  • Access control mechanisms are present for physical and logical access to the facilities and the infrastructure hosting the services.
  • Proofpoint has implemented policies and procedures for the identification and remediation of vulnerabilities in its products and services. Please see
  • Proofpoint leverages a distributed security monitoring infrastructure to monitor for and alert on security incidents.
  • A 24-7 network operation center receives and responds to security alerts, escalating to on-call security personnel.
  • Proofpoint’s information security program undergoes an annual third-party audit in the form of a SOC 2 Type II audit for the Availability, Confidentiality, and Security trust services principles.

© 2023. All rights reserved. The content on this site is intended for informational purposes only.
Last updated September 19, 2022.