This table includes certain details of the Processing of Customer’s Personal Data as required by Article 28(3) GDPR (or as applicable, equivalent provisions of any other Data Protection Law).
Product
Data Subjects
Categories of Personal Data Processed
Processing Operations
Retention Period
Adaptive Email Security
Employees, contractors
Email sender and recipient names, subject line, header data, email addresses, IP addresses, all personal information contained in body of email and attachments.
Cloud-based email protection solution that employs a fully integrated layer of behavioral AI to help detect and prevent inbound business email compromise and lateral phishing while providing end-users with in-moment warning banners to help them decide whether an email is safe.
Categories of data retained for term of contract plus 35 days, except for Threat Analytics, which are retained for up to 18 months after collection.
As applicable, full body email content is retained for 6 months from processing.
Browser, E-mail Isolation and TAP URL Isolation
Employees, contractors
Email addresses, user site cookies, and browser history, and browser registration information (data center location, browser user-agent string).
Isolation is a remote, web-based browser that protects against URL threats by stripping all active content from requested sites and rendering a safe version of the page back to the end user. Isolation policies determine what users and URLs are isolated and what content and user actions are allowed in Isolation.
Up to 365 days after collection.
CASB / Proofpoint Account Takeover Protection
Employees, contractors
Cloud account holder metadata (e-mail addresses, names, position), file metadata and cloud account access logs, cloud application usage data.
Cloud Account Defense helps Customer detect suspicious activities around Customer’s cloud accounts and identify compromised cloud accounts.
Cloud App Security Broker uses policies to prevent the loss of Customer’s sensitive or confidential data contained in Customer’s cloud accounts. CASB IaaS Protection helps customer identify its IaaS resources, protect sensitive data within IaaS storage, and monitor and stop unauthorized logins to Customer’s Cloud accounts.
Proofpoint Account Takeover Protection helps Customer detect and remediate cloud account takeover attacks and identity suspicious activities around Customer’s cloud accounts.
As in accordance with Controller’s selected retention period and up to a maximum period of 366 days.
Threat Analytics, data is retained for up to 18 months after collection.
File metadata for sensitive files is retained for 36 months after collection.
Cloud Threat Response (SaaS Version of TRAP)
Employees, contractors, customers any other individual sending or receiving emails via Customer’s corporate email system
Email attachment file name, URLs in email, sender / receiver names, subject line, header data, email addresses, IP addresses
Cloud Threat Response is a SaaS incident management platform that includes automation to analyze and remove unwanted emails post-delivery.
Full message MIME data from user-reported emails only purged every 90 days from processing.
The retention of Threat Response Data is contingent on the Customer’s use of PhishAlarm / PhishAlarm Analyzer.
Cloudmark Active Filter, Authority, Content Categories, Insight Server, and Sender Intelligence; Cloudmark Spam Reporting Service
Employees, contractors, customers
Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers
Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.
30 days for messages reported by recipient as potentially harmful.
30 days for messages reported by recipient as not harmful.
Cloudmark Safe Messaging Cloud, Cloudmark Safe Messaging Cloud Hybrid
Employees, contractors, customers
Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers
Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.
30 days for messages reported by recipient as potentially harmful.
30 days for messages reported by recipient as not harmful.
Otherwise as negotiated by Controller.
Continuity
Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system
Any Personal Data included in an email
Continuity provides temporary storage of Customer inbound and outbound email within the on-demand, Web-based email. Continuity serves only as a secondary, emergency failover option in the event of failure of Customer’s email service, and not as a primary email archive solution or a primary failover solution
Messages expire after 30 days.
Digital Discover, Digital Protection, and Digital Compliance
Employees, contractors, customers, or any other individuals posting to Customer’s social media accounts
Corporate social media user account IDs, social media content, and option biographical information if included in corporate users’ account profile
Scanning of social media platforms to find accounts affiliated with a customer for fake, fraudulent, and defamatory accounts related to the customer. Analysis of static and interactive content. Connectors to the Archive service of social media as required for compliance
Up to 90 days from the end of Controller’s subscription, maximum
Email Data Loss Prevention (DLP)
Employees, contractors, and any other individuals sending or receiving e-mails via Customer’s corporate e-mail system
Any Personal Data included in an email
Email DLP utilizes policies to prevent the loss of Customer’s sensitive or confidential data through email.
Up to 366 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Email Encryption
Employees, contractors, customers and any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Any Personal Data included in an e-mail
Email Encryption provides a fully integrated message encryption and decryption solution.
Encrypted message content is retained as determined by the Controller (up to 366 days).
Email Fraud Defense (EFD)
Employees, contractors, customers, and any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Email header information, including email addresses, IP addresses, sender and recipient names.
EFD processes Domain-based Message Authentication, Reporting & Conformance (DMARC) aggregate reports and DMARC forensic message sample traffic for customer domains and evaluates the authenticity of senders based on sender authentication information, and to highlight traffic sent from unauthenticated and unauthorized sources.
Cloudmark forensic data is retained for 30 days after collection.
DMARC forensic data is retained for 90 days after collection.
DMARC non-PII aggregate data is retained indefinitely for analysis and quality control purposes.
Email Exfiltration Protection
Employees, contractors
Email sender and recipient names, subject line, header data, email addresses, email attachment key words, IP addresses, all personal information contained in body of email.
Cloud-based email protection service that prevents exfiltration to unauthorized accounts, and potential loss of proprietary data and intellectual property without predefined rules or deny lists.
Categories of data retained for term of contract plus 35 days.
As applicable, full body email content retained for 6 months from processing.
Email Protection
Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system
Any Personal Data included in an e-mail
Email Protection includes functions such as spam detection functions to identify and classify spam messages; virus protection functions to detect and filter messages containing known viruses; zero-hour anti-virus functions to detect and filter messages containing suspicious content; a quarantine folder to analysis and disposition of suspicious content.
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Email Protection Supernova Engine
Employees, contractors, and customers
Email sender and recipient names, subject line, header data, email addresses, IP addresses. Also limited message body content if Customer has configured its cluster to send to Proofpoint.
Engine that identifies and detects email patterns of its customers that fall outside of the normal email flow. Used to improve detection of all types of malicious or fraudulent emails or content including credential phishing, business email compromise, and other email attacks.
90 days from date of processing.
Email Threat Defense
Employees and contractors
Email sender and recipient names, subject line, header data, email addresses, email attachment key words, IP addresses, all personal information contained in body of email
Cloud-based email defense service which uses machine learning to detect and prevent inbound email attacks, while providing end-users with in-moment contextual warning banners to help them decide whether an email is safe.
Categories of data retained for term of contract plus 35 days, except for Threat Analytics, which are retained for up to 18 months after collection.
Full body email content retained for 6 months from processing.
Endpoint Data Loss Protection (Endpoint DLP)
Employees, contractors
Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, information such as application name, executable name, and window title.
Endpoint Data Loss Prevention deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. These Agents capture metadata recorded from the activities of licensed Users and the telemetry data is stored on Proofpoint’s multi-tenant Information and Cloud Security storage.
As in accordance with Controller’s selected retention period up to a maximum period of 366 days.
Essentials
Employees, contractors, customers
Any Personal Data included in an e-mail
Scanning, filtering, and routing in transit of e-mails sent to and received from parties external to the customer, via the customer’s corporate e-mail system.
If archive functionality is used, then see “Archive” above.
If TAP sandboxing is used, see TAP below.
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Insider Threat Management SaaS
Employees, contractors
Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, Application information such as application name, executable name, and window title. Additionally, ITM has the capability to capture screen content, which is configured and controlled by the customer. Screen capture could include any additional personal data displayed on the user’s screen.
ITM deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. The agents collect telemetry data about the activities of the device users, the data subjects. If enabled by data controller the agents can also capture screenshots of the users’ device activities. Customer solely determines whether to enable the screen capture capabilities, and the data retention period of such content. The telemetry and screen capture data is stored on Proofpoint’s multi-tenant ITM SaaS storage.
As In accordance with Controller’s selected retention period up to a maximum period of 366 days.
Internal Mail Defense (IMD)
Employees, contractors
Any Personal Data included in an e-mail
IMD leverages Email Protection and TAP features to protect Customer’s internal email communications against spam and malicious content.
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Misdirected Email Protection
Employees, contractors
Email sender and recipient names, subject line, header data, email addresses, email attachment key words, IP addresses, all personal information contained in body of email.
Cloud-based email protection service that prevents accidental data loss from misdirected emails and misattached files, preventing sensitive information being inadvertently sent to an unintended recipient.
Categories of data retained for term of contract plus 35 days.
As applicable, full body email content is retained for 6 months from processing.
Nexus People Risk Explorer (NPRE)
Employees, contractors
Names, e-mail addresses, any Personal Data contained in Threat Analytics.
Cloud application usage and user data is collected for NPRE customers owning CASB and TAP.
Proofpoint Nexus People Risk Explorer leverages people centric security data from Proofpoint’s Targeted Attack Protection, Security Awareness Training, Cloud Account Defense and Cloud Account Security Broker to provide insights into the types, severity and frequency of threats targeted at Customer and its employees.
Up to 12 months after collection.
Anti-Phishing Suite: includes PhishAlarm and PhishAlarmAnalyzer:
Employees, contractors
Name E-mail address Any Personal Data included in an e-mail
Routing and scanning suspicious emails reported by the end users with the PhishAlarm button. PhishAlarm Analyzer delivers highly responsive identification of phishing attacks in real time. Emails reported via PhishAlarm & PhishAlarm Analyzer are accessed and categorized and they are immediately available to Customer’s response teams.
Up to 30 days from the end of Controller’s subscription maximum; with the exception of Threat Analytics, which are retained for up to 18 months after collection
Proofpoint Archive (previously, Enterprise Archive)
Employees, contractors, and customers
Any Personal Data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments)
Archive is a cloud-based archiving solution designed for legal discovery, regulatory compliance and data access for Customer’s end users, and it provides a central, searchable repository that supports a wide range of content types.
As determined by the Controller
Proofpoint Automate (previously, NexusAI for Compliance)
Employees, contractors, and customers
Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments)
NexusAI for Compliance uses machine learning to evaluate supported archived messages (such as email, social media, collaboration platforms, and mobile messages) flagged for Customer’s review by Proofpoint’s Supervision (previously Intelligent Supervision) product.
Up to 24 hours from the end of Controller’s subscription, maximum
Proofpoint Capture (previously, Content Capture)
Employees, contractors and customers
Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments
Content Capture captures content from supported messaging and Cloud storage platforms and delivers it compliance services such as e-discovery, archive and supervision.
Up to 90 days from the end of Controller’s subscription, maximum
Proofpoint Certification Exam
Individual exam takers, customers, employees, contractors, and partners
Name, email address, training and/or exam completion status including pass/fail and scores
Proofpoint Certification Exam allows individuals to take exams covering different Proofpoint products and technologies. Exam takers will receive a Proofpoint subject matter certification for each individual exam they pass.
Indefinite unless otherwise agreed upon by the parties.
Proofpoint Certification Exam Training
Individual exam takers, customers, employees, contractors, and partners
Name, email address, training and/or exam completion status including pass/fail and scores
Proofpoint Certification Exam Training provides access to live instructor-led and online self-paced training courses to prepare exam takers for the Proofpoint Certification Exam.
Learning transcripts are retained for the term of contract with Proofpoint.
Proofpoint Intelligent Classification and Protection
Employees, contractors, customers and any individual viewing the document.
Any Personal Data included in a document.
Automatically locates and identifies sensitive and business-critical data to enhance existing data protection solutions such as labelling, encryption, access Control, data loss prevention, CASB and suggests protection rules and/or policies to the Customer
Up to 90 days from the end of Controller’s subscription, maximum
Proofpoint Patrol (previously, Content Patrol)
Employees, contractors and customers
Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments
Content Patrol allows Customers to capture, monitor, remediate and generate compliance reports about their end users’ activities on Customer controlled social media accounts.
Up to 90 days from the end of Controller’s subscription, maximum
Proofpoint Security Awareness (also known as PSAT)
Employees, contractors
Name, e-mail address, and additional data fields selected by the customer for upload to PSAT from customer’s Active Directory
Comprehensive approach to cybersecurity education, leveraging diverse learning methods to enhance organizational security.
Up to 90 days from the end of Controller’s subscription maximum; however, during Controller’s subscription, Controller’s admins may make changes to and delete users.
Proofpoint Shadow (On-premises)
Employees, contractors, and customers
The on-premises product processes source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login. If forensics is enabled, the product also processes file names users created, edited or removed, processes logged in users run and screenshots of users triggered incidents (by default not fetched. Fetched only if customer opted in)
An identity threat detection and response solution that stops bad actors from moving laterally through a customer’s environment by transforming endpoints into deceptions. Threat detection is accelerated by identifying the bad actor’s interaction with the endpoint deceptions.
Customers retain and store their own data pursuant to their record retention policies and/or guidelines.
Proofpoint Shadow (SaaS)
Employees, contractors, and customers
Source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login. If forensics is enabled, the product also processes file names users created, edited or removed, processes logged in users run and screenshots of users triggered incidents (by default not fetched. Fetched only if customer opted in).
An identity threat detection and response solution that stops bad actors from moving laterally through a customer’s environment by transforming endpoints into deceptions. Threat detection is accelerated by identifying the bad actor’s interaction with the endpoint deceptions.
Up to 12 months after collection.
Proofpoint Spotlight (On-premises)
Employees, contractors, and customers
The on-premises product processes source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login.
An identity threat detection and response solution that automatically discovers, prioritizes, and remediates identity vulnerabilities in a customer’s corporate environment including structure misconfigurations in Active Directory and Azure AD, exposed credentials on customer endpoint devices, and shadow admin threats.
Customers retain and store their own data in Spotlight for up to 12 months.
Proofpoint Spotlight (SaaS)
Employees, contractors, and customers
Source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login.
An identity threat detection and response solution that automatically discovers, prioritizes, and remediates identity vulnerabilities in a customer’s corporate environment including structure misconfigurations in Active Directory and Azure AD, exposed credentials on customer endpoint devices, and shadow admin threats.
Up to 6 months after collection.
Proofpoint Takedown
Employees, contractors
Email header information, including email addresses, IP addresses, sender and recipient names.
Proofpoint Takedown helps Customers safeguard against URL and domain-based attacks. Customers submit a takedown request to initiate the process of mitigating malicious domain and URL activity targeting Customer.
Takedown submissions retained indefinitely
Proofpoint Track (previously, Compliance Gateway)
Employees, contractors, and customers
Any personal data included in captured content including emails, instant messages, social media content, associated message telemetry and attachments.
Compliance Gateway acts as a central hub to filter and route message content to Customer’s archive, supervision, and analytic systems.
Up to 14 days from the end of Controller’s subscription.
Secure E-Mail Relay (SER)
Employees Contractors, any recipients of bulk emails sent via Customer’s corporate email system
Name, email address, any Personal Data included in an email.
Secure Email Relay (SER) is a hosted, multi-tenant solution that puts Customer in control of applications that send email using Customer’s owned or controlled domains. It adds a layer of security to each application and distributes the email to the Internet in a DMARC-compliant fashion after Proofpoint AS/AV checks are performed. SER may only be used for delivery of emails that comply with applicable bulk or unsolicited message laws.
Up to 30 days from the end of Controller’s subscription
Targeted Attack Protection (TAP)
Employees, contractors, customers any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Name, e-mail address, any Personal Data included in an e-mail.
TAP identifies and protects against malicious URLs and malicious attachments in emails using a dynamic malware analysis engine.
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Threat Response Auto-pull (TRAP) (on-premises version of Cloud Threat Response)
Employees, contractors, customers, and any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Name, email address, any Personal Data included in an email.
TRAP is an on-premises incident management platform that include automation to analyze and remove unwanted emails.
Retention of closed incidents is established by Controller.
Full message MIME data purged every 30 days for closed incidents.
Web Security
Employees, contractors
User email address and name and (optional phone number) and web traffic events selected by customers
Web Security deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. The agents directs web traffic of the device users to a cloud proxy. The proxy decrypts the SSL connection and inspect traffic to enforce policies set by the customer admins.
Up to 90 days from the end of Controller’s subscription.
Zero Trust Network Access (formerly Meta)
Employees, contractors
User email address and name and (optional phone number) and intranet traffic events such as accept/drop events and DNS queries (customer has the option to enable or disable logging internet traffic events)
Meta overlays a zero-trust network on top of customer’s corporate network. Users access the corporate network by connecting to the Meta network layer through a VPN with their login credentials. Once logged into the Meta network each user is assigned a unique identity that connects to the data exporter’s underlying corporate network and access to assets within the data exporter’s corporate network is accessed based on the user’s unique identity
Product
Adaptive Email Security
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email sender and recipient names, subject line, header data, email addresses, IP addresses, all personal information contained in body of email and attachments.
Processing Operations
Cloud-based email protection solution that employs a fully integrated layer of behavioral AI to help detect and prevent inbound business email compromise and lateral phishing while providing end-users with in-moment warning banners to help them decide whether an email is safe.
Retention Period
Categories of data retained for term of contract plus 35 days, except for Threat Analytics, which are retained for up to 18 months after collection.
As applicable, full body email content is retained for 6 months from processing.
Product
Browser, E-mail Isolation and TAP URL Isolation
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email addresses, user site cookies, and browser history, and browser registration information (data center location, browser user-agent string).
Processing Operations
Isolation is a remote, web-based browser that protects against URL threats by stripping all active content from requested sites and rendering a safe version of the page back to the end user. Isolation policies determine what users and URLs are isolated and what content and user actions are allowed in Isolation.
Retention Period
Up to 365 days after collection.
Product
CASB / Proofpoint Account Takeover Protection
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Cloud account holder metadata (e-mail addresses, names, position), file metadata and cloud account access logs, cloud application usage data.
Processing Operations
Cloud Account Defense helps Customer detect suspicious activities around Customer’s cloud accounts and identify compromised cloud accounts.
Cloud App Security Broker uses policies to prevent the loss of Customer’s sensitive or confidential data contained in Customer’s cloud accounts. CASB IaaS Protection helps customer identify its IaaS resources, protect sensitive data within IaaS storage, and monitor and stop unauthorized logins to Customer’s Cloud accounts.
Proofpoint Account Takeover Protection helps Customer detect and remediate cloud account takeover attacks and identity suspicious activities around Customer’s cloud accounts.
Retention Period
As in accordance with Controller’s selected retention period and up to a maximum period of 366 days.
Threat Analytics, data is retained for up to 18 months after collection.
File metadata for sensitive files is retained for 36 months after collection.
Product
Cloud Threat Response (SaaS Version of TRAP)
Data Subjects
Employees, contractors, customers any other individual sending or receiving emails via Customer’s corporate email system
Categories of Personal Data Processed
Email attachment file name, URLs in email, sender / receiver names, subject line, header data, email addresses, IP addresses
Processing Operations
Cloud Threat Response is a SaaS incident management platform that includes automation to analyze and remove unwanted emails post-delivery.
Retention Period
Full message MIME data from user-reported emails only purged every 90 days from processing.
The retention of Threat Response Data is contingent on the Customer’s use of PhishAlarm / PhishAlarm Analyzer.
Product
Cloudmark Active Filter, Authority, Content Categories, Insight Server, and Sender Intelligence; Cloudmark Spam Reporting Service
Data Subjects
Employees, contractors, customers
Categories of Personal Data Processed
Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers
Processing Operations
Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.
Retention Period
30 days for messages reported by recipient as potentially harmful.
30 days for messages reported by recipient as not harmful.
Product
Cloudmark Safe Messaging Cloud, Cloudmark Safe Messaging Cloud Hybrid
Data Subjects
Employees, contractors, customers
Categories of Personal Data Processed
Telemetry data associated with E-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers
Processing Operations
Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.
Retention Period
30 days for messages reported by recipient as potentially harmful.
30 days for messages reported by recipient as not harmful.
Otherwise as negotiated by Controller.
Product
Continuity
Data Subjects
Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system
Categories of Personal Data Processed
Any Personal Data included in an email
Processing Operations
Continuity provides temporary storage of Customer inbound and outbound email within the on-demand, Web-based email. Continuity serves only as a secondary, emergency failover option in the event of failure of Customer’s email service, and not as a primary email archive solution or a primary failover solution
Retention Period
Messages expire after 30 days.
Product
Digital Discover, Digital Protection, and Digital Compliance
Data Subjects
Employees, contractors, customers, or any other individuals posting to Customer’s social media accounts
Categories of Personal Data Processed
Corporate social media user account IDs, social media content, and option biographical information if included in corporate users’ account profile
Processing Operations
Scanning of social media platforms to find accounts affiliated with a customer for fake, fraudulent, and defamatory accounts related to the customer. Analysis of static and interactive content. Connectors to the Archive service of social media as required for compliance
Retention Period
Up to 90 days from the end of Controller’s subscription, maximum
Product
Email Data Loss Prevention (DLP)
Data Subjects
Employees, contractors, and any other individuals sending or receiving e-mails via Customer’s corporate e-mail system
Categories of Personal Data Processed
Any Personal Data included in an email
Processing Operations
Email DLP utilizes policies to prevent the loss of Customer’s sensitive or confidential data through email.
Retention Period
Up to 366 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Product
Email Encryption
Data Subjects
Employees, contractors, customers and any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Categories of Personal Data Processed
Any Personal Data included in an e-mail
Processing Operations
Email Encryption provides a fully integrated message encryption and decryption solution.
Retention Period
Encrypted message content is retained as determined by the Controller (up to 366 days).
Product
Email Fraud Defense (EFD)
Data Subjects
Employees, contractors, customers, and any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Categories of Personal Data Processed
Email header information, including email addresses, IP addresses, sender and recipient names.
Processing Operations
EFD processes Domain-based Message Authentication, Reporting & Conformance (DMARC) aggregate reports and DMARC forensic message sample traffic for customer domains and evaluates the authenticity of senders based on sender authentication information, and to highlight traffic sent from unauthenticated and unauthorized sources.
Retention Period
Cloudmark forensic data is retained for 30 days after collection.
DMARC forensic data is retained for 90 days after collection.
DMARC non-PII aggregate data is retained indefinitely for analysis and quality control purposes.
Product
Email Exfiltration Protection
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email sender and recipient names, subject line, header data, email addresses, email attachment key words, IP addresses, all personal information contained in body of email.
Processing Operations
Cloud-based email protection service that prevents exfiltration to unauthorized accounts, and potential loss of proprietary data and intellectual property without predefined rules or deny lists.
Retention Period
Categories of data retained for term of contract plus 35 days.
As applicable, full body email content retained for 6 months from processing.
Product
Email Protection
Data Subjects
Employees, contractors, and any other individuals sending or receiving e-mails via Controller’s corporate e-mail system
Categories of Personal Data Processed
Any Personal Data included in an e-mail
Processing Operations
Email Protection includes functions such as spam detection functions to identify and classify spam messages; virus protection functions to detect and filter messages containing known viruses; zero-hour anti-virus functions to detect and filter messages containing suspicious content; a quarantine folder to analysis and disposition of suspicious content.
Retention Period
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Product
Email Protection Supernova Engine
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
Email sender and recipient names, subject line, header data, email addresses, IP addresses. Also limited message body content if Customer has configured its cluster to send to Proofpoint.
Processing Operations
Engine that identifies and detects email patterns of its customers that fall outside of the normal email flow. Used to improve detection of all types of malicious or fraudulent emails or content including credential phishing, business email compromise, and other email attacks.
Retention Period
90 days from date of processing.
Product
Email Threat Defense
Data Subjects
Employees and contractors
Categories of Personal Data Processed
Email sender and recipient names, subject line, header data, email addresses, email attachment key words, IP addresses, all personal information contained in body of email
Processing Operations
Cloud-based email defense service which uses machine learning to detect and prevent inbound email attacks, while providing end-users with in-moment contextual warning banners to help them decide whether an email is safe.
Retention Period
Categories of data retained for term of contract plus 35 days, except for Threat Analytics, which are retained for up to 18 months after collection.
Full body email content retained for 6 months from processing.
Product
Endpoint Data Loss Protection (Endpoint DLP)
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, information such as application name, executable name, and window title.
Processing Operations
Endpoint Data Loss Prevention deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. These Agents capture metadata recorded from the activities of licensed Users and the telemetry data is stored on Proofpoint’s multi-tenant Information and Cloud Security storage.
Retention Period
As in accordance with Controller’s selected retention period up to a maximum period of 366 days.
Product
Essentials
Data Subjects
Employees, contractors, customers
Categories of Personal Data Processed
Any Personal Data included in an e-mail
Processing Operations
Scanning, filtering, and routing in transit of e-mails sent to and received from parties external to the customer, via the customer’s corporate e-mail system.
If archive functionality is used, then see “Archive” above.
If TAP sandboxing is used, see TAP below.
Retention Period
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Product
Insider Threat Management SaaS
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email address, device identifier such as IP address, user information such as name and user ID, website information such as URL and page name, Application information such as application name, executable name, and window title. Additionally, ITM has the capability to capture screen content, which is configured and controlled by the customer. Screen capture could include any additional personal data displayed on the user’s screen.
Processing Operations
ITM deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. The agents collect telemetry data about the activities of the device users, the data subjects. If enabled by data controller the agents can also capture screenshots of the users’ device activities. Customer solely determines whether to enable the screen capture capabilities, and the data retention period of such content. The telemetry and screen capture data is stored on Proofpoint’s multi-tenant ITM SaaS storage.
Retention Period
As In accordance with Controller’s selected retention period up to a maximum period of 366 days.
Product
Internal Mail Defense (IMD)
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Any Personal Data included in an e-mail
Processing Operations
IMD leverages Email Protection and TAP features to protect Customer’s internal email communications against spam and malicious content.
Retention Period
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Product
Misdirected Email Protection
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email sender and recipient names, subject line, header data, email addresses, email attachment key words, IP addresses, all personal information contained in body of email.
Processing Operations
Cloud-based email protection service that prevents accidental data loss from misdirected emails and misattached files, preventing sensitive information being inadvertently sent to an unintended recipient.
Retention Period
Categories of data retained for term of contract plus 35 days.
As applicable, full body email content is retained for 6 months from processing.
Product
Nexus People Risk Explorer (NPRE)
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Names, e-mail addresses, any Personal Data contained in Threat Analytics.
Cloud application usage and user data is collected for NPRE customers owning CASB and TAP.
Processing Operations
Proofpoint Nexus People Risk Explorer leverages people centric security data from Proofpoint’s Targeted Attack Protection, Security Awareness Training, Cloud Account Defense and Cloud Account Security Broker to provide insights into the types, severity and frequency of threats targeted at Customer and its employees.
Retention Period
Up to 12 months after collection.
Product
Anti-Phishing Suite: includes PhishAlarm and PhishAlarmAnalyzer:
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Name E-mail address Any Personal Data included in an e-mail
Processing Operations
Routing and scanning suspicious emails reported by the end users with the PhishAlarm button. PhishAlarm Analyzer delivers highly responsive identification of phishing attacks in real time. Emails reported via PhishAlarm & PhishAlarm Analyzer are accessed and categorized and they are immediately available to Customer’s response teams.
Retention Period
Up to 30 days from the end of Controller’s subscription maximum; with the exception of Threat Analytics, which are retained for up to 18 months after collection
Product
Proofpoint Archive (previously, Enterprise Archive)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
Any Personal Data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments)
Processing Operations
Archive is a cloud-based archiving solution designed for legal discovery, regulatory compliance and data access for Customer’s end users, and it provides a central, searchable repository that supports a wide range of content types.
Retention Period
As determined by the Controller
Product
Proofpoint Automate (previously, NexusAI for Compliance)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments)
Processing Operations
NexusAI for Compliance uses machine learning to evaluate supported archived messages (such as email, social media, collaboration platforms, and mobile messages) flagged for Customer’s review by Proofpoint’s Supervision (previously Intelligent Supervision) product.
Retention Period
Up to 24 hours from the end of Controller’s subscription, maximum
Product
Proofpoint Capture (previously, Content Capture)
Data Subjects
Employees, contractors and customers
Categories of Personal Data Processed
Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments
Processing Operations
Content Capture captures content from supported messaging and Cloud storage platforms and delivers it compliance services such as e-discovery, archive and supervision.
Retention Period
Up to 90 days from the end of Controller’s subscription, maximum
Product
Proofpoint Certification Exam
Data Subjects
Individual exam takers, customers, employees, contractors, and partners
Categories of Personal Data Processed
Name, email address, training and/or exam completion status including pass/fail and scores
Processing Operations
Proofpoint Certification Exam allows individuals to take exams covering different Proofpoint products and technologies. Exam takers will receive a Proofpoint subject matter certification for each individual exam they pass.
Retention Period
Indefinite unless otherwise agreed upon by the parties.
Product
Proofpoint Certification Exam Training
Data Subjects
Individual exam takers, customers, employees, contractors, and partners
Categories of Personal Data Processed
Name, email address, training and/or exam completion status including pass/fail and scores
Processing Operations
Proofpoint Certification Exam Training provides access to live instructor-led and online self-paced training courses to prepare exam takers for the Proofpoint Certification Exam.
Retention Period
Learning transcripts are retained for the term of contract with Proofpoint.
Product
Proofpoint Intelligent Classification and Protection
Data Subjects
Employees, contractors, customers and any individual viewing the document.
Categories of Personal Data Processed
Any Personal Data included in a document.
Processing Operations
Automatically locates and identifies sensitive and business-critical data to enhance existing data protection solutions such as labelling, encryption, access Control, data loss prevention, CASB and suggests protection rules and/or policies to the Customer
Retention Period
Up to 90 days from the end of Controller’s subscription, maximum
Product
Proofpoint Patrol (previously, Content Patrol)
Data Subjects
Employees, contractors and customers
Categories of Personal Data Processed
Any personal data included in captured content (including e-mails, instant messages, social media content, associated message telemetry and attachments
Processing Operations
Content Patrol allows Customers to capture, monitor, remediate and generate compliance reports about their end users’ activities on Customer controlled social media accounts.
Retention Period
Up to 90 days from the end of Controller’s subscription, maximum
Product
Proofpoint Security Awareness (also known as PSAT)
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Name, e-mail address, and additional data fields selected by the customer for upload to PSAT from customer’s Active Directory
Processing Operations
Comprehensive approach to cybersecurity education, leveraging diverse learning methods to enhance organizational security.
Retention Period
Up to 90 days from the end of Controller’s subscription maximum; however, during Controller’s subscription, Controller’s admins may make changes to and delete users.
Product
Proofpoint Shadow (On-premises)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
The on-premises product processes source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login. If forensics is enabled, the product also processes file names users created, edited or removed, processes logged in users run and screenshots of users triggered incidents (by default not fetched. Fetched only if customer opted in)
Processing Operations
An identity threat detection and response solution that stops bad actors from moving laterally through a customer’s environment by transforming endpoints into deceptions. Threat detection is accelerated by identifying the bad actor’s interaction with the endpoint deceptions.
Retention Period
Customers retain and store their own data pursuant to their record retention policies and/or guidelines.
Product
Proofpoint Shadow (SaaS)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
Source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login. If forensics is enabled, the product also processes file names users created, edited or removed, processes logged in users run and screenshots of users triggered incidents (by default not fetched. Fetched only if customer opted in).
Processing Operations
An identity threat detection and response solution that stops bad actors from moving laterally through a customer’s environment by transforming endpoints into deceptions. Threat detection is accelerated by identifying the bad actor’s interaction with the endpoint deceptions.
Retention Period
Up to 12 months after collection.
Product
Proofpoint Spotlight (On-premises)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
The on-premises product processes source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login.
Processing Operations
An identity threat detection and response solution that automatically discovers, prioritizes, and remediates identity vulnerabilities in a customer’s corporate environment including structure misconfigurations in Active Directory and Azure AD, exposed credentials on customer endpoint devices, and shadow admin threats.
Retention Period
Customers retain and store their own data in Spotlight for up to 12 months.
Product
Proofpoint Spotlight (SaaS)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
Source IPs, user names, email addresses, group membership, physical addresses for any address configured in Active Directory, employment information (e.g., start date, title) in the customer’s environment. In addition, the product processes connections to on-prem hosts (using hostnames or IPs) and external hosts (using IPs only), using various protocols like FTP, SSH, RDP, Telnet, Share (SMB), OS login.
Processing Operations
An identity threat detection and response solution that automatically discovers, prioritizes, and remediates identity vulnerabilities in a customer’s corporate environment including structure misconfigurations in Active Directory and Azure AD, exposed credentials on customer endpoint devices, and shadow admin threats.
Retention Period
Up to 6 months after collection.
Product
Proofpoint Takedown
Data Subjects
Employees, contractors
Categories of Personal Data Processed
Email header information, including email addresses, IP addresses, sender and recipient names.
Processing Operations
Proofpoint Takedown helps Customers safeguard against URL and domain-based attacks. Customers submit a takedown request to initiate the process of mitigating malicious domain and URL activity targeting Customer.
Retention Period
Takedown submissions retained indefinitely
Product
Proofpoint Track (previously, Compliance Gateway)
Data Subjects
Employees, contractors, and customers
Categories of Personal Data Processed
Any personal data included in captured content including emails, instant messages, social media content, associated message telemetry and attachments.
Processing Operations
Compliance Gateway acts as a central hub to filter and route message content to Customer’s archive, supervision, and analytic systems.
Retention Period
Up to 14 days from the end of Controller’s subscription.
Product
Secure E-Mail Relay (SER)
Data Subjects
Employees Contractors, any recipients of bulk emails sent via Customer’s corporate email system
Categories of Personal Data Processed
Name, email address, any Personal Data included in an email.
Processing Operations
Secure Email Relay (SER) is a hosted, multi-tenant solution that puts Customer in control of applications that send email using Customer’s owned or controlled domains. It adds a layer of security to each application and distributes the email to the Internet in a DMARC-compliant fashion after Proofpoint AS/AV checks are performed. SER may only be used for delivery of emails that comply with applicable bulk or unsolicited message laws.
Retention Period
Up to 30 days from the end of Controller’s subscription
Product
Targeted Attack Protection (TAP)
Data Subjects
Employees, contractors, customers any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Categories of Personal Data Processed
Name, e-mail address, any Personal Data included in an e-mail.
Processing Operations
TAP identifies and protects against malicious URLs and malicious attachments in emails using a dynamic malware analysis engine.
Retention Period
Up to 30 days after collection except for Threat Analytics, which are retained for up to 18 months after collection.
Product
Threat Response Auto-pull (TRAP) (on-premises version of Cloud Threat Response)
Data Subjects
Employees, contractors, customers, and any other individual sending or receiving e-mails via Customer’s corporate e-mail system
Categories of Personal Data Processed
Name, email address, any Personal Data included in an email.
Processing Operations
TRAP is an on-premises incident management platform that include automation to analyze and remove unwanted emails.
Retention Period
Retention of closed incidents is established by Controller.
Full message MIME data purged every 30 days for closed incidents.
Product
Web Security
Data Subjects
Employees, contractors
Categories of Personal Data Processed
User email address and name and (optional phone number) and web traffic events selected by customers
Processing Operations
Web Security deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by data controller. The agents directs web traffic of the device users to a cloud proxy. The proxy decrypts the SSL connection and inspect traffic to enforce policies set by the customer admins.
Retention Period
Up to 90 days from the end of Controller’s subscription.
Product
Zero Trust Network Access (formerly Meta)
Data Subjects
Employees, contractors
Categories of Personal Data Processed
User email address and name and (optional phone number) and intranet traffic events such as accept/drop events and DNS queries (customer has the option to enable or disable logging internet traffic events)
Processing Operations
Meta overlays a zero-trust network on top of customer’s corporate network. Users access the corporate network by connecting to the Meta network layer through a VPN with their login credentials. Once logged into the Meta network each user is assigned a unique identity that connects to the data exporter’s underlying corporate network and access to assets within the data exporter’s corporate network is accessed based on the user’s unique identity
Retention Period
Sign up to be notified about changes to Proofpoint’s Product Processing Operations
Please fill out the form below with a business email address to be notified of any changes to the list on the Proofpoint's Product Processing Operations. If a change occurs, you will receive an email to the email address provided below. By submitting your email address you consent to Proofpoint’s use of it to send you notices regarding changes to Proofpoint’s list of subprocessors.
If at any time you wish to unsubscribe from this list you may do so by clicking on the following link.
Thank you for your submission.
© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Ultimo aggiornamento November 12, 2024.