CUSTOMER-PROOFPOINT DATA PROCESSING AGREEMENT

This Data Processing Agreement (this “DPA”), effective as of the signature date below, is made by and between the customer identified below (“Customer”) and Proofpoint, Inc., a company incorporated under the laws of the state of Delaware and having its place of business at 925 W. Maude Avenue, Sunnyvale, CA 94085, USA (“Proofpoint”).

This DPA supplements and is incorporated by reference into: (1) the Proofpoint Master Subscription Agreement or the General Terms and Conditions and the applicable Product Exhibit(s), (2) an end user license agreement (including the online Customer Agreement, an EULA, and if any, a clickwrap or clickthrough agreement) accepted by Customer upon its initial access to Proofpoint products or services, or (3) any other written and signed license agreement between the parties under which Proofpoint’s products or services are provided to Customer (collectively the “Services Agreements”), to the extent relevant to the processing of Personal Information related to each such Services Agreement.

This DPA sets forth the terms and conditions under which Proofpoint may receive Personal Information (as defined below) from Customer and process it for certain purposes. Each party covenants and warrants that it has the right and authority to enter into this DPA on behalf of itself and its affiliated companies. The parties further agree to be bound by the terms and conditions in the attached Schedules and Exhibit, which shall form integral parts of this DPA. This DPA has been pre-signed by Proofpoint. For this DPA to be effective, Customer must:

1. Complete and sign the information block below with Customer’s full legal entity name, address, and signatory information; and
2. Submit the completed and signed DPA to Proofpoint via email to privacy@proofpoint.com.

If Customer makes any deletions or other revisions to this DPA, those deletions or revisions are hereby rejected and invalid, unless expressly agreed in writing by Proofpoint.

This DPA will terminate automatically upon termination of all the Services Agreements, or as earlier terminated pursuant to the terms of this DPA.

Customer:                                Proofpoint, Inc.
Signature:                               Signature:
Name:                                    Name:
Date:
Address:

SCHEDULE 1
DATA PROCESSING TERMS

1. Definitions.

“Anti-Social Forces” means an organized crime group (boryokudan), an organized crime group member (boryokudan in) or an associated member of an organized crime group (boryokudan jun koseiin), a corporation related to an organized crime group (boryokudan kankei kigyo) or an organization related to an organized crime group (boryokudan kankei dantai), a corporate racketeer (sokaiya), a group engaging in criminal activities under the pretext of conducting social or political campaigns (shakai undo to hyobo goro), a crime group specialized in intellectual crimes (tokushu chino boryoku shudan), or any other similar person, entity or organization.

“APPI” means the Act on the Protection of Personal Information of Japan (Act No. 57 of 2003), including all regulations enacted in connection therewith, as the same may be amended, supplemented, or replaced from time to time.

“Customer Data” means company information, Personal Data, Personal Information, and customer information that relates to Customer’s relationship with Proofpoint and/or a Partner, including the names or contact information of authorized support and administrative contacts with access to Customer’s accounts and billing information, information needed to verify user identities, and/or information needed to perform legal obligations under such relationship.

“Data Protection Laws” means all laws and regulations applicable to the processing of Personal Information under this Agreement, including the APPI.

“Data Subject” means the identified or identifiable person to whom Personal Information relates.

“Partner” means Proofpoint’s distributors, resellers, MSPs (managed service providers), and any other persons or entities that are contracted by Proofpoint and provide services related to Proofpoint’s products or services for or on behalf of Proofpoint.

“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual, and any other information that is defined as “Personal Information (kojin joho)” under the APPI.

“Personal Data” means Personal Information that constitutes or is part of a database, and any other Personal Information that is defined as “Personal Data (kojin deta)” under the APPI.

“Security Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Personal Information.

“Service(s)” means, collectively, Proofpoint products and services offered by Proofpoint, including through a Partner, to Customer.

“Sub-processor” means any person or entity appointed by Proofpoint to process (including to collect) Personal Information provided to Proofpoint by Customer or otherwise made available to Proofpoint during the course of provision of the Services under this DPA.

“Supervisory Authority” means any governmental, regulatory, or supervisory body that has authority to regulate and supervise the processing of Personal Information under this DPA.

2. Processing of Personal Information.

2.1. The nature and purposes of the processing of Personal Information by Proofpoint, the types of Personal Information processed, and the categories of Data Subjects concerned are set forth in Exhibit A to this DPA, depending on the Service provided. The details of the subject matters and the duration of the processing of Personal Information shall be set out in the relevant Services Agreements. Proofpoint shall not process any Personal Information for any other purposes, unless otherwise agreed by Customer or required by applicable Data Protection Laws, or the relevant Data Subject authorizes such processing.

2.2. Customer is responsible for the accuracy, quality, and legality of the Personal Information provided or otherwise made available to Proofpoint or its affiliates (or its or its affiliates’ Sub-processors), and the means by which Customer acquires, provides or makes available such Personal Information. Customer represents and warrants to Proofpoint, at each time when it provides or otherwise makes available to Proofpoint or its affiliates (or its or its affiliates’ Sub-processors) any Personal Information, (a) that the relevant Personal Information is true and accurate, has been lawfully obtained, and is being lawfully provided, (b) that all approvals and consents and other procedures required under Data Protection Laws to provide or make available such Personal Information have been duly obtained or completed, and (c) that Customer has taken all other steps required under applicable Data Protection Laws in connection with the handling of such Personal Information, including the publication or notice to the Data Subject of the purposes of use of such Personal Information.

2.3. The Services Agreements and this DPA hereby form Customer’s instructions to Proofpoint regarding (a) the processing of Personal Information, and (b) the transfer of such Personal Information to any country or territory, when reasonably necessary for the provision of the Service.

2.4. Proofpoint undertakes to process Personal Information in accordance with applicable Data Protection Laws, and to refrain from any use of Personal Information that would result in or induce any unlawful or improper act in relation to Personal Information.

3. Data Protection Impact Assessment and Cooperation with Supervisory Authorities. Proofpoint shall provide reasonable assistance to Customer in connection with any data protection impact assessment, to the extent Customer does not otherwise have access to the relevant information, and to the extent that such information is available to Proofpoint. Proofpoint shall, in the performance of the Services, provide reasonable assistance to Customer in the cooperation or consultation by Customer with a Supervisory Authority.

4. Rights of Data Subjects. Customer shall be solely responsible for responding to (a) a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, right to be forgotten, data portability, objection to the processing, or right not to be subject to automated decision making (to the extent available under the relevant Data Protection Laws), or any other statutory right as a Data Subject, in respect of his or her Personal Information obtained in relation to the Services, and (b) a complaint from a Data Subject about the processing of his or her Personal Information in connection with the Services. Proofpoint shall, to the extent legally permitted, promptly notify Customer if it receives any such request or complaint. Taking into account the nature of the processing of Personal Information by Proofpoint, and in accordance with the applicable Data Protection Laws, Proofpoint shall provide reasonable assistance to Customer by appropriate technical and organizational measures in the fulfilment of Customer’s obligation to respond to such request or complaint.

5. Limited use of Personal Information; Personnel.

5.1. Limited use of Personal Information. Except as otherwise set forth in the Services Agreements, and except with respect to any Personal Information which Proofpoint obtained directly from Data Subjects with their consent to the use thereof for purposes not related to the Services, Proofpoint shall not acquire any rights in or to the Personal Information and Personal Data provided to it by Customer or made available to it in the course of provision of the Services, and therefore no such Personal Information or Personal Data shall constitute Retained Personal Data (hoyu kojin de-ta) (as defined in the APPI) of Proofpoint. In respect of such Personal Information or Personal Data, Customer shall be solely responsible for performing the obligations imposed by the APPI on holders of Retained Personal Data.

5.2. Personnel. Proofpoint shall take reasonable steps (a) to ensure the reliability of any employee, agent, or contractor of Proofpoint and any Sub-processor who may have access to such Personal Information or Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Information and Personal Data, as strictly necessary for the purposes of the Services Agreements, and (b) to comply with applicable Data Protection Laws, ensuring that all such individuals are notified of the confidential nature of such Personal Information or Personal Data and are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

6. Sub-processors

6.1. Appointment of Sub-processors. Customer hereby provides general consent to Proofpoint to use Sub-processors. Customer acknowledges and agrees that (a) Proofpoint’s affiliates may be retained as Sub-processors, and (b) Proofpoint and its affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Proofpoint or its affiliate(s) engaging a Sub-processor shall enter into a written agreement with each such Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data, to the extent applicable depending on the nature of the Service provided by such Sub-processor. Proofpoint shall remain fully responsible to Customer for the performance of Sub-processors’ obligations in accordance with its contract with Proofpoint or its affiliate(s).

6.2. List. The current list of Proofpoint’s Sub-processors for the Service is available at proofpoint.com/us/legal/trust. In the event Proofpoint makes any changes or additions to such list, to the extent Customer has subscribed to receive notifications on the Proofpoint Trust Site, Proofpoint shall provide notice of such changes by e-mail.

6.3. Objection. Customer may object to Proofpoint’s use of a new Sub-processor by notifying Proofpoint promptly in writing to privacy@proofpoint.com. In the event Customer objects to a new Sub-processor, Proofpoint will (after receipt of Customer’s written objection as stated in the previous sentence) reasonably determine whether accommodations can be made available to Customer to avoid processing of Personal Information by the objected-to new Sub-processor without unduly burdening Customer. If Proofpoint determines that such accommodations are not possible, or is unable to make such accommodations within a period of thirty (30) days after receiving such objection (the “Accommodation Period”), Customer may terminate the applicable ordering document with respect only to the Service which cannot be provided by Proofpoint without the use of the objected-to new Sub-processor by providing written notice to Proofpoint within thirty (30) days of Proofpoint’s determination not to make such accommodations or the expiration of the Accommodation Period.

6.4. Provision of Personal Data to Third Parties. Proofpoint shall not provide any Personal Data provided to it by Customer or made available to it in the course of provision of the Services to any third party without the consent of the Data Subject, except as set forth in Section 5 or 6, or as required or permitted under applicable Data Protection Laws.

7. Special Categories of Personal Information. Customer and its affiliates shall be solely responsible for compliance with applicable Data Protection Laws, as applicable to Customer and its affiliates, with respect to any Personal Information that requires special handling or special categories of Personal Information such as, without limitation, that which relates to an individual’s race or ethnicity, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life, or personal finances, and “Special Care-Required Personal Information (yohairyo kojin joho)” under the APPI.

8. Security of Personal Information. Proofpoint shall at a minimum implement the organizational, personnel, physical, and technical security control measures specified in Exhibit B to ensure the security of Personal Information. These measures include protecting Personal Information against a Security Breach. In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the Data Subjects.

9. Security Breach.

9.1. In the event that Proofpoint finds that any Security Breach has occurred, or is reasonably suspected to have occurred, Proofpoint shall notify Customer in writing of such Security Breach within forty-eight (48) hours and provide periodic updates afterwards.

9.2. Such notification shall contain, at least:

9.2.1. a description of the nature of the Security Breach (including, where possible, the type of Personal Information or Personal Data affected, and the categories and approximate number of Data Subjects affected and data records concerned);

9.2.2. the details of a contact point where more information concerning the Security Breach can be obtained; and

9.2.3. its likely consequences and the measures taken or proposed to be taken to address the Security Breach, including to mitigate its possible adverse effects and to prevent recurrence of such Security Breach;

provided that where, and insofar as, it is not possible to provide all of this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

9.3. In the event of a Security Breach, Proofpoint shall take reasonable steps to (a) prevent loss or damage arising out of such Security Breach from further expanding, (b) investigate and specify the cause(s) of such Security Breach, (c) identify the extent of Personal Information, Personal Data, and/or Data Subjects affected, (d) establish and implement measures to prevent recurrence of such Security Breach, and (e) as required by applicable Data Protection Laws, notify the Data Subjects concerned and the relevant Supervisory Authority of the Security Breach.

10. Transfer of Personal Data. Proofpoint shall abide by the requirements of applicable Data Protection Laws regarding the international transfer of Personal Information (including, where applicable, the requirement to disclose relevant information to the Data Subject and obtain the Data Subject’s consent). Solely for the provision of the Service to Customer under the Services Agreements, Personal Information may be transferred to and stored and/or processed in any country in which Proofpoint, its affiliates, or its or their Sub-processors operate, which may include third party countries.

10.1. Exclusion of Anti-Social Forces. Each party represents and warrants as of the date hereof, and covenants during the term of this DPA, that such party and its officers, directors, and major shareholders:

10.1.1. are not Anti-Social Forces; and

10.1.2. do not have any socially criticized relationship with any Anti-Social Forces, such as by providing funding or other support or conducting continuous business transactions.

10.2. Termination. Each party shall be entitled to terminate this DPA without prior notice if the other party breaches any of the representations, warranties, and covenants in Section 10.1.

11. Verification and Audit.

11.1. Proofpoint shall make available to Customer, upon reasonable written request and subject to the execution of a dedicated non-disclosure agreement, information related to the processing of Personal Information provided to it by Customer or otherwise made available to it in the course of provision of the Services that is reasonably necessary for Customer to verify Proofpoint’s compliance with the obligations under this DPA. Proofpoint shall allow for on-site inspection requests by Customer or an independent auditor appointed by it upon prior written notice, in relation to the processing of Personal Information, to verify that Proofpoint is in compliance with this DPA, if (a) there is any reasonable ground for Customer to believe that Proofpoint is not in compliance with this DPA; (b) a Security Breach has occurred; (c) an inspection is officially requested by a Supervisory Authority; or (d) applicable Data Protection Law provides Customer with a mandatory on-site inspection right; and provided that Customer (i) shall consult with Proofpoint in advance on the timing and scope of such inspection, (ii) shall enter into a dedicated non-disclosure agreement with Proofpoint, and (iii) shall not exercise this right more than once per year unless mandatory Data Protection Laws require more frequent inspections. Such on-site inspections shall be conducted in a manner that does not impact the ongoing safety, security, confidentiality, integrity, availability, continuity, and resilience of the inspected facilities or the operations of Proofpoint’s business, nor otherwise expose or compromise any confidential information processed therein.

11.2. Each party shall bear its own cost associated with any audit or inspection.

12. Termination. Customer acknowledges and agrees that in the event of a suspension or termination of any data processing under this DPA, the timeframe for Proofpoint’s cessation of all processing and deletion of personal data shall be governed by the Services Agreements.

13. Governing Law and Jurisdiction.

13.1. Governing Law. This DPA shall be governed by the governing law of the Services Agreements. If multiple Services Agreements designate more than one set of governing laws, this DPA shall be governed by the governing law of each such Services Agreement, to the extent this DPA is incorporated into each such Services Agreement.

13.2. Jurisdiction. Any dispute arising out of or in connection with this DPA shall be resolved exclusively by the dispute resolution proceedings specified in the relevant Services Agreements.

EXHIBIT A TO THE DPA: DETAILS OF PROCESSING

1. This Exhibit A includes certain details of the processing of Personal Information provided to Proofpoint by Customer or otherwise made available to Proofpoint during the course of provision of the Services.

The table has four columns: Product; Data Subjects; Categories of Personal Data; Processing. Each entry below gives those four columns for one product. Where the source text is illegible, the gap is marked “…”.

Product: Archive
Data Subjects: … customers and …
Categories of Personal Data: Any Personal Data included in captured content (including e-mails, instant messages, social media … and attachments)
Processing: Archive is a cloud-based archiving solution designed for legal discovery, regulatory compliance and data access for the customer’s end users, and it provides a central … repository that supports a wide range of content types.

Product: Cloud Account Defense; Cloud App Security Broker (CASB), including CASB IaaS Protection
Data Subjects: Employees, contractors and …
Categories of Personal Data: Cloud account holder metadata (e-mail …) and cloud account access logs
Processing: Cloud Account Defense helps the customer detect suspicious activities around the … cloud accounts and identify compromised cloud accounts. Cloud App Security Broker uses policies to prevent the loss of the customer’s sensitive or confidential data contained in the customer’s cloud accounts. CASB IaaS Protection helps the customer identify its IaaS resources, protect sensitive data within IaaS storage, and monitor and stop unauthorized logins to the customer’s cloud accounts.

Product: Cloudmark Active Filter, Authority, Content Categories, Insight Server, and Sender Intelligence
Data Subjects: Employees, contractors, customers
Categories of Personal Data: Telemetry data associated with e-mail, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers
Processing: Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.

Product: Cloudmark Safe Messaging Cloud
Data Subjects: …, contractors, customers
Categories of Personal Data: Telemetry data associated with email, SMS, MMS, and RCS, including email addresses, IP addresses, phone numbers
Processing: Cloudmark products leverage intelligent threat analysis to provide email and mobile messaging security against spam and malware.

Product: Compliance Gateway
Data Subjects: … customers
Categories of Personal Data: Any personal data included in captured content (including e-mails, instant messages, social media …)
Processing: Compliance Gateway acts as a central hub to filter and route message content to the customer’s archive, supervision and analytic …

Product: Content Capture
Data Subjects: … customers
Categories of Personal Data: Any personal data included in captured content (including e-mails, instant messages, social media …)
Processing: Content Capture captures content from supported messaging and Cloud storage platforms and delivers it to compliance services such as e-discovery, archive and …

Product: Content Patrol
Data Subjects: … customers
Categories of Personal Data: Any personal data included in captured content (including e-mails, instant messages, social media …, attachments)
Processing: Content Patrol allows customers to capture, monitor, remediate and generate compliance reports about their end users’ activities on customer controlled social media …

Product: Continuity
Data Subjects: Employees, contractors, and any … sending or receiving e-mails via customer’s corporate e-mail system
Categories of Personal Data: Any personal data included in an e-mail
Processing: Continuity … customer inbound and outbound email within … and Web-based email. Continuity serves only as a secondary, emergency failover option in the event of failure of the customer’s email service, and not as a primary email archive solution or a primary failover solution.

Product: Digital Discover, Digital Protection, and …
Data Subjects: Employees, contractors, customers, other … posting to … social media accounts
Categories of Personal Data: Corporate social media user account …, content, and optional biographical information included in corporate users’ account profile
Processing: Scanning of social media platforms to find media accounts affiliated with a customer for fake, fraudulent, and defamatory accounts related to the customer. Analysis of static and interactive content. Connectors to the Archive service of social media as required for compliance.

Product: Email Data Loss Prevention (DLP)
Data Subjects: Employees, contractors, and any other individuals sending or receiving e-mails via customer’s corporate e-mail system
Categories of Personal Data: Any Personal Data included in an e-mail
Processing: Email DLP utilizes policies to prevent the loss of the customer’s sensitive or confidential data through email.

Product: Email Fraud Defense (EFD)
Data Subjects: Employees, contractors, customers and any … sending or … e-mails via customer’s corporate e-mail system
Categories of Personal Data: Email … including email addresses, IP addresses, sender and …; Domain-based Message Authentication, Reporting & Conformance (DMARC) aggregate reports and DMARC forensic message samples
Processing: … traffic for customer domains and evaluates the authenticity of senders based on sender authentication information, and to highlight traffic sent from unauthenticated and unauthorized sources.

Product: Email Encryption
Data Subjects: Employees, contractors, customers and any other individual sending or receiving e-mails via customer’s corporate e-mail system
Categories of Personal Data: Any Personal Data included in an e-mail
Processing: Email Encryption provides a fully integrated message encryption and decryption solution.

Product: Email Protection
Data Subjects: Employees, contractors, and any other individuals sending or receiving e-mails via the customer’s corporate e-mail system
Categories of Personal Data: Any Personal Data included in an e-mail
Processing: Email Protection includes functions such as spam detection functions to identify and classify spam messages; virus protection functions to detect and filter messages containing known viruses; zero-hour anti-virus functions to detect and filter messages containing suspicious content; a quarantine folder for analysis and disposition of suspicious …

Product: Endpoint Data Loss Prevention
Data Subjects: … customer’s users
Categories of Personal Data: … recorded for the …
Processing: Endpoint Data Loss Prevention deploys software (an Agent) onto customer owned or … platforms. These Agents capture metadata recorded from the activities of licensed Users and store this data in Proofpoint’s Endpoint Data Loss Prevention archive.

Product: Essentials
Data Subjects: Employees, contractors, …
Categories of Personal Data: Any Personal Data included in an e-mail
Processing: Scanning, filtering, and routing in transit of e-mails sent to and received from parties external to the customer, via the customer’s corporate e-mail system. If archive functionality is used, then see “Archive” above. If TAP sandboxing is used, see TAP below.

Product: Insider Threat Management SaaS (ITM SaaS)
Data Subjects: Employees, contractors, customers, such as: a) ITM SaaS Administrators or analysts, using the web portal; b) Endpoint users, using data exporter’s endpoints on which the ITM SaaS agent has been installed.
Categories of Personal Data: Email address, device identifier, IP address, user information such as name and user ID, website information such as URL and page name, application information such as application name, executable name, and window title. Additionally, ITM has the capability to capture screen content, which is configured and controlled by the customer. Screen capture could include any additional personal data displayed on the user’s screen.
Processing: ITM deploys an endpoint agent onto designated laptop, desktop and server devices owned or controlled by the customer. The agents collect telemetry data about the activities of the device users, the data subjects. If enabled by the customer, the agents can also capture screenshots of the users’ device activities. Customer solely determines whether to enable the screen capture capabilities, and the retention period of such content. The telemetry and screen capture data is stored on Proofpoint’s multi-tenant ITM SaaS storage.

Product: Intelligent … Protection
Data Subjects: Employees, contractors, customers and any individual viewing the document.
Categories of Personal Data: Any Personal Data included in a …
Processing: Automatically locates and identifies sensitive … critical data to enhance existing data protection solutions such as labelling, encryption, access control, data loss prevention, CASB, and suggests protection rules and/or policies to the customer.

Product: Internal Mail Defense (IMD)
Data Subjects: Employees, contractors
Categories of Personal Data: Any Personal Data included in an …
Processing: IMD leverages Email Protection and TAP features … communications against spam and malicious content.

Product: Browser and Email Isolation
Data Subjects: …
Categories of Personal Data: … addresses, site cookies, and browser history, and user datacenter location.
Processing: Browser and Email Isolation products establish an isolated remote web browser or web email isolation container environment to protect the customer from potential threats when Users connect to the Internet or web-based email accounts on customer owned devices. Customer will not allow Users to transmit through (or post on) Isolation any infringing, defamatory, threatening or offensive …

Product: NexusAI for Compliance
Data Subjects: …, customers and …
Categories of Personal Data: Any personal data included in captured content (including e-mails, instant messages, social media content, message associated telemetry and attachments)
Processing: NexusAI for Compliance uses machine learning to evaluate supported archived messages (such as email, social media, collaboration platforms, and mobile messages) flagged for customer’s review by Proofpoint’s Intelligent Supervision product.

Product: Nexus People Risk Explorer
Data Subjects: Employees, contractors
Categories of Personal Data: Names, e-mail addresses, any Personal Data contained in Threat Analytics
Processing: Proofpoint Nexus People Risk Explorer leverages people centric security data from Proofpoint’s Targeted Attack Protection, Security Awareness Training, Cloud Account Defense and Cloud Account Security Broker to provide insights into the types, severity and frequency of threats targeted at customer and its …

Product: … includes PhishAlarm and PhishAlarm Analyzer
Data Subjects: …
Categories of Personal Data: Name; E-mail address; Any Personal Data included in an e-mail
Processing: Routing and scanning suspicious emails reported by the end users with the PhishAlarm button. PhishAlarm Analyzer delivers highly responsive identification of phishing attacks in real time. Emails reported via PhishAlarm & PhishAlarm Analyzer are accessed and categorized and
