At CyberArk, we pride ourselves on being an organization that has a privacy-minded culture consistent with legal requirements. We will ensure that your personal data processed by CyberArk is:
- processed lawfully, fairly and transparently;
- only collected for clear and legitimate purposes;
- limited in scope and time to only the extent necessary for the purpose of that processing;
- kept accurate and up to date; and
- secured against unauthorized or unlawful processing and against accidental loss, destruction or damage.
References to “we”, “us” or “CyberArk” in this statement mean CyberArk Software Ltd, CyberArk Software, Inc., Cyber-Ark Software (UK) Limited or one or more of their affiliated entities. Our contact details for these entities and their respective office locations can be found here. The CyberArk entity that will be responsible for processing your personal data will depend on how you use CyberArk services and your geographical location, but may include CyberArk’s headquarters in Israel, United States incorporated entity in Newton, MA, and United Kingdom incorporated entity in London, as CyberArk’s principal places of business.
References to “you” or “your” mean the corporation or individual person (as appropriate in the circumstances) who has or may in the future enter into a relationship with CyberArk as a customer, vendor, authorized channel partner, employee or otherwise uses the CyberArk website or service.
You can contact CyberArk at any time to request more information about the way we process personal data by contacting [email protected]. We will respond to your request in the timescales prescribed by the relevant local laws.
The personal data that CyberArk processes will vary based on your relationship with CyberArk, but may include:
- where you are a third party with whom CyberArk has, has had or may have a business relationship, certain business contact information (e.g. business email addresses, business telephone numbers and names) in relation to performance of any contract with you or to pursue our legitimate business interests;
- where you are an existing customer of CyberArk services, so that we can provide you and your company with the CyberArk services (such as maintenance and support services) that you have purchased and meet our contractual obligations and exercise any contractual rights (for example, invoicing you for payment);
- where you are an authorized channel partner, to manage your account for the Partner Portal and your use of the Partner Portal, including responding to questions you have raised;
- where you are any other third party with whom CyberArk currently has, in the past had, or may in the future have a contractual relationship (for example a supplier of goods or services to CyberArk), to provide you with, receive from you or jointly pursue with you any relevant goods or services where you have expressed an interest in CyberArk services, attended a CyberArk hosted or sponsored conference or event, or downloaded any know-how from our website, so that we can explore potential solutions for you and your business;
- to notify you about developments, improvements or issues relating to CyberArk services or related events, or otherwise where we process business contact information about you for our legitimate business interests in maintaining records regarding how our customers use our products/services;
- to operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting;
- to provide you with marketing communications, in accordance with your preferences;
- where you use our website, certain identity information (e.g. names, usernames or similar identifiers) and technical information (e.g. IP address, login credentials, browser type and version, location data and relevant plug-ins, operating systems and platforms employed by your device) to administer our website or pursue our legitimate business interests;
- from time to time we may use publicly accessible sources – such as corporate websites and social networking platforms – to obtain business contact information (as defined above), or purchase databases containing business contact information from third parties, where we reasonably believe that such companies or persons may be interested in hearing more about CyberArk services and where this is permitted by local law;
- data to monitor electronic communications sent or received by our networks in order to protect our business and verify compliance with our policies and relevant legal requirements. Any personal information contained or referred to within such electronic communications will be processed in accordance with this policy;
- data to provide you with relevant website content and advertisements and measure the effectiveness of such content in your use of the website and resulting products/services, as well as to improve our understanding of your needs and interests, organize a meeting with one of our representatives if you request this and accelerate our engagement with you based on your selections;
- through the use of data analytics to improve such content and advertisements, your use of our products/services and other aspects of our business and your overall customer experience; and
- to undertake “know-your-client” and anti-fraud checks to help prevent any illegal activity, comply with applicable laws and requests from regulators and other enforcement bodies, or otherwise administer and protect our business and this website.
To opt-out of receiving communications relating to marketing, events or promotions from CyberArk, you can contact us at any time at [email protected]. Please note that if you are an existing customer then we may need to retain business contact information in order to provide you with CyberArk services, however this will not be used for marketing purposes. Please note that revoking your consent to our use of your business contact information could prevent us from providing you with certain CyberArk services.
If you are a CyberArk customer, CyberArk will store your personal data for the period that you continue to receive CyberArk services.
If you are not yet a CyberArk customer, then CyberArk will store your personal data for the duration of any pre-sales activities, or to record the fact that you are not interested in purchasing any CyberArk services (to avoid you receiving unwanted communications from CyberArk).
In each of these and all other cases, we will store data for an appropriate period of time after the above or other relevant time periods, which enables CyberArk to comply with applicable laws (for example, in respect of any financial or transactional data where you have a business relationship with us for tax and audit purposes) as well as our internal data retention policy (for example, for the purposes of complying with any audit or accounting processes, or complying with the terms of any legal action).
We will maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of your personal data processed by us as part of your use of our products/services, this website and any other aspects of our business as described in this policy; and will not materially decrease the overall security of such items.
Where you have entered into a written agreement with CyberArk which describes in more detail how CyberArk will process, store, handle or retain any such information, that agreement will prevail over this policy.
Where you are one of CyberArk’s authorized channel partners, we will process information (including certain personal data) that you upload to the Partner Portal. For example, when you register on the Partner Portal, we will collect your account name, contact details and job function.
If you submit a Deal Registration Form via the Partner Portal, we will also collect the following information: corporate name of end customer and contact details for your point of contact within the end customer (including name, job title and address). Where you provide CyberArk with such personal data, you agree that you have first sought all necessary consents and authorizations from relevant individuals to enable CyberArk to comply with all applicable laws.
Further details regarding information that is not personal data but may be required in order to effectively use the Partner Portal and complete a Deal Registration Form can be located on the Partner Portal.
Any marketing consents, opt-ins/opt-outs or other preference details provided to us in connection with another website or service operated by us (such as the CyberArk community or our transactional websites) will be recorded and administered separately from any preferences or consents provided in connection with the Partner Portal. You have the option to change your preferences registered in connection with any of our sites or services at any time.
If you are an authorized channel partner and no longer want us to contact you related to marketing events or information, please contact us at [email protected].
Certain CyberArk services are for business users only and are provided and administered to you by your employer (or customer, if you are an independent contractor) (“Employer”) which contracts directly with CyberArk. In these circumstances, you are an “end user” of CyberArk services and we will collect and process your personal data on behalf of your Employer. Since we act on the instructions, and on the behalf, of your Employer, CyberArk is a data processor and your Employer is a data controller for the purposes of the EU General Data Protection Regulation (GDPR) and/or the UK Data Protection Act 2018 (and other applicable data protection laws in the UK).
Please consult the policies of your Employer for information on how your Employer collects and processes your personal data relating to CyberArk services. If you have privacy related questions or concerns about your personal data including with regard to your rights to your personal data (such as rights to rectification, erasure, blocking, accessing your personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making) please contact your Employer.
We may collect the following personal data of end users:
- First and last name and title;
- Employer and position;
- Contact information (email, username, cell phone/mobile number, physical business address);
- Device identification data (Device ID);
- Electronic identification data (IP address; MAC address);
- Technical data (operating system information; software logs; crash reports);
- user name and password to CyberArk services;
- in relation to certain CyberArk services, including the CyberArk® Alero™ Application, photo; or
- in relation to certain CyberArk services, including the CyberArk® Alero™ Application, location data (using a mobile device’s built-in GPS in order for the Employer to set policies for the services).
We will share your data with your Employer and with our third party service providers. For more information on how we share your data, including where this involves a data transfer outside the EEA and UK, see the section above: Will CyberArk share your personal data with third parties?
If your Employer uses Alero™, our cloud-based remote access authentication solution, and you install and use the Alero™ Application for mobile (Android or iOS version), you understand that (i) the section above Additional terms which apply where you are an end user of CyberArk Services applies to you and (ii) your Employer or your Employer’s administrator, will have control over certain aspects of the services including:
- Setting password and authentication policies for the services, including whether to use biometric authentication data (e.g. fingerprint, facial recognition etc.) and whether a profile photo is required in the app. Please note that while your biometric fingerprint and/or biometric facial scan may be used to enable fingerprint and/or facial recognition as part of our authentication services, we will never access the underlying authentication data stored on your mobile device. We will only receive a result indicating authentication success or failure. We will not capture, collect, store or process any biometric information;
- Requiring you to undergo the Alero™ onboarding process in the App, where you will be asked to confirm your identity (including in the event of repeated failed authentications or if your device is lost or stolen);
- Disconnecting your account from your Employer’s for the Alero™ services in certain scenarios (including in the event your device is lost or stolen or you are no longer an employee or contractor of your Employer).
You may contact us at any time at [email protected] to request access to your personal data, to correct any information which CyberArk holds on you that contains an error or to request that we erase some or all of the personal data that we hold relating to you, or exercise any other of your legal rights in respect of your personal data. We will respond to your request in the timescales prescribed by the relevant local laws. Please note that if you are an existing CyberArk customer, revoking your consent to our use of business contact information could prevent us from providing you with certain CyberArk services.
While we would always appreciate the chance to deal with your concerns before you approach an external regulator, you can also contact a data protection supervisory authority in any of the countries in which CyberArk is established and you are based, such as the Information Commissioner’s Office in the United Kingdom.
Last Updated: July 9, 2020