CYBERARK PRIVACY AND COOKIE STATEMENT
Introduction and Overview: CyberArk’s Approach to Data Protection and Privacy
References to “We”, “us” or “CyberArk” in this statement mean CyberArk Software Ltd, CyberArk Software, Inc., Cyber-Ark Software (UK) Limited or one of their affiliated entities. Our contact details for these entities and their respective office locations can be found here. References to “You” or “your” mean the corporation or individual person (as appropriate in the circumstances) who has entered or may in the future enter into a relationship with CyberArk as a customer, vendor, authorized channel partner, employee or otherwise uses the CyberArk website.
At CyberArk, we pride ourselves on being an organization that has a privacy-minded culture consistent with legal requirements. We will ensure that your personal data is: (a) processed by CyberArk lawfully, fairly and transparently; (b) only collected for clear and legitimate purposes; (c) limited in scope and time to only the extent necessary for the purpose of that processing; (d) kept accurate and up-to-date; (e) secured against unauthorized or unlawful processing and against accidental loss, destruction or damage.
What CyberArk entity is responsible for processing your personal data?
The CyberArk entity that will be responsible for processing your personal data will depend on how you use CyberArk Services and your geographical location, but will most likely include CyberArk’s headquarters in Israel and United States incorporated entity in Newton, MA, as CyberArk’s principal places of business.
The relevant CyberArk entity will be referred to as “CyberArk” in this policy. A full list of CyberArk’s entities and contact information can be found here.
You can contact CyberArk at any time to request more information about the way we process personal data via [email protected]. We will respond to your request in the timescales prescribed by the relevant local laws.
What personal data does CyberArk process?
The personal data that CyberArk processes will vary based on your relationship with CyberArk, but may include:
- Where you are a third party with whom CyberArk has, has had or may have a business relationship, certain business contact information (e.g. business email addresses, business telephone numbers and names) in relation to performance of any contract with you or to pursue our legitimate interests;
- where you are an existing customer of CyberArk Services, so that we can provide you and your company with the CyberArk Services (such as maintenance and support services) that you have purchased and meet our contractual obligations and exercise any contractual rights (for example, invoicing you for payment);
- where you are an authorized channel partner, to manage your account for the Partner Portal and your use of the Partner Portal, including responding to questions you have raised;
- where you are any other third party with whom CyberArk currently has, in the past had, or may in the future have a contractual relationship (for example a supplier of goods or services to CyberArk) to provide you with, receive from you or jointly pursue with you any relevant goods or services where you have expressed an interest in CyberArk Services, attended a CyberArk hosted or sponsored conference or event, or downloaded any know-how from our website, so that we can explore potential solutions for you and your business;
- to notify you about developments, improvements or issues relating to CyberArk Services or related events, or otherwise where we process business contact information about you for our legitimate interests in maintaining records regarding how our customers use our products/services;
- to operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting; or
- to undertake “know-your-client” and anti-fraud checks to help prevent any illegal activity, comply with applicable laws and requests from regulators and other enforcement bodies, or otherwise administer and protect our business and this website.
To opt-out of receiving communications relating to marketing, events or promotions from CyberArk, you can contact us at any time via [email protected]. We will record the fact that you have opted-out of receiving marketing or promotional communications from us, unless you ask us to erase all personal data that CyberArk holds on you. Please note that if you are an existing customer then we may need to retain business contact information in order to provide you with CyberArk Services. Where you have entered into a written agreement with CyberArk which describes in more detail how CyberArk will process, store, handle or retain any such information, then that agreement will prevail. Please note that revoking your consent to our use of your business contact information could prevent us from providing you with certain CyberArk Services.
- Where you use our website, certain identity information (e.g. names, usernames or similar identifiers) and technical information (e.g. IP address, login credentials, browser type and version, location data and relevant plug-ins, operating systems and platforms employed by your device(s)) to administer our website or pursue our legitimate interests
- to provide you with relevant website content and advertisements and measure the effectiveness of such content in your use of the website and resulting products/services
- through the use of data analytics to improve such content and advertisements, your use of our products/services and other aspects of our business and your overall customer experience
- Where you are applying for a role with CyberArk, personal details (including your home address, telephone number and work history) to administer such application, perform certain legal obligations and to pursue our legitimate interests
- in order to process your application for a specific job vacancy and keep you updated in relation to any changes to such vacancies
- to notify you about upcoming jobs or other information concerning your application or job search.
From time to time we may use publicly accessible sources – such as corporate websites and social networking platforms – to obtain business contact information (as defined above), or purchase databases containing business contact information from third parties, where we reasonably believe that such companies or persons may be interested in hearing more about CyberArk Services. If CyberArk contacts you as a result of this activity and you are not interested in CyberArk Services then we will record your preference on our internal systems to ensure that we minimize the possibility of contacting you again in the future.
Will CyberArk share your personal data with third parties?
CyberArk won’t sell or provide any third parties with your personal data without first obtaining your consent.
The only exception to this general rule is where we use a third party to host certain information for us which may include your personal data, are required to share your personal data with third parties so that we can comply with certain legal obligations, or to make sure we comply with our own audit and security requirements, internal policies and procedures or other legal and contractual obligations.
CyberArk may also share anonymized or aggregated data containing your personal data with third parties in order to improve our services and internal practices, but in any case where a third party is involved that third party will only have access to anonymized data and will not be able to identify you as an individual.
If you are based in the European Economic Area (“EEA”), your information might be accessed by other CyberArk companies within our corporate group which are based outside of the EEA. All transfers of personal data within the CyberArk group are subject to adequate safeguards, normally in the form of the European Commission’s Standard Contractual Clauses (or “Model Clauses”).
We will also disclose your information to third parties in and outside your country only to the extent allowed by applicable law, including:
- to a buyer or prospective buyer that acquires all or substantially all of us or our business;
- to a third party in the event that we sell or buy any business or undergo a merger, in which case we may disclose your information to the prospective buyer or buyer of such business; and
- to a third party if we sell, buy, merge or partner with other companies or businesses, undergo a reorganisation, bankruptcy, or liquidation; or otherwise undertake a business transaction or sell some or all of our assets. In such transactions, your information may be among the transferred assets.
How will CyberArk store your personal data?
If you are a CyberArk customer, CyberArk will store your personal data for the period that you continue to receive CyberArk Services and for an appropriate period of time thereafter, which enables CyberArk to comply with applicable laws (for example, for a period of 6 years in respect of any financial or transactional data where you have a business relationship with us for tax and audit purposes) as well as its internal data retention policy, a copy of which is available from us on request (for example, for the purposes of complying with any audit or accounting processes, or complying with the terms of any legal action).
If you are not yet a CyberArk customer, then CyberArk will store your personal data for the duration of any pre-sales activities, or to record the fact that you are not interested in purchasing any CyberArk Services (to avoid you receiving unwanted communications from CyberArk).
If you are applying for a role with CyberArk, we will store your personal data for no more than 24 months. At the end of that period we will remove all of your personal data from our systems. By submitting your application and CV, you consent to CyberArk storing your data in the ways and for the period of time described in this statement. For more detail on how we will process your personal data in connection with an application to work at CyberArk, please visit our careers webpage.
You may contact us at any time via privacy-req[email protected] to request access to your personal data, to correct any information which CyberArk holds on you that contains an error or to request that we erase some or all of the personal data that we hold relating to you, or to request a copy of our retention policy. If you are an existing CyberArk customer then revoking your consent to our use of business contact information could prevent us from providing you with certain CyberArk Services.
We will maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of your personal data processed by us as part of your use of our products/services, this website and any other aspects of our business as described in this policy; and will not materially decrease the overall security of such items.
Where you are a partner using CyberArk’s Partner Portal
Where you are one of CyberArk’s authorized channel partners, we will process information (including certain personal data) that you upload to the Partner Portal. For example, when you register on the Partner Portal, we will collect your account name, contact details and job function.
If you submit a Deal Registration Form via the Partner Portal, we will also collect the following information: corporate name of end customer and contact details for your point of contact within the end customer (including name, job title and address). Where you provide CyberArk with such personal data, you agree that you have first sought all necessary consents and authorizations from relevant individuals to enable CyberArk to comply with all applicable laws.
Further details regarding information that is not personal data but may be required in order to effectively use the Partner Portal and complete a Deal Registration Form can be located on the Partner Portal.
Any marketing consents, opt-ins/opt-outs or other preference details provided to us in connection with another website or service operated by us (such as the CyberArk community or our transactional websites) will be recorded and administered separately from any preferences or consents provided in connection with the Partner Portal. You have the option to change your preferences registered in connection with any of our sites or services at any time.
If you are an authorized channel partner and no longer want us to contact you related to marketing events or information, please contact us at [email protected].
Where you are an end user of CyberArk Services
Certain CyberArk Services are for business users only and are provided and administered to you by your employer (or customer, if you are an independent contractor) (“Employer”) which contracts directly with CyberArk. In these circumstances, you are an “end user” of CyberArk Services and we will collect and process your personal data on behalf of Employer. Since we act on the instructions, and on the behalf, of Employer, CyberArk is a data processor and Employer is a data controller for the purposes of the EU General Data Protection Regulation (GDPR) and/or the UK Data Protection Act 2018 (and other applicable data protection laws in the UK).
Please consult the policies of Employer for information on how Employer collects and processes your personal data relating to CyberArk Services. If you have privacy related questions or concerns about your personal data including with regard to your rights to your personal data (such as rights to rectification, erasure, blocking, accessing your personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making) please contact Employer.
We may collect the following personal data of end users:
- First and last name and title;
- Employer and position;
- Contact information (email, username, cell phone/ mobile number, physical business address);
- Device identification data (Device ID);
- Electronic identification data (IP address; MAC address);
- Technical data (operating system information; software logs; crash reports);
- user name and password to CyberArk Services;
- in relation to certain CyberArk Services, including the CyberArk® Alero™ Application, photo; or
- in relation to certain CyberArk Services, including the CyberArk® Alero™ Application, location data (using a mobile device’s built-in GPS in order for the Employer to set policies for the Services).
We will share your data with Employer and with our third party service providers (for more information on how we share your data, including where this involves a data transfer outside the EEA and UK, see the section above: Will CyberArk share your personal data with third parties?).
We will retain your personal data for as long as needed to provide the CyberArk Services to your organisation but no more than as allowed by applicable law.
CyberArk® Alero™ Application Users
If Employer uses Alero™, our cloud-based remote access authentication solution, and you install and use the Alero™ Application for mobile (Android or iOS version), you understand that (i) the section above Where you are an end user of CyberArk Services applies to you and (ii) Employer or Employer’s administrator, will have control over certain aspects of the Services including:
- Setting password and authentication policies for the Services, including types of biometric data (e.g. fingerprint, facial recognition etc.) required and photo required (if any). Please note that while your biometric fingerprint and/or biometric facial scan may be used to enable fingerprint and/or facial recognition as part of our authentication services, we will never access the underlying authentication data stored on your mobile device. We will only receive a result indicating authentication success or failure. We will not capture, collect, store or process any biometric information;
- Requiring you to undergo the Alero™ onboarding process in the App, where you will be asked to confirm your identity (including in the event of repeated failed authentications or if your device is lost or stolen);
- Deleting your account for the Alero™ Services in certain scenarios (including in the event your device is lost or stolen or you are no longer an employee or contractor of Employer); and
- Removing features of or restricting access to the Services if certain device features are disabled by you (for example, if you disable location services on your device, you may not be able to access the Services).
How to contact us regarding or complain about CyberArk’s processing of personal data
Depending on your location and the circumstances of our processing, you will have certain rights relating to your personal data under data protection laws. These include the right to: (i) request access to, correction of or deletion of your personal data; (ii) object to or otherwise restrict CyberArk’s processing of your personal data; (iii) withdraw consent from our processing of your personal data.
If you wish to exercise any of the rights set out above, or would like to complain about any aspect of CyberArk’s processing of your personal data, then please contact us via [email protected].
While we would always appreciate the chance to deal with your concerns before you approach an external regulator, you can also contact a data protection supervisory authority in any of the countries in which CyberArk is established and you are based, such as the Information Commissioner’s Office in the United Kingdom.
How will I know if CyberArk updates this statement?
If you are an authorized channel partner, each time you use the Partner Portal we may also collect information including domain name/IP address, referring URL, browser and platform, time of visit, pages visited and any searches performed. This information is not itself personal data but may become personal data when used in conjunction with other information that you upload to the Partner Portal. We may use this information to help us improve the performance of the Partner Portal and to assess the suitability of, or requirements for, certain services on the Partner Portal.
CyberArk uses session-based Cookies on this website to improve your interaction with our website. These Cookies only exist for your visit to our website on that occasion and are removed automatically from your computer or device once you close your browser or turn off your device.
Last Updated: June 24, 2019