CYBERARK WEBSITE PRIVACY NOTICE

This privacy notice (“privacy notice”, “privacy policy” etc.) describes how CyberArk will process your personal data, where CyberArk acts as a controller of your Personal Data; namely, in connection with your use of the CyberArk owned and operated websites including without limitation www.cyberark.com and any of its related or subdomains (the “Website(s)”), including the CyberArk portals (such as Technical Community, Partners Community, Training and Certification Portal and the Marketplace) (the “Portals”); in connection with certain instances of your use of CyberArk’s products, services, and other technical applications and tools (the “Services”), where CyberArk acts as the controller of your personal data; and in connection with other occasions where CyberArk collects and processes your Personal Data, as further detailed in this Privacy Notice.

References to “we”, “us” or “CyberArk” in this statement mean CyberArk Software Ltd, and any of its affiliated entities, as far as they are related to the operation of the Websites, the Portals or the Services. Our contact details for these entities and their respective office locations can be found here. The CyberArk entity that will be responsible for processing your personal data will depend on how you use CyberArk Services and your geographical location.

References to “you” or “your” mean the individual who has or may in the future enter into a relationship with CyberArk as a user of CyberArk mobile applications (excluding: (i) when you are using CyberArk Mobile on behalf of your employer or customer; or (ii) CyberArk’s Identity mobile application, in which case CyberArk will be processing the data on behalf of our customer), a representative of a prospective or existing customer or authorized channel partner, a user of our Website or Portals, an investor, or who otherwise uses the CyberArk Websites or Services. When you are browsing our Websites or using our Services for your own benefit, CyberArk is the controller of your personal data, as such term is used in the GDPR.

If you are an end user of CyberArk Services, this policy does not apply to our processing of your personal data. The “controller” (as such term is used in the EU General Data Protection Regulations (“GDPR”)) of your personal data is your employer or the organization to which you are providing services and which is a CyberArk customer. CyberArk is the “processor” of such personal data. In such case, the processing of the personal data by us is subject to a data processing agreement between the applicable CyberArk entity and such customer, and this privacy notice does not apply to you.

At CyberArk, we pride ourselves on being an organization that has a privacy-minded culture consistent with legal requirements.

You can contact CyberArk at any time to request more information about the way we process personal data by contacting [email protected]. We will respond to your request in the timescales prescribed by applicable laws.

You should read this privacy policy in conjunction with the terms and conditions of the Website, or in conjunction with the terms and conditions applicable to you in the specific context.

The following describes the types of personal data that CyberArk processes about you, in which instances this personal data is collected and processed, the purposes of processing, and the lawful bases for processing in accordance with the GDPR.

When you use one of our Websites
Instance of data collection: When you browse our Websites
Personal Data Processed: Certain identity information (e.g. names, usernames or similar identifiers); information from your Web browser (such as browser type and browser language), your Internet Protocol (“IP”) address, internet service provider (ISP), operating system, date/time stamp, and clickstream data and the actions you take on the Company’s Web sites (such as the web pages viewed and the links clicked)
Purposes of Processing:
• Administer our Websites
• Provide you with relevant website content and advertisements
• Measure the effectiveness of the content served to you and of our marketing efforts
• Analyze the use of the Websites and improve our Websites
• Provide more relevant and personalized information, promote our business in various platforms and assess the success of our promotional activities
• Fraud prevention and security of our Websites
Lawful Bases for processing where the GDPR applies: Our legitimate interests in monitoring and improving our Websites

Instance of data collection:
• When you submit a contact form or request a demo form through the Website
• When you download any whitepapers or other downloadable materials from our website
• When you subscribe for a free trial
Personal Data Processed: First and last name, email address, telephone number, company name, role, job title, department, and country
Purposes of Processing:
• To reply to your request or query
• To set up a demo at your request
• To send the requested materials to you, if requested
• To send you communications related to our products and services, or our events and webinars, including marketing communications (either by email, postal mail or telephone) subject to applicable law, for example, where applicable, where you have provided your consent to be included in our marketing mailing lists
Lawful Bases for processing where the GDPR applies: Our legitimate business interests

When you use our Portals (either as a representative of a customer/prospective customer, channel/alliance partner, or a prospective channel/alliance partner)
Instance of data collection: When you set up an account in our Portal
Personal Data Processed: First and last name, telephone number, mobile phone number, country, language, email address, job function, organization, address
Purposes of Processing:
• To set you up as an authorized user of the Portal and create a user profile for you
• To manage and administer your use of the Portals
• To send you communications related to our products and services, or our events and webinars, including marketing communications (either by email, postal mail or telephone) to the extent you provided your consent to be included in our marketing mailing lists
• To operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Lawful Bases for processing where the GDPR applies: Our and/or our customers’ legitimate business interests

Instance of data collection: When you log into and use our Portals
Personal Data Processed: Browser type and browser language, referring URL, your Internet Protocol (“IP”) address, internet service provider (ISP), operating system, date/time stamp, and clickstream data and the actions you take on the Portals (such as the web pages viewed, the links clicked and any searches performed)
Purposes of Processing:
• To provide you with support and training related to the Portals
• To keep records regarding how our partners/customers use the Portals and analysis thereof for the purpose of monitoring and improvement of Portals
• Measure the effectiveness of the content served to you
• To improve our understanding of your needs and interests as our partner or customer
• Understand how you and other partners move around the Portals, including to assess which content is the most useful to our partners/customers
• To send you communications related to our products and services, or our events and webinars, including marketing communications (either by email, postal mail or telephone) to the extent you provided your consent to be included in our marketing mailing lists
• To operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Lawful Bases for processing where the GDPR applies: Our and/or our customers’ legitimate business interests

When you download and use CyberArk Mobile (excluding when you are using the applications on behalf of your employer or customer)
Instance of data collection: When you set up an account for use of any of our Services
Personal Data Processed: First name, last name, phone number, phone model and operating system, and, if you choose to provide this, a profile picture
Purposes of Processing:
• To allow you access to the services, in accordance with the specific functionality for which you have access rights and authorizations
• Provide technical support
Lawful Bases for processing where the GDPR applies: Fulfilment of our contractual obligation
Purposes of Processing:
• Measure our marketing efforts and performance
• To operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing
• To notify you about transactional issues, or other issues relating to CyberArk services (such as new features, version releases) or invitations to our customers related events
Lawful Bases for processing where the GDPR applies: Our legitimate business interest

When you attend a CyberArk hosted or sponsored physical or virtual conference or event
Instance of data collection: When you register to the event
Personal Data Processed: First and last name, email address, telephone number, company name, role, job title, department, and country
Purposes of Processing:
• To set you up as a registered participant in the event
• To manage and administer your participation in the event
• To send you communications related to the event
• To send you communications related to our products and services, or our events and webinars, including marketing communications (either by email, postal mail or telephone) to the extent you provided your consent to be included in our marketing mailing lists
• To operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Lawful Bases for processing where the GDPR applies: Fulfilment of our contractual obligation, our legitimate business interest or consent

Instance of data collection: When you log into the event and during the event in which you participate (online events)
Personal Data Processed: Log in and out time, time spent, any information that you choose to provide for networking purposes, chat stream; browser type and browser language, referring URL, your IP address, internet service provider (ISP), operating system, and clickstream data and the actions you take on the Portals (such as the web pages viewed, the links clicked and any searches performed)
Purposes of Processing:
• To manage and enable your access to the event
• To provide you with technical support related to the event
• To keep records regarding our events and analysis thereof for the purpose of planning of future events
• Measure the effectiveness of our events
• To improve our understanding of your needs and interests
• Understand how you and other participants benefit from the events including to assess which content is the most useful
• To send you communications related to our products and services, or our events and webinars, including marketing communications (either by email, postal mail or telephone) to the extent you provided your consent to be included in our marketing mailing lists
• To operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Lawful Bases for processing where the GDPR applies: Fulfilment of our contractual obligation, our legitimate business interest or consent

Instance of data collection: During the event in which you participate (in person)
Personal Data Processed: Business card info
Purposes of Processing:
• To send you communications related to the event
• To send you communications related to our products and services, or our events and webinars, including marketing communications (either by email, postal mail or telephone) to the extent you provided your consent to be included in our marketing mailing lists
• To operate our business, for example transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Lawful Bases for processing where the GDPR applies: Fulfilment of our contractual obligation, our legitimate business interest or consent

When we otherwise communicate with you when you are or when you represent a customer/partner/investor
Instance of data collection: When we request and you submit feedback to a survey, for example following closing of a support ticket, delivery of our services or following training; or on a periodic basis
Personal Data Processed: Your responses to the survey
Purposes of Processing:
• To consider your feedback and assess the level of service we have provided, and to improve our processes and services
• Follow-up with you depending on the nature of your feedback
Lawful Bases for processing where the GDPR applies: Our legitimate business interests

Instance of data collection: To deliver communications to you (including marketing communications and advertising).
Personal Data Processed: Your email address, display name of your email account, personal information contained or referred to within such electronic communications, information about opening/clicks/form fills/consumption of links/content included in the email, actions that you take on our and our partners’ websites such as your visits or interactions with such websites.
Purposes of Processing:
• To monitor electronic communications sent or received by our users, including to gain insights on interactions we have with you to tailor our communications accordingly and measure our marketing efforts
• Security and fraud prevention
• To cater to your requests, for example, to reply to your inquiry, arrange a meeting for you, arrange a demo for you etc.
• Measure the effectiveness of our (online) advertising, improve our marketing practices, and help us deliver more relevant communications and advertising to you and people like you (including on social media).
Lawful Bases for processing where the GDPR applies: Our legitimate business interests and/or your consent where required under applicable law.

In addition to the above, under some circumstances we may collect and process other types of personal data; in these cases, we will provide an in-time notification with respect to the additional personal data collected and processed.

In addition to the above uses of your personal data, we will also process your personal data for the following purposes:

  1. To prevent, detect and fight fraud or other illegal or unauthorized activities
  2. To ensure legal compliance – from our side (with legal requirements that apply to us (such as various record keeping) and with our obligations under the Terms of Use) and from your side (compliance with laws applicable to you and with the Terms of Use)

For some of the above processing, we may rely on multiple legal grounds. For example, we process some information both for our legitimate interests as a business regarding user compliance with applicable terms of use and to comply with legal obligations applying to us (GDPR Article 6(1)(f) and 6(1)(c)).

We may share your personal data with third parties as follows:

  • Where we use third party service providers or subcontractors to outsource certain tasks or processes whether in relation to the Website operation, the Services, or our internal requirements, such as audit or security requirements. We use the following categories of service providers: relationship management software providers, marketing automation platform providers, webinar software providers, email platforms, Website hosting providers, customer success software providers, online community platform providers, learning management system software providers, human resources information system provider (Workday) and our background check service providers; analytics providers, customer reference management software providers, hosting provider (currently Amazon Web Services), our online community platform provider, customer success software provider, survey tool service providers, calendar scheduling tool providers, accounting and payment management system providers. These service providers are authorized to use our personal data only as necessary to provide these services to us.
  • We may also share your personal data with our partners when we run or sponsor events with them and with social media and/or advertising companies to personalize our communications and your experience on our and other websites.
  • Where you are a member of staff at a CyberArk Customer or Partner and you register for a CyberArk event, this information may be shared with that Customer or Partner.
  • We may use or disclose personal data if required by applicable law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud and/or to comply with a judicial proceeding, court order, legal process or other governmental authority; provided, however, that unless prohibited by law, we will use reasonable efforts to give you notice to enable you to seek a protective order or take other appropriate action.
  • We will also disclose your information to third parties in and outside your country only to the extent allowed by applicable law, if we sell, buy, merge or partner with other companies or businesses, undergo a reorganization, bankruptcy, or liquidation; or otherwise undertake a business transaction or sell some or all of our assets. In such transactions, your information may be among the transferred assets.

We may store, process and/or transfer personal data to countries outside of the EEA (including countries where the European Commission has not made a decision of an adequate level of protection of personal data), in particular, but not only, to servers in the United States and in Israel. The transfer of such data will be in compliance with local legislation for the cross-border transfer of data, where applicable. We deploy the following safeguards for such cross-border transfers:

  • We transfer the data, including personal data, to our offices located in Israel and process it there. Any transfers to Israel may be made on the basis of an adequacy decision made by the European Commission.
  • Model Clauses. With some of our processors and affiliates, we use standard contractual clauses approved by the European Commission that are binding standards of processing of personal data committed to contractually by third parties processing information for us and on our behalf.
  • In the absence of an adequacy decision or Model Clauses, and in the absence of any other right to transfer your data, we may rely on your consent as the basis for such transfer. We will take steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place including the security of your personal data.

We will retain your personal data for such periods of time as required or permitted by law or subject to our retention policies as may be in place from time to time. The considerations Company takes into account in order to determine the retention period are as follows: the time required to retain personal data to fulfill business purposes, including providing products and services; maintaining corresponding transaction and business records; controlling and improving the performance and quality of the Site; handling possible user queries or complaints and locating problems; whether the user agrees to a longer retention period; whether we reasonably believe that this data will be needed for the handling of any litigation; and whether the laws, contracts, and other equivalencies pose any requirements for data retention.

We will maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of your personal data processed by us as part of your use of our products/services, this website and any other aspects of our business as described in this policy; and will not materially decrease the overall security of such items. However, no method of data security is 100% effective. Therefore, we cannot guarantee or warrant its absolute security.

CyberArk provides community forums on some of the Company’s Websites, Portals or Services. Any personal data you choose to submit in such a forum may be viewed by others who visit these forums. CyberArk is not responsible for any misconduct by any person or entity of any personal data you choose to submit in these forums.

If you submit a Deal Registration Form via the Portal, we will also collect the following information: corporate name of end customer and contact details for your point of contact within the end customer (including name, job title and address).

Any marketing consents opt-ins/opt-outs or other preference details provided to us in connection with another website or service operated by us (such as the CyberArk community or our transactional websites) will be recorded and administered separately from any preferences or consents provided in connection with the Portal. You have the option to change your preferences registered in connection with any of our sites or services at any time.

If you are an authorized channel partner and no longer want us to contact you related to marketing events or information, please contact us at [email protected].

You may contact us at any time at [email protected] to request to fulfill any of your rights in relation to your personal data, depending on the laws applicable to you. We will respond to your request in the timescales prescribed by the relevant local laws.

Depending on your location and on the laws that are applicable to you, you may be entitled to some or all of the following rights:

The right to access – You have the right to request Company for copies of your personal data, which includes the right to obtain confirmation as to whether or not personal data concerning you are being processed.

The right to rectification – You have the right to request that Company correct any information you believe is inaccurate. You also have the right to request Company to complete the information you believe is incomplete.

The right to erasure – You have the right to request that Company erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that Company restrict the processing of your personal data, when: (a) you contest the accuracy of your personal data, for a period allowing Company to verify the accuracy of said data; (b) if you believe personal data has been unlawfully processed and you wish to restrict processing rather than delete it; (c) Company no longer needs the personal data but you require to keep it in order to establish, exercise or defend a legal claim; or (d) you have exercised your right to object to the processing (below) for a period allowing Company to consider whether your legitimate grounds override those of Company.

The right to object to processing – You have the right to object to the processing of a part or all of your personal data at any time. When relating to processing for marketing purposes, you have an absolute right to object; while for other purposes, the existence of the right depends on what lawful basis the processing relies on and on the existence of our compelling legitimate grounds to continue the processing.

The right to data portability – You have the right to request that Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If allowed by applicable laws, you have the right to withdraw your consent at any time when Company processes your personal data based on your consent. However, withdrawal does not affect the legitimacy and effectiveness of how we process your personal data based on your consent before the withdrawal is made.

Although we will make reasonable efforts to accommodate your requests, in some circumstances we may deem your request unfounded or not eligible under applicable law. In such instances we reserve the right to refuse your request. We may require, as a prerequisite to fulfilling any request, that you verify your identity, which we may do by asking you to provide certain information or identification to ensure that all data subjects’ privacy is protected. We may charge you a small fee for the exercise of some of your rights under certain conditions.

While we would always appreciate the chance to deal with your concerns before you approach an external regulator, you can also contact a data protection supervisory authority in any of the countries in which CyberArk is established and/or the country in which you are based, such as the Information Commissioner’s Office in the United Kingdom, and lodge a complaint. You can obtain the contact information for all of the EEA data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.

To opt out of receiving communications relating to marketing, events or promotions from CyberArk, you can contact us at any time at [email protected]. Please note that if you are an existing customer then we may need to retain business contact information in order to provide you with CyberArk services; however, this will not be used for marketing purposes.

We will make periodic updates to our privacy policy via this statement, and will note the date the then-existing version takes effect. If you have any queries concerning such changes then please contact us via [email protected].

What are cookies?

A cookie is a very small text document, which often includes a unique identifier. Cookies are created when your browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website’s server. Find out more about the use of cookies at www.allaboutcookies.org.

We also use other forms of technology which serve a similar purpose to cookies and which allow us to monitor and improve our Websites. When we talk about cookies, this term includes these similar technologies.

What cookies do we use and what information do they collect?

Category: Required cookies
Purpose: These cookies are required to enable core functionalities of our Websites. Without these cookies, services you have asked for, like identifying you while you are logged in, cannot be provided. If you disable these cookies certain parts of the Websites will not function for you.

Category: Functional cookies
Purpose: These cookies help us improve, analyse or optimise the experience we provide. In particular, these allow us to measure how visitors interact with our Websites and we use this information to improve the user experience and performance of our Websites. These cookies are used to collect technical information such as the number of pages visited, which parts of our website are clicked on and the length of time between clicks.

Category: Advertising cookies
Purpose: We use these cookies to collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign. We may share this information with other parties who help manage online advertising – please see the “Third Parties” section below for more details.

Third parties

Your use of our Websites may result in some cookies being stored that are not controlled by us. This may occur when the part of the Websites you are visiting makes use of a third party analytics or marketing automation/management tool or includes content displayed from a third party website.

How do you manage these technologies?

If you want to delete any cookies that are already on your device, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

To manage your cookie consent preferences, please click here.

If you are a California resident, we will not sell your personal data (within the meaning of “sell” under the California Consumer Privacy Act). However, we may transfer personal data to our service providers. In addition to the below disclosures, please read the section How CyberArk uses Cookies in relation to your use of the websites and partners portal above for further information on how we share your personal data. Please click here to record your cookies preferences.

This section is only applicable to California residents for purposes of compliance with the California Consumer Privacy Act of 2018 (“CCPA”). Defined terms used in this section, including but not limited to “Business Purpose”, “Consumers,” “Personal Information” and “Sale” (or “Sell”) are used as such terms are defined by and interpreted pursuant to the CCPA.

The categories of Personal Information we have collected about Consumers, which we have disclosed for a business purpose, in the preceding 12 months are:

(1) Identifiers, such as name and Social Security number;

(2) Personal information, as defined in the California safeguards law, such as contact information and financial information;

(3) Characteristics of protected classifications under California or federal law, such as sex and marital status;

(4) Commercial information, such as transaction and account information;

(6) Internet or network activity information, such as browsing history and interactions with the Website;

(7) Geolocation data, such as device location;

(8) Audio, electronic, visual, thermal, olfactory, and similar information, such as video, photography and call and video recordings;

(9) Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences and characteristics.

The sources we have collected this Personal Information from are: directly from California residents or their representative or employers.

In the past 12 months, however, we have not “sold” Personal Information relating to California residents within the meaning of the CCPA.

If you are a California resident, you may request that we disclose to you the following information covering the 12 months preceding your request:

(1) the categories of Personal Information that we collected about you and the categories of sources from which we collected such Information;

(2) the business or commercial purpose for collecting Personal Information about you;

(3) the categories of Personal Information about you that we disclosed to third parties for a business purpose and the categories of third parties to whom we disclosed such Personal Information (if applicable); and

(4) the specific pieces of Personal Information we collected about you.

If you are a California resident, you may also request that we delete Personal Information that we collected from you.

We may ask to verify your identity by providing us with certain information or identification. In some instances, we may decline to honor your request. For example, we may decline to honor your request if we cannot verify your identity or confirm that the Personal Information that we maintain relates to you, or if we cannot verify that you have the authority to make a request on behalf of another individual. In other instances, we may decline to honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another consumer or where the Personal Information that we maintain about you is not subject to the CCPA’s access or deletion rights, such as information relating to our employees and contractors that is used for our employment and vendor management purposes.

You have the right to be free from unlawful discrimination for exercising your rights under the CCPA.

CyberArk does not monitor or respond to Do Not Track browser requests. Please therefore make sure to change the settings of your browser and/or our Services whenever you wish cookies to cease.

Contacts

You may contact CyberArk’s Data Protection Office and make the requests permitted pursuant to applicable law by sending an email to [email protected].

Last Updated: 6 October 2021