This policy was last updated in May 2023.
We, at Varonis Systems, Inc. and its subsidiaries (collectively, “we” or “the Company”), are committed to protecting the privacy of our business partners who are licensed to use our software (the “Software”) on their internal network (“you” or “Client”) and our Clients' end users who have access to any of the data resources monitored by our Software (“End Users”).
WHAT INFORMATION DO WE PROCESS AND HOW WE COLLECT IT?
We collect two types of information when you or your End Users are using our Software:
- The first type of information is information that identifies an individual or may with reasonable effort identify an individual (“Personal Information”), which includes the following:
- Feedback: When you allow us (or our trusted third party service providers) to receive your End Users’ feedback and rating with regard to Software (“Feedback”), we may gather Personal Information which may include the following: email address of the End User, End User’s full name, End User’s IP address, and the End User’s email. In addition, we may collect Personal Information which your End User voluntarily shares with us when he/she sends us Feedback (e.g., identifying content, images, etc.).
- End Users' Information: In order to provide our Software as a Service (“SaaS”) products, we will collect Personal Information about your End Users, including their account details, IP addresses, MAC addresses, user agent, identifiers issued by Client, path of files and file names. Under certain applicable privacy laws, some of this metadata may be considered Personal Information.
- The second type of information is non-identifiable information pertaining to you or to your End Users, which may be made available or gathered via your use of the Software (“Non-Personal Information”). We are not aware of the identity of the user from which the Non-Personal Information was collected. Non-Personal Information which is being collected may include usernames, directory names, server names, share names, file names, configurations, logs related to Software and Client (e.g. event logs), browsing events and technical information transmitted by your device or your End Users’ devices, including certain software and hardware information (e.g., the type of browser and operating system the device uses, language preference, access time and the domain name from which you or your End Users are linked to the Software; etc.).
In addition, when you allow us (or our trusted third party service providers) to receive your End Users’ Feedback with regard to Software, we may gather Non-Personal Information which may include the following: Feedback rating, Feedback tags, Feedback text, browser type and language, operating system, viewport of the screen, page URL on which the Feedback has been given, screenshot of the screen on which Feedback was provided (with all textual strings redacted), and our clients.
We are not aware of the identity of the Client or End User from which the Non-Personal Information was collected.
Please note that when the Software is deployed by our Clients, it analyzes unstructured data that is stored on the Clients’ platforms. The Clients maintain sole ownership of this data and determine their own policies regarding the storage, access, deletion, sharing and retention of this data. This data is hosted and stored only on the Clients’ servers (not on the Company’s servers).
HOW DO WE USE THE INFORMATION WE COLLECT?
In addition to the purposes listed herein, the information we collect, which may include your Personal Information, is used for legitimate business purposes, only to the extent required or otherwise reasonably necessary for one or more of our functions or activities, and while maintaining your right to privacy. Such legitimate business purposes include:
- Setting up your account and to provide our services to you and to your End Users;
- Identifying and authenticating End Users’ access to the Software;
- Obtaining End Users’ Feedback with regard to the Software;
- Improving our Software;
- If we enter into a business transaction such as a merger, acquisition, reorganization, bankruptcy, or sale of some or all of our assets;
- Supporting and troubleshooting our Software and to respond to queries; and
- For other purposes for which we obtain your consent.
In addition, we may use and/or disclose Personal Information, or any information you submitted to us, if we have a good faith belief that use and/or disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, court/tribunal order, regulation, legal process, including alternative dispute resolution process, or governmental request; (ii) enforce our policies, including investigations of potential violations thereof; (iii) investigate, detect, prevent or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues; (iv) to establish or exercise our rights to defend against legal claims; (v) lessen or prevent harm or serious threat to the rights, property, life, health or safety of us, our users, yourself or any third party; (vi) locating a person reported as missing; or (vii) for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.
WHAT ARE THE CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION?
We will process your Personal Information based on the following legal bases, each of which is prescribed by relevant data protection laws.
- Performance of a contract, compliance with a legal obligation: We will process your Personal Information where it is necessary for the performance of a contract (such as for our agreement) or in order for us to comply with our various legal and/or regulatory responsibilities.
- Legitimate interests: We also process your Personal Information where we deem such processing to be in our (or a third party’s) legitimate interests and provided always that such processing will not prejudice your interests, rights and freedoms. Examples of us processing in accordance with legitimate interests would include: (i) where we disclose your Personal Information to any one or more of our associate/subsidiary companies following a restructure or for internal administrative purposes; (ii) processing for the purposes of ensuring network and information security, including preventing unauthorized access to our electronic communications network; (iii) sharing personal information with our advisers and professional services providers (such as auditors).
- Consent: On certain occasions we may ask for your consent to processing Personal Information. In these instances, your Personal Information will be processed in accordance with such consent and you will be able to withdraw this consent in writing at any time. If you reside in Singapore, we will process your Personal Information only where we have your consent or "deemed consent", unless such processing is required under applicable laws or where the legitimate interest exception applies.
WITH WHOM WE SHARE THE INFORMATION WE COLLECT; INTERNATIONAL DATA TRANSFERS
We may transfer or disclose Personal Information to our subsidiaries and other affiliated companies. In addition, Client’s and End User’s Personal Information may be disclosed to other trusted third party service providers or partners for the purpose of: (i) storing Personal Information on our behalf (e.g., cloud computing service providers); (ii) assisting us with our business operations and Software and improving it (e.g., processing and analyzing End Users’ Feedback); and (iii) performing research, technical diagnostics and analytics with regard to the Software.
Since we operate globally, it may be necessary to transfer, store and process Personal Information in other countries in which we or our affiliates, subsidiaries or service providers maintain facilities, such as the United States, Israel, United Kingdom, Australia, Singapore and the European Union (in particular, France, Germany, Ireland, Netherlands, Belgium and Luxembourg). The data protection and other laws of these countries may not be as comprehensive as those in your jurisdiction of residence. EU and UK residents, please note that we may transfer your personal information to countries outside the EEA or the UK. In these instances, we will take steps, as required by applicable law, to ensure that a similar level of protection is given to Personal Information, including, when applicable, through contractual means (for example, when the GDPR or UK law applies, we will rely on the standard contractual clauses approved by the European Commission for data transfers, the UK International Data Transfer Addendum (IDTA), or transfer data only to recipients located in jurisdictions which were granted an “adequacy decision” with regard to their level of protection of personal data by the European Commission).
We may also disclose your information when we believe disclosure is required to comply with the law, enforce our policies or protect ours or others’ rights, property or safety.
THIRD PARTY COLLECTION OF INFORMATION
Our policy only addresses our use and disclosure of personal information from you and from your End Users through the Software (as described under the “With whom we share the information we collect” section herein). To the extent that you or your End Users disclose your information to other parties through the Software, different rules may apply to their use or disclosure of the information disclosed to them.
HOW LONG DO WE RETAIN THE INFORMATION WE COLLECT?
As for the retention of the Subscriber Data (as defined in the Subscription Service Agreement of our SaaS products) – our default retention policy is a sliding window of 180 days during the subscription term (unless a longer period was approved by Varonis, at its sole discretion). Upon the end/termination of the subscription term, Subscriber Data which was held by Varonis at such time shall be kept by Varonis for a period of 30 days after termination of the subscription.
We may rectify or remove incomplete or inaccurate information, at any time and at our own discretion.
At any time, you may request to view, change and update your Personal Information by contacting us in one of the ways described in the 'How to contact us' section below.
HOW DO WE SAFEGUARD YOUR INFORMATION?
We are committed to making reasonable efforts, in accordance with market best practices, to ensure the security, confidentiality and integrity of the Personal Information. We take great care in implementing and maintaining the security of the Software and the Personal Information. Access to the Personal Information is based on the ‘least to know’ concept together with role-based access control systems, ensuring only authorized access to the Personal Information. We employ market best practice security measures to ensure the safety of your End Users’ Personal Information and prevent unauthorized use of any such information. Although we take steps to safeguard such information, we cannot be responsible for the acts of those who gain unauthorized access or abuse our Software, and we make no warranty, express, implied or otherwise, that we will prevent such access. If a password is used to help protect your accounts and Personal Information, it is your responsibility to keep your password confidential.
WHAT ARE YOUR RIGHTS?
Certain jurisdictions provide individuals with certain statutory rights to their Personal Information. To the extent these rights apply to you, you may exercise the following rights with respect to your Personal Information:
- To receive confirmation as to whether or not Personal Information concerning you is being processed, and access your stored Personal Information, together with certain supplementary information.
- To receive Personal Information you directly volunteer to us in a structured, commonly used and machine-readable format.
- To request rectification of your Personal Information that is in our control.
- To request erasure of your Personal Information.
- To object to the processing of Personal Information by us.
- To request to restrict processing of your Personal Information by us.
However, please note that these rights are not absolute, and may be subject to our own legitimate interests and regulatory requirements.
If you wish to exercise your data protection rights or raise a complaint on how we have handled your Personal Information, you can contact us as set forth below. In addition, you have the right to lodge a complaint with the supervisory authority, as detailed below.
The Software is not designated to End Users under the age of majority (as determined under the applicable laws where the individual resides; “Age of Majority”). In the event that we become aware that End Users under the Age of Majority have shared any information, we will discard such information. If you have any reason to believe that a minor has shared any information with us, please contact us as set forth below.
HOW TO CONTACT US
If you wish to exercise any of your rights with respect to the personal information we process, please email us at: firstname.lastname@example.org.
If you are unsatisfied with our response, you can reach out to the applicable data protection authority for Varonis:
- If the EU GDPR applies: the Data Protection Commissioner in Ireland at Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
- If the UK GDPR applies: The Information Commissioner's Office's Data Protection and Personal Information Complaints Tool.
- If the Personal Data Protection Act (No. 26 of 2012) of Singapore (“PDPA”) applies: Personal Data Protection Commission, 10 Pasir Panjang Road #03-01, Mapletree Business City, Singapore 117438, +65 6377 3131, email@example.com.
- If the Australian Privacy Act 1988, including the Australian Privacy Principles ("APPs"), apply: the Office of the Australian Information Commissioner, GPO Box 5218 Sydney NSW 2001, +61 1300 363 992, firstname.lastname@example.org.
PRIVACY NOTICE FOR CALIFORNIA AND VIRGINIA RESIDENTS
This part of the Policy addresses the specific disclosure requirements under the California Consumer Privacy Act of 2018 (Cal. Civ. §§ 1798.100–1798.199) and the California Consumer Privacy Act Regulations by the Attorney General (collectively, “CCPA”); the California Privacy Rights and Enforcement Act of 2020 ("CPRA") and the Virginia Consumers Data Protection Act of 2021 ("VCDPA") (collectively: "U.S Applicable Laws").
Most of the statements, rights and obligations under this part are common to both California and Virginia residents, and apply to you only to the extent determined in the applicable law according to your residency.
Categories of Personal Information We Process?
In the 12 preceding months, we have collected and disclosed the following categories of Personal Information (as this term is defined under U.S Applicable Laws):
| Category of Personal Information Collected | Personal Information Collected | Categories of service providers to whom Personal Information was disclosed |
|---|---|---|
| A. Identifiers | Email address, device identifiers (UDID, IMEI, MAC, IP, identifiers issued by Client), image | Cloud Services |
| B. Commercial information | Feedback of Clients and/or End Users | Cloud Services |
| C. Internet or Other Electronic Network Activity Information | Usernames, directory names, server names, share names, file names and paths, configurations, logs related to Software and Client (e.g. event logs), browsing events and technical information transmitted by your device or your End Users’ devices, including certain software and hardware information (e.g., the type of browser and operating system the device uses, language preference, access time and the domain name from which you or your End Users are linked to the Software). | Cloud Services |
In addition, in the past 12 months, we have collected the following categories of Sensitive Personal Information (as this term is defined under the CPRA or the VCDPA):
| Category of Personal Information Collected | Personal Information Collected | Categories of service providers to whom Personal Information was disclosed |
|---|---|---|
| A. Nonpublic communications | Email conversations, marketing and sales calls recordings | N/A |
We do not sell (as this term is defined under U.S Applicable Laws) or share (as this term is defined under the CPRA) any Personal Information.
We may transfer Personal Information to third parties as assets that are part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Company. Such transfer will be handled according to the requirement of the U.S Applicable Law and shall not be regarded as a sale of Personal Information under U.S Applicable Law.
Sources of Personal Information
In the 12 preceding months, we have collected the above-mentioned categories of Personal Information from the following categories of sources:
- Clients or End Users directly.
Purposes for collection of Personal Information
Our purposes for collecting Personal Information can be found above, under the section “How we use the information we collect”.
User Rights under U.S Applicable Law
U.S Applicable Law provides consumers with specific rights regarding their Personal Information:
Access to Personal Information
You may request, up to two times each year, that we disclose to you the categories and specific pieces of Personal Information that we have collected about you, the categories of sources from which your Personal Information is collected, the business or commercial purpose for collecting your Personal Information, the categories of Personal Information that we disclosed for a business purpose, any categories of Personal Information about you that we sold, the categories of third-parties with whom we have shared your Personal Information, and the business purpose for sharing your Personal Information, if applicable.
You have the right to obtain a copy of your Personal Information in a portable and, to the extent technically feasible, readily usable format.
You have the right to request that we delete any Personal Information collected from you and retained, unless an exception applies.
Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers, subcontractors, and consultants to delete) your Personal Information, unless an exception applies.
Right to Correction
You may have the right to request that we correct inaccurate Personal Information about you, and we will use commercially reasonable efforts to correct it.
Right to Opt-Out
Under U.S Applicable Law, you have the right to opt out of selling or sharing (as these terms are defined under U.S Applicable Law) of your Personal Information. As mentioned above, we do not sell or share your Personal Information.
Right to Limit Use of Sensitive Personal Information
You may have the right to limit our use of Sensitive Personal Information, only to what is necessary to the performance of the services you requested.
Exercising Your Rights
You can exercise your rights (such as deletion) by submitting a verifiable consumer request using the contact details specified in the "How to contact us" section above, in accordance with the instruction provided herein.
Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information.
The request must:
- Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
- Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
You may only request a copy of your data twice within a 12-month period.
If you have any general questions about the Personal Information that we collect about you and how we use it, please contact us using the contact details specified in the "How to contact us" section above.
If you are a Virginia resident, you have the right to appeal a rejection to your request. The appeal request shall be submitted using the contact details specified in the "How to contact us" section above.
If your appeal is denied, you may lodge a complaint with the Virginia Attorney General through the contact information available here: https://www.oag.state.va.us/contact-us/contact-info or file the complaint at: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.
Response Timing and Format
Our goal is to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing within the first 45-day period. We will deliver our written response, by mail or electronically, at your option. Any disclosures we provide will cover only the 12-month period preceding the request. If reasonably possible, we will provide your Personal Information in a format that is readily useable and should allow you to transmit the information without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
In case of rejection, the response we provide will explain the reasons for which we cannot comply with your request.
Please note that these U.S Applicable Law rights are not absolute and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations.
If you are a California resident, you can designate an authorized agent to make a request under the CCPA or the CPRA on your behalf if:
- The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
- You sign a written declaration that you authorize the authorized agent to act on your behalf.
If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below.
If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA or the CPRA.
Unless permitted by the U.S Applicable Law, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.