Varonis Privacy Policy

GENERAL INFORMATION

We, at Varonis Systems, Inc. and our subsidiaries (collectively, “we” or the Company” or "Varonis"), respect the privacy of anyone who chooses to provide us with their individually identifying or identifiable information (“Personal Information”), and we are committed to protect their privacy.

This Privacy Policy ("Privacy Policy" or "Policy") describes, among other things, the types of information we may collect, how that information may be used, and with whom the information may be shared. This Privacy Policy applies to our Marketing Activity (as defined below), including whenever you use or interact with our website https://www.varonis.com (the "Website"), and to information collected and processed through our SaaS products (the "Software"), or the services we provide including any content or material provided thereon (collectively with the Software, the "Services"), as well as contact information we collect from vendors and partners for the purpose of management and execution of the respective engagements.

If you do not agree to this Policy, please avoid using our Website, Software or Services. You are not legally required to provide us with any Personal Data, but without it we will not be able to provide you with the best experience.

We encourage you to read this Privacy Policy carefully and use it to make informed decisions.

WHAT INFORMATION DO WE PROCESS AND HOW WE COLLECT IT?

• Contact Information:

o When using the Website (including when subscribing to our newsletter, registering for an event, responding to a survey or filling out a form) or when we receive the business contact information from various marketing events we organize or participate in, or from other lawful and legitimate sources (collectively with the Website, “Marketing Activities”), we may collect Personal Information, such as your name, address, telephone number and email address ("Contact Information").

We do not require that visitors to our Website provide us with Contact Information and you may visit our Website anonymously (by using the ‘Incognito’ status on your browser). In this case, we do not collect Contact Information when you visit our website, unless you choose to provide it to us (however, we do collect certain Online Identifiers, as described below). The decision to provide Contact Information is voluntary and you may withdraw your consent at any time by contacting us in one of the ways described in the 'How to contact us' section below. However, if you do not provide the Contact Information requested, you may not be able to proceed with the activity or enjoy the full experience of our Website.

o We collect Contact Information of the relevant personnel of our clients, business partners, service providers and vendors, in the course of our respective engagements and for the purpose of management and execution of such engagements.

• Online Identifiers: When you interact with our Website, we may collect your online identifiers, such as Internet Protocol (IP) address, user IDs and contact preferences ("Online Identifiers"). Online Identifiers may be supplemented with information you provided to us through other services and sources, such as trade shows or seminars, as well as other data collection methods.
• Call recording: We may record some of the marketing and sales calls with our prospective clients, but this will be only for internal training and quality control purposes and in accordance with applicable laws (e.g. in jurisdictions where a consent of both parties is required to record, we will either acquire the required consent before recording or refrain from recording the other party).
• Metadata from the Software: We may also collect incidental Personal Information that is included in the metadata processed in the course of our clients’ use of our Software and Services (which is referred to as ‘Subscriber Data’ in the Subscription Service Agreement of our SaaS products). Such incidental Personal Information relates to individuals whose Personal Information is on our customers’ systems or environments that are monitored by the Software. The Subscriber Data is primarily governed by the Data Processing Agreement , but is referenced in this Privacy Policy as well. For further information about our privacy practices of our Software, please refer to our Privacy Whitepaper .
• Non-identifiable information: We may collect non-identifiable information, which may be made available or gathered via use of the Services and/or through Marketing Activities (“Non-Personal Information”). We are not aware of the identity of the individual from which the Non-Personal Information was collected. Non-Personal Information which is being collected may include directory names, server names, share names, file names, configurations, logs from the Software (e.g. event logs), browsing events and technical information transmitted by your device, including certain software and hardware information (e.g., the type of browser and operating system the device uses, language preference, access time and the domain name from which you are linked to the Website or Software; etc.).
  
  

HOW DO WE USE THE INFORMATION WE COLLECT?

The information we collect, which may include Personal Information, is used for legitimate business purposes, onlyto the extent requiredor otherwisereasonably necessary for one or more of our functions or activities, and while maintaining the right to privacy. Such legitimate business purposes include :

• Conducting our business (such as, reaching out to prospective clients);
• Setting up our client’s account and providing our Services to them;

• Identifying and authenticating access to our Software;
• Supporting and troubleshooting our Software and responding to queries;
• Improving our Software and other Services;

• Performing research, technical diagnostics and analytics with regard to the Website;
• Communicating with prospective and existing clients with promotional content (however, you can always unsubscribe or choose not to receive promotional information from us by following the specific instructions in the email you receive or by notifying us via the appropriate method below. This will not apply to the receipt of mandatory service communications that are considered part of certain Services, which you may receive periodically unless you cancel the service); and
• Preventing potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts and any other misuse of the Services, enforcing our legal terms and conditions, protecting the security or integrity of our databases, and taking precautions against legal liability
  
  

WHAT ARE THE LEGAL BASES FOR PROCESSING OF PERSONAL INFORMATION?

We will process Personal Information based on either of the following legal bases, each of which is prescribed by relevant data protection laws.

• Performance of a contract, compliance with a legal obligation : We process Personal Information where it is necessary for the performance of our contract with you, or in order for us to comply with our various legal and/or regulatory responsibilities.
• Legitimate interests: We also process Personal Information where we deem such processing to be in our (or a third party’s) legitimate interests and provided always that such processing will not prejudice your interests, rights and freedoms. Examples of our processing in accordance with our legitimate interests would include: (i) where we disclose Personal Information to any one or more of our associate/subsidiary companies following a restructure or for internal administrative purposes; (ii) processing for the purposes of ensuring network and information security, including preventing unauthorized access to our electronic communications network; (iii) sharing personal information with our advisers and professional services providers (such as auditors).

· Consent: On certain occasions we may ask for your consent to processing Personal Information. In these instances, your Personal Information will be processed in accordance with such consent, and you will be able to withdraw this consent in writing at any time (for further information, see "WHAT ARE YOUR RIGHTS" section below).

WITH WHOM WE SHARE THE INFORMATION WE COLLECT

We disclose Personal Information to trusted third parties that help us maintain and provide our Services and/or Marketing Activities. We only disclose Personal Information as described in this Privacy Policy, or as permitted by applicable law.

If you fill a registration form to participate in an event organized by Varonis alone, or together with other exhibitors and/or sponsors (“Co-Organizers”), Varonis may share the information you provided in the registration form with its Co-Organizers. At this point, you will be subject to the Co-Organizers’ communications and privacy practices. If you wish to opt-out or exercise any appliable privacy rights you may have regarding these Co-Organizers communications, you must exercise those rights directly with those Co-Organizers.

We may share Personal Information with the following recipients: (i) our affiliates and subsidiaries; (ii) subcontractors and other third-party service providers (for further elaboration about our sub-processors, please refer to our Data Processing Agreement ); (iii) auditors or advisers of our business processes; and (iv) any potential purchasers or investors in Varonis.

We may share Personal Information with our recipients for any of the following purposes: (i) storing or processing Personal Information on our behalf (e.g., cloud computing service providers); (ii) processing such information to assist us with our business operations; (iii) performing research, technical diagnostics, personalization and analytics.

When disclosing Personal Information to third parties, they are required to secure and use that Personal Information only for the purpose of providing us the services, and in compliance with all applicable data protection regulations (such service providers may use other Non-Personal Information for other purposes).

In addition, under certain circumstances we may be required to disclose Personal Information in response to, or we may have a good faith belief that use and/or disclosure of such information is reasonably necessary to: (i) comply with any applicable law, court/tribunal order, regulation, legal process, including alternative dispute resolution process, or governmental request; (ii) enforce our policies, including investigations of potential violations thereof; (iii) investigate, detect, prevent or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues; (iv) establish or exercise our rights to defend against legal claims; (v) lessen or prevent harm or serious threat to the rights, property, life, health or safety of us, our users, yourself or any third party; (vi) locating a person reported as missing; or (vii) for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.

We reserve the right to use, disclose or transfer (for business purposes or otherwise) aggregated and processed Non-Personal Information to third parties for various purposes including commercial use, provided that the individuals to whom the Personal Information pertains are not identifiable. This information may be collected, processed and analyzed by us and transferred in a combined, collectively and aggregated manner (i.e., your information is immediately aggregated with other users) to third parties.

Please note, this Privacy Policy only addresses Varonis' use and disclosure of Personal Information. To the extent that Personal Information is processed by third parties who gained access to the Personal Information independently of Varonis, different rules may apply to their use or disclosure of the information disclosed to them.

COOKIES AND TRACKING TECHNOLOGIES

We use “cookies” (or similar tracking technologies) when you access or interact with our website.

The use of cookies is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns and stores on your computer while you are viewing it. You can find more information about cookies at www.allaboutcookies.org . Cookies can be used for various purposes, including allowing you to navigate between pages efficiently, or for statistical and advertising purposes.

Additionally, after you register to our Website, we will be able to backtrack your activity on our website even before you registered (information that if you did not register will remain anonymous to us).

The cookies we use on our website are all described in our cookie settings menu. You can adjust your preferences when visiting our website.

Please note that once you choose to opt out or disable cookies on our website, some features of the website may not operate properly, and your online experience may be limited. In addition, even if you do opt-out, you may still receive some content and advertising, however it will not be targeted content or advertising.

Most browsers will allow you to erase cookies from your computer’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. You may set your browser to block all cookies, including cookies associated with our website, or to indicate when a cookie is being used by us, by adjusting the privacy and security settings of your web browser. Below is a list of useful links that can provide you with more information on how to manage your cookies: Google Chrome ; Mozilla Firefox ; Safari (Desktop) ; Safari (Mobile); Android Browser ; and Microsoft Edge .

You can learn more and turn off certain third party targeting and advertising cookies by visiting the following third-party webpages:

• The Interactive Advertising Bureau (US) ;
• The Interactive Advertising Bureau (EU) ; and
• European Interactive Digital Advertising Alliance (EU) .

INTERNATIONAL DATA TRANSFERS

Since we operate globally, it may be necessary to transfer,store and processPersonal Information in other countries in which we or our affiliates, subsidiaries or service providers (including the sub-processors) maintain facilities, such as the United States, Israel, the European Union and the United Kingdom. The data protection and other laws of these countries may be different than those in your jurisdiction of residence.

EU and UK residents, please note that we may transfer your Personal Information to countries outside the EEA or the UK. In these instances, we will take steps, as required by applicable law and market practice, to ensure that a similar level of protection is given to Personal Information, including, when applicable, through contractual means (for example, when the GDPR or UK law applies, we will rely on the standard contractual clauses approved by the European Commission for data transfers, the UK International Data Transfer Addendum (IDTA), or transfer data only to recipients located in jurisdictions which were granted an “adequacy decision” with regard to their level of protection of Personal Information by the European Commission).

For information about international data transfer of the Personal Information processed by our SaaS software (‘Subscriber Data’), please refer to our Data Processing Agreement .

HOW LONG DO WE RETAIN THE INFORMATION WE COLLECT?

Unless you instruct us otherwise for justified reasons, we retain the Personal Information we collect for as long as needed to manage our business and provide our services (including marketing communications, as described herein) and to comply with our legal obligations, resolve disputes and enforce our agreements (including exercising any of our rights under our agreements, such as audit and record-keeping).

As for the retention of Subscriber Data – our default retention policy is a sliding window of 180 days during the subscription term (unless a longer period was approved by Varonis, at its sole discretion, at the request of the Client). Upon the end/termination of the subscription term, Subscriber Data which is held by Varonis at such time shall be kept for a period of up to 30 days after termination of the subscription.

We may rectify or remove incomplete or inaccurate information, at any time and at our own discretion.

At any time, you may request to view, change and update your Personal Information by contacting us in one of the ways described in the 'How to contact us' section below.

HOW DO WE SAFEGUARD YOUR INFORMATION?

We are committed to making reasonable efforts, in accordance with market best practices and legal requirements, to ensure the security, confidentially and integrity of the Personal Information. We take great care in implementing and maintaining the security of our website, software and anywhere the Personal Information is stored. Access to the Personal Information is based on the ‘least to know’ concept together with role-based access control systems, ensuring only authorized access to the Personal Information. We employ market best practice security measures to ensure the safety of the Personal Information and prevent unauthorized use of any such information. Although we take steps to safeguard such information, we cannot be responsible for the acts of those who gain unauthorized access or abuse our software, and we make no warranty, express, implied or otherwise, that we will prevent such access. If a password is used to help protect your accounts and Personal Information, it is your responsibility to keep your password confidential.

For further information about our privacy and security practices, please visit our Trust Center.

WHAT ARE YOUR RIGHTS?

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your Personal Information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.

The following table describes all the rights you are entitled to. Please note that some rights are only available for residents of certain jurisdictions. Please also note that these rights are not absolute, and may be subject to our legitimate interests and regulatory requirements.

If you wish to exercise your data protection rights or raise a complaint on how we have handled your Personal Information, you can contact us as set forth below. In addition, you have the right to lodge a complaint with the supervisory authority, as detailed below.

MINORS

Our website, products and services are all directed and designated to people who are above the age of majority (as determined under the applicable laws where the individual resides). If you have any reason to believe that a minor has shared any Personal Information with us, please contact us as set forth below.

UPDATES OR AMENDMENTS TO THE PRIVACY POLICY

We may revise this Privacy Policy from time to time, in our sole discretion, and the most current version will always be posted on our website. We encourage you to review this Privacy Policy regularly for any changes.

In the event of material changes to this Privacy Policy, that affect the use of our SaaS software, we will inform of such change in the Varonis portal for customers. The continued use of our SaaS software, following the notification of such amendments, constitutes acknowledgement and consent of such amendments to the Privacy Policy.

HOW TO CONTACT US

If there are any questions regarding this Privacy Policy or the information that we collect about you, or if you feel that your privacy was not treated in accordance with this Privacy Policy, you may contact our Data Protection Officer at: privacy@varonis.com or at 1250 Broadway st, New York, NY 10001, USA.

If you wish to unsubscribe or stop receiving any marketing material from Varonis, please use the Unsubscribe link at the bottom of the email you receive from us.

If you wish we stop processing and delete your personal information, please emailus at:dl-privacy-request@varonis.com.

If you are unsatisfied with our response, you can reach out to the applicable data protection authority for Varonis:

· If the EU GDPR applies:the Data Protection Commissioner in Ireland at Canal House, Station Road, Portarlington R32 AP23 Co. Laois R32 AP23, Ireland.

· If the UK GDPR applies: The Information Commissioner's Office's Data Protection and Personal Information Complaints Tool .

• If the Personal Information Protection Act (No. 26 of 2012) of Singapore (“PDPA”) applies: Personal Information Protection Commission, 10 Pasir Panjang Road #03-01, Mapletree Business City, Singapore 117438, +65 6377 3131, info@pdpc.gov.sg.

· If theAustralian Privacy Act 1988, including the Australian Privacy Principles ("APPs")‎, apply: the Office of the Australian Information Commissioner, GPO Box 5218 Sydney NSW 2001, +61 1300 363 992, enquiries@oaic.gov.au .

ADDITIONAL PRIVACY NOTICE FOR U.S RESIDENTS

This part of the Policy addresses the specific disclosure requirements under the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and the regulations enacted thereunder (collectively: "CCPA"), the Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1 ("VCDPA"), the Colorado Privacy Act, 2021 Colo. ALS 483; 2021 Colo. Ch. 483; 2021 Colo. SB. 190 ("CPA"), the Connecticut Data Privacy and Online Monitoring Act, Conn. Gen. Stat. §42-515 et. Seq. ("CTDPA"), the Utah Consumer Privacy Act, Utah Code Ann. Title 13, Ch. 61 ("UCPA") (collectively: "US Applicable Laws").

Most of the statements, rights and obligations under this part are common to all US Applicable Laws and apply to you only to the extent determined in the applicable law according to your residency.

Collection, disclosure and sharing of Personal Information

In the 12 preceding months, we have collected and disclosed the following categories of Personal Information:

Sources of Personal Information:

1. Directly and indirectly from activity on our Website: For example, directly from forms you complete on Website or on the subscription process; indirectly when we collect your usage data automatically from measurement tools.

2. Indirectly from you: We track your activities across the internet, for example, when you view or interact with certain content, web page or ad.

3. From third parties: For example, from vendors who assist us in performing services for Clients, data analytics providers, social networks.

Categories of service providers to whom Personal Information was disclosed:

• Cloud Services
• Fraud Prevention
• Website Analysis

We do not sell or share Personal Information, as these terms are defined under US Applicable Laws .

We may transfer Personal Information to third parties as assets that are part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Company. Such transfer will be handled according to the requirement of the U.S Applicable Law and shall not be regarded as a sale of Personal Information under U.S Applicable Law.

Purposes for collection and disclosing of Personal Information

Our purposes for collecting and disclosing Personal Information can be found above, under the section “How do we use the information we collect”.

Exercising Your Rights

You can exercise your rights (such as deletion) by submitting a verifiable consumer request using the contact details specified in the "How to contact us" section above, in accordance with the instruction provided herein.

Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information.

The request must:

• Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
• Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it.
• We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

You may only request a copy of your data twice within a 12-month period.

If you have any general questions about the Personal Information that we collect about you how we use it, please contact us using the contact details specified in the "How to contact us" section above.

If you are a Virginia resident, you have the right to appeal a rejection to your request. The appeal request shall be submitted using the contact details specified in the "How to contact us" section above.

If your appeal is denied, you may lodge a complaint with the Virginia Attorney General through the contact information available here: https://www.oag.state.va.us/contact-us/contact-info or file the complaint at: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint .

Response Timing and Format

Our goal is to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing within the first 45 days period. We will deliver our written response, by mail or electronically, at your option. Any disclosures we provide will cover only the 12-month period preceding the request. If reasonably possible, we will provide your Personal Information in a format that is readily useable and should allow you to transmit the information without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

In case of rejection, the response we provide will explain the reasons for which we cannot comply with your request.

Please note that these U.S Applicable Law rights are not absolute and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations.

Designating Agents

If you are a California resident,you can designate an authorized agent to make a request on your behalf if:

• The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
• You sign a written declaration that you authorize the authorized agent to act on your behalf.

If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below.

If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA or the CPRA.

We may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Non-Discrimination

Unless permitted by the U.S Applicable Law, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

• Provide you a different level or quality of goods or services.

• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

EU/UK/Swiss-U.S. DATA PRIVACY FRAMEWORK

Introduction

• Varonis complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce (collectively, the "DPF Principles").
• Varonis has certified to the U.S. Department of Commerce that:

o it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF.

o it adheres to the Data Privacy Framework Principles with regard to the processing of Personal Information received from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

o it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF.

• If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern.
• To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/ .

Applicable Authority

The Federal Trade Commission has jurisdiction over Varonis' compliance with the DPF Principles.

Redressal Mechanisms

• In compliance with DPF Principles, Varonis commits to resolve complaints related to the DPF Principles about our processing of your Personal Information. EU, UK (Gibraltar included) and Swiss individuals with inquiries or complaints regarding our handling of Personal Information received in reliance on the DPF Principles should first contact us at privacy@varonis.com .
• In compliance with DPF Principles, Varonis commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the DPF Principles to JAMS, an alternative dispute resolution provider based in 7160 Rafael Rivera Way Suite #400 Las Vegas, NV 89113. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Under certain conditions you may also be able to invoke binding arbitration as further described on the DPF website (available here ).

Disclosure to Public Authorities

Please note that under certain circumstances, we may be required to disclose your Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In such circumstances, Varonis will make reasonable endeavors to limit this disclosure only to the extent necessary to comply with the order. As of the last update of this Policy, Varonis has never received such a requirement from a public authority.

Onward Transfers

Varonis remains responsible for the processing of Personal Information it receives and subsequently transfers to a third party acting on our behalf, in accordance with the DPF Principles. We will remain liable under the DPF Principles if such third-party processes such Personal Information in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Additional Rights Under the DPF Principles

In addition to the rights granted to you under applicable laws as set out under the "WHAT ARE YOUR RIGHTS" section of this policy, and to the extent applicable, under the DPF Principles you also have the Right to Opt-Out ofVaronis's disclosure of Personal Information to certain third parties and from the collection of Sensitive Personal Information (i.e., personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), although no Sensitive Personal Information is expected to be collected by Varonis.

Accordingly, individuals to which those rights are applicable, may contact us at privacy@varonis.com and request:

• To opt-out of the disclosure of relevant Personal Information to third parties;
• To opt-out of our processing of Personal Information for materially different purposes from those which it was originally collected for.

Please note that these rights are not absolute and may be subject to regulatory requirements or other law enforcement order.