This policy was last updated in June of 2021.
We, at Varonis Systems, Inc. and its wholly-owned subsidiaries (collectively, “we” or the “Company”), are committed to protecting the privacy of our business partners who are licensed to use our software (the “Software”) on their internal network (“you” or “Client”) and our Client’s end users who have access to any of the data resources monitored by our Software (“End Users”).
What information do we collect?
We collect two types of information when you or your End Users are using our Software:
- The first type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual (“Personal Information”), which includes the following:
- Feedback: When you allow us (or our trusted third party service providers) to receive your End Users’ feedback and rating with regard to Software (“Feedback”), we may gather Personal Information which may include the following: email address of the End User, End User’s full name, End User’s IP address, and the Client’s email. In addition, we may collect Personal Information which your End User voluntarily shares with us when he sends us Feedback (e.g., identifying content, images, etc.).
- In order to provide some of our Software as a Service (“SaaS”) products, we will collect metadata of your End Users, including IP addresses, MAC addresses, user agent, identifiers issued by Client, path of files and file names. Under certain privacy regulations some of this metadata may amount to Personal Information.
- The second type of information is unidentified and non-identifiable information pertaining to you or to your End Users, which may be made available or gathered via your use of the Software (“Non-Personal Information”). We are not aware of the identity of the user from which the Non-Personal Information was collected.
- Non-Personal Information which is being collected may include usernames, directory names, server names, share names, file names, configurations, logs related to Software and Client (e.g. event logs), browsing events and technical information transmitted by your device or your End Users’ devices, including certain software and hardware information (e.g., the type of browser and operating system the device uses, language preference, access time and the domain name from which you or your End Users are linked to the Software; etc.).
- In addition, when you allow us (or our trusted third party service providers) to receive your End Users’ Feedback with regard to Software, we may gather Non-Personal Information which may include the following: Feedback rating, Feedback tags, Feedback text, browser type and language, operating system, viewport of the screen, page URL on which the Feedback has been given, screenshot of the screen on which Feedback was provided (with all textual strings redacted), and our clients.
Please note that when the Software is deployed by our Clients, it analyzes unstructured data that is stored on the Clients’ platforms. The Clients maintain sole ownership of this data and determine their own policies regarding the storage, access, deletion, sharing and retention of this data. This data is hosted and stored only on the Clients’ servers (not on the Company’s servers).
How we use the information we collect?
In addition to the purposes listed herein, the information we collect, which may include your Personal Information, is used for legitimate business purposes only, such as:
- To identify and authenticate End Users’ access to the Software;
- To obtain End Users’ Feedback with regard to the Software;
- To improve our Software;
- To support and troubleshoot our Software and to respond to queries; and
- To investigate violations and enforce our policies, and as required by law, regulation or other governmental authority, or to comply with a subpoena or similar legal process or respond to a governmental request.
We use the Personal Information only to the extent required and while maintaining your right to privacy.
What are the Conditions for Processing of Personal Information?
We will process your Personal Information for a variety of reasons, each of which is prescribed by relevant data protection laws.
- Performance of a contract, compliance with a legal obligation: It is necessary for us to process your Personal Information where it is necessary for the performance of a contract (such as for our agreement) or in order for us to comply with our various legal and/or regulatory responsibilities.
- Legitimate interests: We also process your Personal Information where we deem such processing to be in our (or a third party’s) legitimate interests and provided always that such processing will not prejudice your interests, rights and freedoms. Examples of us processing in accordance with legitimate interests would include: (i) where we disclose your Personal Information to any one or more of our associate/subsidiary companies following a restructure or for internal administrative purposes; (ii) processing for the purposes of ensuring network and information security, including preventing unauthorized access to our electronic communications network; (iii) sharing personal information with our advisers and professional services providers (such as auditors).
Our processing of your Personal Information will primarily be necessary for us to provide you with the services. However, on certain occasions we may ask for your consent to processing Personal Information. In these instances your Personal Information will be processed in accordance with such consent and you will be able to withdraw this consent in writing at any time.
With whom we share the information we collect?
We may transfer or disclose Personal Information to our subsidiaries and other affiliated companies. In addition, Client’s and End User’s Personal Information may be disclosed to other trusted third party service providers or partners for the purpose of: (i) storing Personal Information on our behalf (e.g., cloud computing service providers); (ii) assisting us with our business operations and Software and improving it (e.g., processing and analyzing End Users’ Feedback); and (iii) performing research, technical diagnostics and analytics with regard to the Software.
Since we operate globally, it may be necessary to transfer Personal Information to countries outside the European Union. The data protection and other laws of these countries may not be as comprehensive as those in the European Union − in these instances, we will take steps to ensure that a similar level of protection is given to Personal Information. You hereby consent to the transfer of your and your End Users’ Personal Information to countries outside the European Union.
Third party collection of information
Our policy only addresses our use and disclosure of personal information from you and from your End Users through the Software (as described under the “With whom we share the information we collect” section herein). To the extent that you or your End Users disclose your information to other parties through the Software, different rules may apply to their use or disclosure of the information disclosed to them.
How long do we retain the information we collect?
At any time, you or your End Users may request to change, update, correct errors or delete Personal Information by emailing us at firstname.lastname@example.org.
As for the retention of the Subscriber Data (as defined in the Subscription Service Agreement of our SaaS products) – our default retention policy is a sliding window of 180 days during the subscription term (unless a longer period was approved by Varonis, at its sole discretion). Upon the end/termination of the subscription term, Subscriber Data which was held by Varonis at such time shall be kept by Varonis for a period of 30 days after termination of the subscription.
We may rectify, replenish or remove incomplete or inaccurate information, at any time and at our own discretion.
How do we safeguard and transfer your information?
We are committed to making reasonable efforts, in accordance with market best practices, to ensure the security, confidentiality and integrity of the Personal Information. We take great care in implementing and maintaining the security of the Software and the Personal Information. Access to the Personal Information is based on the ‘least to know’ concept together with role based access control systems, ensuring only authorized access to the Personal Information. We employ market best practice security measures to ensure the safety of your End Users’ Personal Information and prevent unauthorized use of any such information. Although we take steps to safeguard such information, we cannot be responsible for the acts of those who gain unauthorized access or abuse our Software, and we make no warranty, express, implied or otherwise, that we will prevent such access. If a password is used to help protect your accounts and Personal Information, it is your responsibility to keep your password confidential.
What are your rights?
You may contact us at email@example.com any time and request:
- To delete, change or update any personal data relating to you (for example, if you believe that your Personal Information is incorrect, you may ask to have it corrected);
- That we will cease any further use of your Personal Information or delete your information (for example, you may ask that we stop using or sharing your Personal Information with third parties).
If you wish to raise a complaint on how we have handled your Personal Information, you may contact us at the addresses indicated below.
The Software is not intended for End Users under the age of 18. In the event that we become aware that End Users under the age of 18 have shared any information, we will discard such information. If you have any reason to believe that a minor has shared any information with us, please contact us at firstname.lastname@example.org.
Notice for California residents
If you reside in the state of California please see the notice below.
How to contact us
If you are unsatisfied with our response, you can reach out to the applicable data protection authority for the Company affiliates for the purpose of the EU General Data Protection Regulations: the Data Protection Commissioner in Ireland at Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
Privacy Notice for California Residents
This part of the Policy addresses the specific disclosure requirements under the California Consumer Privacy Act of 2018 (Cal. Civ. §§ 1798.100–1798.199) and the California Consumer Privacy Act Regulations by the Attorney General (collectively, “CCPA”).
Categories of Personal Information We Process?
In the 12 preceding months, we have collected and disclosed the following categories of Personal Information:
| Category of Personal Information Collected | Personal Information Collected | Categories of service providers to whom Personal Information was disclosed |
|---|---|---|
| A. Identifiers | Email address, device identifiers (UDID, IMEI, MAC, IP, identifiers issued by Client), image | Cloud Services |
| B. Commercial information | Feedback of Clients and/or End Users | Cloud Services |
| C. Internet or Other Electronic Network Activity Information | Usernames, directory names, server names, share names, file names and paths, configurations, logs related to Software and Client (e.g. event logs), browsing events and technical information transmitted by your device or your End Users’ devices, including certain software and hardware information (e.g., the type of browser and operating system the device uses, language preference, access time and the domain name from which you or your End Users are linked to the Software). | Cloud Services |
We do not sell (as this term is defined under the CCPA) any Personal Information.
We may share or transfer Personal Information to third parties as assets that are part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Company. Such transfer will be handled according to the requirement of the CCPA and shall not be regarded as a sale of Personal Information under the CCPA.
Sources of Personal Information
In the 12 preceding months, we have collected the above-mentioned categories of Personal Information from the following categories of sources:
- Clients or End Users directly.
Purposes for collection of Personal Information
Our purposes for collecting Personal Information can be found above, under the section “How we use the information we collect”.
User Rights under the CCPA
The CCPA provides consumers with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights:
Access to Personal Information
You may request, up to two times each year, that we disclose to you the categories and specific pieces of Personal Information that we have collected about you, the categories of sources from which your Personal Information is collected, the business or commercial purpose for collecting your Personal Information, the categories of Personal Information that we disclosed for a business purpose, any categories of Personal Information about you that we sold, the categories of third-parties with whom we have shared your Personal Information, and the business purpose for sharing your Personal Information, if applicable.
You have the right to request that we delete any Personal Information collected from you and retained, unless an exception applies.
Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers, subcontractors, and consultants to delete) your Personal Information, unless an exception applies.
Exercising Your Rights
You can exercise your rights (such as access and deletion) by submitting a verifiable consumer request to our email address: email@example.com or by sending mail to our physical address specified in the HOW TO CONTACT US section.
Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information.
The request must:
- Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
- Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
You may only request a copy of your data twice within a 12-month period.
If you have any general questions about the Personal Information that we collect about you or how we use it, please contact us at firstname.lastname@example.org.
Response Timing and Format
Our goal is to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing within the first 45-day period. We will deliver our written response, by mail or electronically, at your option. Any disclosures we provide will cover only the 12-month period preceding the request. If reasonably possible, we will provide your Personal Information in a format that is readily useable and should allow you to transmit the information without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
In case of rejection, the response we provide will explain the reasons for which we cannot comply with your request.
Please note that these CCPA rights are not absolute and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations.
You can designate an authorized agent to make a request under the CCPA on your behalf if:
- The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
- You sign a written declaration that you authorize the authorized agent to act on your behalf.
If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below.
If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.
Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.