Privacy Standards and Practices
Our approach to data privacy
This whitepaper is for informational purposes only.
At Varonis, we apply the highest security standards to the way we use clients’ data in our day-to-day operations. We also believe in full transparency, and have outlined key aspects of our standards, practices, and safeguards for your information and compliance assessment purposes.
Varonis products are not only aimed at protecting clients’ data, but they are also built based on the Privacy by Design and Privacy by Default approach. Accordingly, role-based access is incorporated within the platform; clients have regional deployment choices; and optional features that involve greater content processing are customer-enabled.
What Varonis does (through the privacy lens)
Varonis technology crawls data sources for the purpose of threat detection and response, data security, compliance and remediation.
Our Data Security Platform includes the following capabilities (note: this is not a comprehensive list of our products’ capabilities and advantages, but a highlight of the main items that are related to the processing of private data):
- Data activity monitoring monitors who and what is accessing data and what they do with that data (create/open/modify/delete, etc.) and monitors authentication and perimeter telemetry in the data access chain.
- Data discovery and classification automatically and continuously scan the contents of files, folders, and other objects to determine the sensitivity and category of the document.
- Data access intelligence combines data sensitivity, permissions, and activity to show customers who has access to critical data (i.e., their data blast radius), how they derive access, and whether access is necessary.
- Posture management interrogates configurations and settings to assess, report on, and optimize security or privacy posture.
- User and entity behavior analytics profiles users, applications, and devices and their associated behaviors with respect to the monitored systems and data, and detects and alerts on meaningful deviations that indicate compromise.
- Special products:
  - Varonis Interceptor is an AI-native email and browser security solution designed to stop advanced phishing, social engineering, and credential theft.
  - Varonis Atlas AI Security discovers, governs, and secures enterprise AI systems such as LLMs, agents, and copilots.
Scope and nature of the personal information processed by Varonis products
As a general rule, Varonis products process metadata, while customer content remains in the customer environment. Where limited content processing is required for specific features, it is feature-specific, controlled, and subject to defined retention and access restrictions.
Varonis differentiates between data and metadata:
- Customer data refers to the actual content stored within files or communications (such as document text or email bodies);
- Customer metadata refers to information that describes or contextualizes that content (such as user identities, file/folder/path names, email addresses/subjects/senders/recipients, domains, IP addresses, timestamps, or communication attributes).
Varonis also sends technical logs and telemetry from the Collector to Varonis' Data Security Platform. These do not contain any personal data.
Customer data is retrieved and processed by the Collector server(s) installed inside the customer premises; Varonis personnel and subcontractors do not have access to it. Only metadata, and not the data itself, is stored on Varonis DSP. For example, if the file Sample.doc contains a password in line 3, the DSP records that the file contains a password; the actual password is not sent to SaaS.
Administrative functions that effect change in the customer environment (such as removing monitored servers/systems) are also run from servers inside the customer premises (e.g., the Collector), without access by Varonis or its subcontractors.
Please note that there are a few product-specific exceptions to the above that require certain processing of data to provide the intended services:
- Interceptor Email Security
  Varonis Email Interceptor monitors the email communications of organizational employees and detects spam emails and malicious patterns, based on text contents, suspicious URLs in emails, QR codes or attachments, or unusual communication patterns. Each email is analyzed by Varonis briefly and then deleted. Varonis does not retain the content of the emails unless an email is detected to be malicious.
  For details on how the Email Interceptor works, please refer to https://www.varonis.com/trust/responsible-ai#25-varonis-ai-email-interceptor.
  See also the reference to Email Hunt under the File Analysis section below.
- AI Security and Atlas AI licenses
  If a customer adds its corporate GenAI platform(s) (such as Copilot, AgentForce, ChatGPT, Gemini, etc.) as a data source to Varonis DSP, or uses the Atlas AI license (which provides protection of the corporate AI environment), Varonis will collect, analyze, and store on Varonis DSP the relevant GenAI prompts (questions entered by users) and responses. Only customer users who are assigned a special dedicated role may retrieve these prompts and responses via Varonis' analytical interface. AI prompts and responses are further secured in the platform by tenant segregation, and access by Varonis personnel is restricted to a small, dedicated engineering team with least-privilege access on a need-to-know basis.
  For further information on how Atlas AI works, please refer to https://www.varonis.com/platform/ai-security.
  For further information on how AI Security works, please refer to https://www.varonis.com/solutions/ai-security.
- AI Classification
  Varonis supports AI-based classification of actual data. Each document is analyzed by Varonis briefly and then deleted. Varonis does not retain the content of the documents, only their classifications. AI Classification is optional, and customers can enable it.
  For details on how AI Classification works, please refer to https://www.varonis.com/trust/responsible-ai#24-ai-based-data-classification.
- DatAdvantage Cloud
  DatAdvantage Cloud (DAC) works directly with cloud data sources such as Salesforce, Google Suite, Box, etc. Most of these sources allow installing a Collector in the customer's environment, which is the same method used with Varonis DSP. However, a handful of these data sources do not allow a customer-hosted Collector, so the full data is temporarily retrieved by DatAdvantage Cloud from the data source for classification. The data is not stored on DAC: after the data is classified (a matter of minutes per file), it is discarded, and only metadata and classification results are stored in the cloud to enable their analysis by the customer (similar to Varonis' Data Security Platform).
- File Analysis
  The File Analysis functionality allows a user who was granted a special dedicated role to view the documents that are referenced in Varonis DSP classifications or alerts.
  However, neither Varonis DSP nor Varonis personnel can view or access the plain text of the file, because files viewed through File Analysis are encrypted end-to-end using a private/public key handshake (ECDH), and the encryption key is not exposed to the Varonis Cloud or personnel.
  A similar functionality exists in the Varonis Email Interceptor (called Email Hunt) for scanned emails the user wishes to view. The email content is fetched by the SaaS platform and immediately presented to the user over HTTPS with TLS; in this case the content is not hidden from the SaaS platform. The email content resides in the SaaS platform only briefly and is not stored.
Data locality
Data storage: Upon onboarding, Varonis' Data Security Platform can be set to operate from the geography of the customer’s choice.
Varonis uses sub-processors, which are third-party SaaS platforms, to provide certain service functions on the Varonis SaaS platform.
The full list of Varonis sub-processors and their locations of processing can be found in our Sub-Processors list.
Access to Varonis' Data Security Platform: While Varonis' Data Security Platform is stored in the client's chosen region, specialized Varonis personnel located globally may be required to access the client's Varonis' Data Security Platform in order to provide certain specialized or advanced services. The safeguards and technical and organizational measures applied to access by Varonis personnel worldwide are identical: access requires an approval process based on need-to-know and least-privilege principles, and it is monitored. Therefore, client data stored on Varonis' Data Security Platform is protected in the same manner regardless of the origin of the access.
For the EU, we have implemented safeguards and measures to secure the metadata of European individuals when that metadata is accessed (i.e., exported) outside of the EEA. In this framework, Varonis incorporated the Standard Contractual Clauses (SCCs) in its DPA with its customers, conducted a transfer impact assessment (TIA), and executed intra-group SCCs with all Varonis sub-processors. For further information, please refer to the Service Providers Compliance section below.
Official roles in Varonis related to privacy and data security
Varonis highly values the privacy and security of the data it processes and, accordingly, incorporates the Privacy by Default principle in its processes and Privacy by Design in its products. Therefore, Varonis designated several senior positions and teams across the organization to ensure all aspects of data safekeeping are attended to properly:
Data Protection Officer (DPO) — Our DPO has a vital role in supervising and ensuring Varonis complies with all necessary security and privacy legislation, evaluating and reviewing processing activities, and drafting and overseeing compliance with our procedures and internal policies.
The DPO develops and maintains a comprehensive privacy compliance practice at Varonis based on in-depth knowledge and understanding of Varonis technology. The DPO collaborates with multiple stakeholders in all departments across the company, ensuring Varonis’ various products and processes are compliant with the rapidly evolving legal privacy landscapes worldwide.
Our DPO has the required expertise in data security laws and practices, an in-depth understanding of GDPR, CCPA, and other applicable privacy laws, an understanding of our processing operations, and the integrity and independence to be an objective supervisor necessary for such a role.
Chief Information Security Officer (CISO) — Our teams follow strict security policies and procedures designed by our CISO and the CISO's highly qualified team of experts. The team’s purpose is to protect personal information from disclosure, unauthorized access, and leakage by setting up the proper classifications, controls, and measurements.
To learn more about our CISO operations and Varonis' Compliance Certifications, please visit our Trust Center.
Product Architecture and Product Security Teams — Varonis designated two expert teams in the R&D organization to oversee the integrity of Varonis software.
The Chief Architect and their team lead the technological architecture of our products and review the designs of all architecture changes. The architect maintains a data catalog and ensures that data residence and data governance principles are considered during the design process.
The Product Security team verifies, from the security perspective, that private and sensitive data is guarded according to industry standards and best practices, including by conducting active assessments to ensure adherence to security standards and policies.
Data Retention
Varonis is committed to retaining client data only for as long as needed to provide and secure its services, while applying appropriate technical and organizational safeguards throughout the retention period to protect such data against unauthorized access, misuse, alteration, or loss.
Our default retention policy for Subscriber Data on the Varonis SaaS platforms is a sliding window of 180 days during the subscription term (unless a longer period was approved by Varonis, at its sole discretion, at the request of the Client).
However, classification results are kept for as long as the original data source exists; if the original data source is deleted, the classification result is deleted as well, within 30 days.
Email samples submitted as part of false positive/false negative investigations of Varonis Interceptor are deleted 30 days after the case is closed.
Upon the end/termination of the subscription term, Subscriber Data held by Varonis at that time shall be deleted within 30 days after termination of the subscription.
Compliance with privacy legislation
Because we operate globally, we invest significant effort to be aligned and compliant with various applicable privacy laws and requirements.
Over the years, Varonis has made extensive adjustments to its internal practices and legal documents, including signing DPAs with all its sub-processors (for further information, please refer to the Service Providers Compliance section below) to comply with the applicable legal framework.
We actively monitor legal developments and analyze whether additional steps are required to comply with new legislation.
Across jurisdictions, privacy legislation is built on a common set of foundational principles, which guide how Varonis approaches the processing and protection of personal information. Varonis applies such principles consistently in the design, operation, and governance of its products and services:
Respecting personal information
Varonis is committed to the privacy and protection of the personal information we process, and that commitment manifests itself in our day-to-day activities. The below describes the key aspects of our security and privacy controls and measures.
The personal information that is processed by Varonis is treated with care for the users’ (data subject) rights. We have implemented the necessary mechanisms to enable users to exercise such rights. Our teams are kept up to date with new privacy legislation, and our internal procedures are updated to satisfy new requirements. Our internal accountability documents and policies are continuously reviewed and updated to ensure our teams follow and operate in accordance with a cohesive and detailed policy.
Purpose limitation and data minimization
We process information only to the scope and for the duration strictly necessary to provide our services. As detailed above, some information is processed only temporarily.
Furthermore, we have built into our systems various privacy features, such as the ability to limit some of the data processing (such as in the Management Console).
Data Protection Impact Assessment (DPIA)
Whenever a new technology, system, policy, or significant change is proposed for implementation, a privacy and security assessment (Data Protection Impact Assessment) is performed. Such assessments allow us to identify and mitigate any potential privacy-related risks and implement applicable solutions.
Detailed policies, procedures and documentation
Processing activity is documented in our internal records, detailing — among other things — all purposes, categories of personal information, retention schedules, and recipients. The relevant stakeholders in the R&D and privacy teams constantly update the documentation.
Personnel vetting and training
Our personnel are trained in privacy and security matters during the onboarding process and on an ongoing and annual basis. If our policies are violated, our personnel are subject to disciplinary measures.
Varonis personnel must also receive proper clearance to access personal information and undergo either background checks or appropriate reliability tests.
Keeping personal information secure
Varonis implements a wide array of security measures to keep your information safe and secure. Security measures are also applied to applicable Varonis service providers.
Varonis certifications and accreditations
Varonis has achieved numerous certifications and successfully completed audits, including but not limited to ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701, SOC 2 Type 2, SOC 3, PCI DSS, and CSA's STAR Level 1 security assessment. Together, these certifications demonstrate that Varonis maintains an independently audited control environment, applies formalized and repeatable security and privacy management processes, and operates under ongoing governance, review, and accountability mechanisms.
The above certifications are only part of the full scope of technical and organizational measures we use. For more information, please visit our Trust Center.
Additional information regarding security matters can also be found in our security page.
Service providers compliance
Personal information is transferred only to our service providers (sub-processors) who need to access it as part of their services. The transfer of personal information to new sub-processors is subject to a security risk assessment (conducted by the CISO), transfer impact assessment (conducted by the DPO), and procedures that establish the requirements and standards for disclosing or transferring such information. The assessments are reviewed periodically. These procedures are designed to ensure that any transfer complies with applicable privacy laws.
Security risk assessment
Prior to engaging with a third-party vendor, Varonis conducts a security risk assessment. Varonis thoroughly investigates the vendor's security posture. The risk assessment reviews the vendor's security, compliance, and privacy practices and ensures appropriate safeguards are put in place. Each engagement with the potential disclosure of PII requires an enhanced privacy assessment. High-risk vendors that hold customer data undergo periodic reviews.
Transfer impact assessments (TIA)
We do not transfer any personal information to countries outside the European Economic Area (EEA) or U.K. without making sure it is being transferred lawfully and that the transferred information will be in good hands. For that purpose, we perform transfer impact assessments (TIAs), which allow us to ensure that any recipient of personal information has the proper legal, organizational, and security mechanisms in place to avoid any mishandling or abuse of personal information.
TIAs performed by Varonis include a wide variety of inquiries regarding the level of security the recipient can apply to the personal information transferred. This includes questions regarding the organizational, technical, and contractual mechanisms being implemented, the possibility of disclosure of personal information to a governmental authority (mainly when stored in the U.S.), and the feasibility of transferring personal information exclusively to data centers allowing the maximum protection possible (e.g., data centers in the EU when the GDPR is applicable).
In addition, TIAs cover matters such as whether the laws in the recipient's jurisdiction ensure the integrity of personal data privacy and whether the recipient itself is performing any relevant onward transfers.
TIAs allow Varonis to make informed decisions and maintain control over where personal information is being kept and how it is processed on Varonis' behalf.
Data processing agreement (DPA)
Any transfer of personal information will be subject to a data processing agreement (DPA), detailing the parties' obligations under the applicable privacy laws and implementing all safeguards necessary by law to ensure that personal information will always be treated in accordance with the requirements of privacy laws and industry best standards. These DPAs apply to any external transfer, as well as to internal data transfers between members of the Varonis group of companies.
When required by law, Varonis also incorporates the GDPR's Standard Contractual Clauses (SCCs), or their UK and Swiss counterpart, or the EU-US Data Privacy Framework (DPF), including the UK and Swiss extensions, providing further protection in terms of privacy and security matters whenever personal information is transferred to relevant jurisdictions.
Varonis’ DPAs also oblige the receiving party (sub-processors) to assist Varonis and maintain various security mechanisms to ensure the security of personal information transferred. For example, data recipients must:
- Implement and maintain appropriate technical and organizational methods to protect personal information against accidental or unlawful destruction
- Comply with a detailed list of measures ensuring the security of the information, including having a written security management system, maintaining a security policy that is regularly reviewed, applying encryption, maintaining a firewall configuration, and limiting personal information storage to that which is necessary
- Conduct periodic reviews of network security and adequacy, measured against industry security standards
- Notify Varonis without undue delay after becoming aware of a security incident and assist in investigations and resolution thereof
For any further questions, please do not hesitate to contact your Varonis representative or reach out to privacy@varonis.com.
More privacy resources
Privacy inquiries
privacy@varonis.com
Request to cease processing or delete PII
dl-privacy-requests@varonis.com