We respect the privacy of our Visitors, Customers, Users and Participants, and are strongly committed to making our data processing practices more transparent and fair. This Policy concerns personal data collected, received or used via Tufin's websites referring to this Policy (including www.tufin.com and www.tufinnovate.com; collectively – "Websites"), via Tufin's products and services (“Solutions”; and together with our Websites and events - "Services"), and other data sources as described below.
Specifically, this Policy describes our practices regarding:
- Data Collection
- Data Uses
- Data Location and Retention
- Data Sharing
- Cookies and Tracking Technologies
- Data Security
- Data Subject Rights
- Data Controller / Processor
- Additional Notices
You are not legally required to provide us with any Personal Data (defined below), but without it we may not be able to provide you with the full range of Services or with the best user experience when using our Services.
1. Data Collection
We collect Personal Data regarding our Customers, Users, Participants and Visitors. Such data is typically collected and generated through your interaction with our Services, through automatic means, directly from you or through third parties. Specifically, we collect the following categories of data (which, to the extent it relates to an identified or identifiable individual, will be deemed as “Personal Data“):
- Data automatically collected or generated: When you visit, interact with or use our Services, we may collect or generate certain technical data about you. We collect or generate such data either independently or with the help of third-party service providers (as detailed in Section 4 below), including through the use of “cookies” and other tracking technologies (as further detailed in Section 5 below).
Such data mainly consists of connectivity, technical and aggregated usage data, such as IP addresses, device, system and software details, click-stream and usage logs, unique identifiers and similar data and information concerning log-in attempts, usage and use preferences regarding any of Tufin's Websites or Solutions. We mainly use this data to gain a better understanding on how you typically use and interact with our Services; how we could improve your user experience; to optimize our product; and to optimize the overall performance of our Services.
- Data received from you: such Personal Data includes any data or information you may provide which is identifiable to you (either in itself or due to the manner in which it was provided or the Data with which it was provided or generated), such as your name, company and position, contact details (such as business e-mails, phones and addresses), account login details (such as usernames and hashed passwords for using our SaaS Solutions), as well as any free-form text or documentation you may choose to provide us. If you register as a Participant in any of our events, you may provide us with additional details such as your participation eligibility and preferences, your experience relating to Tufin and its Solutions, your meal or accommodation preferences, and any other relevant information.
- Data provided by third parties: We may receive your Personal Data from other sources. For example, if you participate in an event or webinar that we sponsor or participate in, we may receive your Personal Data from the event organizers. We may also receive your contact and professional details (e.g., your name, company, position, contact details and professional experience, preferences and interests) from our business partners or service provides, and through the use of tools and channels commonly used for connecting between companies and individuals in order to explore potential business and employment opportunities, such as LinkedIn and other data services and sources
2. Data Uses
We use Personal Data as necessary for the performance of our Services; to comply with applicable law; as necessary for the performance of our contracts and agreements; and to support our legitimate interests in maintaining and improving our Services and offerings, understanding how our Services are used, optimizing our marketing, advertising and sales practices, providing customer service and technical support, and protecting and securing our Visitors, Customers, Users, Participants, ourselves and our Services.
We do not sell your personal information for the intents and purposes of the California Consumer Privacy Act (CCPA).
Specifically, we use Personal Data for the following purposes:
- To facilitate, operate, and provide our Services;
- To verify the identity of our Users and Participants, and to allow them access to our Services and events, respectively;
- To further develop, customize and improve our Services, and to offer a better experience to our Visitors, Customers, Users and Participants, based on common or personal preferences, experiences and difficulties;
- To provide our Customers and their Users with assistance and technical support, and to diagnose or fix technical problems reported by them;
- To facilitate and improve our marketing, advertising and sales practices, and make them more effective;
- To contact our Visitors, Customers, Users and Participants with general or personalized service-related notices, informational materials and promotional messages, in accordance with Section 6 below;
- To facilitate, organize, sponsor and offer certain events and promotions;
- To monitor aggregate metrics and create aggregated statistical data, inferred non-personal data, or anonymized or pseudonymized data (rendered non-personal), which we, our Customers, Users or business partners may use at our discretion, including to provide and improve our respective services;
- To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of error, fraud or any illegal or prohibited activity;
- To act as permitted by, and to comply with, any legal or regulatory requirements.
3. Data Location and Retention
Tufin is mainly based in the United States and Israel, with headquarters in Boston and Tel Aviv, respectively, and additional offices in North America, Europe and Asia-Pacific. Israel is considered by the European Commission to be offering an adequate level of protection for the Personal Data of EU Member State residents. Tufin's U.S. subsidiary is self-certified and adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. To learn more, please visit our Privacy Shield Notice.
Data Retention: We may retain Customer and User Personal Data for as long as your organization's account with us is active; as reasonably necessary for us to provide or offer our Services to you and your organization; or as long as we consider necessary for the purposes described herein.
We may retain Visitor and Participant Personal Data for as long as reasonably necessary in order to maintain and expand our relationship and to provide them with our Services.
We will also retain Personal Data for as long as is required in order to comply with our legal and contractual obligations, or to protect ourselves from any potential disputes (i.e. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), in accordance with our data retention policy.
Please note that except as required by applicable law, we will not be obligated to retain your Personal Data for any particular period, and we are free to securely delete it for any reason and at any time, with or without notice to you. If you have any questions about our data retention policy, please contact us by email at email@example.com.
4. Data Sharing
Legal Compliance: We may disclose or allow government and law enforcement officials access to your Personal Data in response to a legal request, such as a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we have a good faith belief that we are legally compelled to do so, or that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing.
Service Providers: Tufin engages with a number of selected third party companies and individuals, to perform services complementary to our own (e.g. hosting and server co-location services, data analytics services, marketing and advertising services, data and cyber security services, payment processing services, fraud detection and prevention services, e-mail distribution and monitoring services, session recording, remote access services, and our business, legal and financial advisors (collectively, "Service Providers").
Such Service Providers may receive or otherwise have access to your Personal Data, depending on each of their particular roles and purposes in facilitating and enhancing our Services and business, and may only use it for such purposes.
Sharing Personal Data with our Customers: We may share a User's Personal Data with their affiliated organization, or the organization to which systems (powered by Tufin's Solutions) they attempted to access.
In certain cases, other Users from your organization may control your account and will be entitled to monitor, process and analyze your data and associated content, including (i) view any content you submit and your activities on the Services; (ii) view statistics regarding your account; (iii) change your account password or other access credentials or privileges; (iv) suspend or terminate your account access; and (v) access or retain data stored as part of your account. Please note that in these circumstances Tufin is not responsible for and does not control any further disclosure, use or monitoring by or on behalf of your organization, that acts as the “Data Controller” of such data (as further described in Section 9 below).
Protecting Rights and Safety: We may share your Personal Data with others, if we believe in good faith that this will help protect the rights, property or personal safety of Tufin, any of our Visitors, Customers, Users or Participants, or any members of the general public.
For the avoidance of doubt, Tufin may share your Personal Data in additional manners, pursuant to your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal and anonymous. Additionally, we may transfer, share or otherwise use non-personal data at our sole discretion and without the need for further approval.
5. Cookies and Tracking Technologies
Tufin and some of its Service Providers utilize "cookies", anonymous identifiers and other tracking technologies, which help us provide, secure and improve our Services, personalize your experience and monitor the performance of our activities and campaigns.
A “cookie” is a small text file that is used, for example, to collect data about activity on our Websites. Some cookies and other technologies serve to recall Personal Data, such as an IP address previously indicated by a Visitor or User.
While we do not change our practices in response to a “Do Not Track” signal in the HTTP header from a browser, most browsers allow you to control cookies, including whether or not to accept them and to remove them. You may set most browsers to notify you if you receive a cookie, or to block cookies with your browser.
Service Communications: Tufin may contact you with important information regarding our Services. For example, we may notify you (through any of the means available to us) of changes or updates to our Services, billing issues, service maintenance or changes, password retrieval notices, etc. You will not be able to opt-out of receiving such service communications while using our Services, as they are integral to such use.
Notifications and Promotional Communications: We may send you notifications concerning new features, offerings, events, and special opportunities or any other information we think you will find valuable. We may provide such notices through any of the contacts means available to us (e.g. phone, mobile or e-mail), through the Services, or through our marketing campaigns on any other websites or platforms.
If you do not wish to receive such promotional communications, you may notify Tufin at any time by sending an e-mail to firstname.lastname@example.org, by contacting us through the contact form at www.tufin.com, or by following the "unsubscribe", "stop" or "change e-mail preferences" instructions contained in the promotional communications you receive.
7. Data Security
In order to protect your Personal Data held with us and our Service Providers, we are using industry-standard physical, procedural and electronic security measures, including encryption as appropriate. However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any Personal Data stored with us or with any third parties as described in Section 4 above.
8. Data Subject Rights
If you wish to exercise your rights under any applicable law, including the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), such as the right to request access to, or rectification or erasure of your Personal Data held with Tufin, or to restrict or object to such Personal Data’s processing, or to port such Personal Data, or the right to equal services and prices (each to the extent available to you under the laws which apply to you) – please send us an e-mail to email@example.com.
Please note that once you contact us, we may require additional information and documents, including certain Personal Data, in order to authenticate and validate your identity and to process your request. Your request along with such additional data will be then retained by us for legal purposes (e.g. so we have proof of the identity of the person submitting the request), in accordance with Section 3 above.
9. Data Controller / Processor
Certain data protection laws and regulations, such as the GDPR and CCPA, typically distinguish between two main roles for parties processing Personal Data: the “Data Controller”, (or under the CCPA, the “Business”), who determines the purposes and means of processing; and the “Data Processor” (or under the CCPA, the “Service Provider”), who processes the data on behalf of the Data Controller. Below we explain how these roles apply to our Services, to the extent that such laws and regulations apply.
If Tufin agrees (in writing) to process Personal Data on a Customer’s behalf, such Customer shall be deemed the “Data Controller” of this data. The Customer will be solely responsible for meeting any legal requirements applicable to Data Controllers (such as establishing a legal basis for processing and responding to Data Subject Rights requests concerning the data they control).
If you would like to make any requests or queries regarding your Personal Data that we process on our Customer’s behalf, please contact such Customer directly. For example, if you wish to access, correct, or delete data processed by Tufin on behalf of a Customer, please direct your request to the relevant Customer (who is the “Data Controller” of such data). Should we receive such requests directly, we may refer them to our Customer.
10. Additional Notices
Children’s Privacy: Our Services are not intended for use by children under the age of 18. We do not knowingly collect Personal Data from minors under the age of 18 and do not wish to do so. In the event that it comes to our knowledge that a minor is using the Services, we will prohibit and block such user from accessing the Services (to the extent reasonably possible) and will make all efforts to promptly delete any Personal Data stored with us with regard to such user.
Tufin has designated Tufin Software Germany GmbH as its representative in the European Union, for data protection matters pursuant to Article 27 of the GDPR. Tufin Software Germany GmbH may be contacted only on matters related to the processing of Personal Data. To make such an inquiry, please send an email to firstname.lastname@example.org.
Mr. Aner Rabinovitz of PrivacyTeam Ltd. has been appointed as Tufin’s Data Protection Officer, for monitoring and advising on Tufin's ongoing Privacy compliance and serving as a point of contact on Privacy matters for data subjects and supervisory authorities. Mr. Rabinovitz may be reached at email@example.com.
If you are a GDPR-protected individual, you also have the right to lodge a complaint with an EU supervisory authority.
Effective Date: March 3, 2020