Last updated: October 2023

This Job Candidate Privacy Notice (“Notice”) describes what personal data we – Tufin Software Technologies Ltd. and our affiliates (“Tufin”, “we”, “our” or “us”) – collect and process about our job candidates and applicants (“Candidate(s)”, “you”) with respect to their application and recruitment process, why we collect it and how we use it. It also describes how Candidates may exercise their rights to such data held with us.

We strongly urge you to read this Notice and make sure that you fully understand and agree to the practices it describes. If you do not agree to this Notice, please avoid providing us with your data.

You are not legally required to provide us with any personal data, but without it, we may not be able to process your application.

1. What data do we collect, how do we collect it, and how do we use it?

Throughout the application and recruitment process, you may provide us (or we may otherwise have access to) personal data about you, such as your identifying data, contact details, resume/CV, salary expectations, work-related data, social media activity, etc. We may collect this data directly from you, as you provide it voluntarily through your application and candidacy review process, or from other sources such as recruitment agencies, background check services (as applicable and subject to applicable law), or your references.

We may use such data to assess our Candidates’ skills and qualifications and, overall, to verify, consider and process their application and candidacy for any of our positions, and to communicate with them regarding such processes. We may also use it to manage risk and enhance our security and anti-fraud measures, and to create aggregated statistical or inferred data regarding our Candidates, for further development and improvement of our recruitment processes.

In addition, we may use it to act as permitted or required by any legal or regulatory requirements. Should we wish to conduct any additional activities that may require the use of your data, we will notify you in advance and, if required by applicable law, request your prior specific consent.

In some regions, we may also ask you to submit sensitive data relating to your ethnicity, gender, and whether you have a disability, to ensure our compliance with our legal obligations under applicable law, or otherwise to better analyze and improve our hiring practices. We may also collect sensitive data about your prior criminal convictions and offences as part of our background checks for specific roles if permitted or required by applicable law. To the extent legally required, we will obtain your explicit consent prior to any such collection and use.

2. For what purposes do we use our Candidates’ data?

We will use and process your personal data as part of the employment application process at Tufin for the following purposes and in reliance on the lawful bases noted below:

| Purpose | Lawful Basis for Processing |
| --- | --- |
| To evaluate your suitability for a role at Tufin, and progress your application | Performance of a Contract |
| To contact you about other suitable roles within Tufin in the future | Legitimate Interests; Consent (where applicable) |
| To maintain our internal records of recruitment and employment applications | Legal Obligations; Legitimate Interests |
| To create your employee personnel file, if hired | Legal Obligations; Legitimate Interests |
| To comply with applicable legislation and industry codes | Legal Obligations; Legitimate Interests |
| To manage risk and enhance our security and anti-fraud measures | Legitimate Interests |
| To further develop and improve our recruitment processes and hiring practices | Legitimate Interests |
| To protect the rights and interests of Tufin, its affiliates and personnel | Legitimate Interests |

If you reside in a territory governed by privacy laws under which “Consent” is the only or most appropriate legal basis for the processing of personal data as described herein, your acceptance of this Notice will be deemed as your consent to the processing of your personal data for all purposes detailed in this Notice. If you wish to revoke such consent, you may do so at any time by contacting us at privacy@tufin.com.

3. Where do we store our Candidates’ data?

Data regarding our Candidates will be maintained, processed and stored by Tufin and our authorized affiliates and Service Providers (as defined in Section 6 below) in Tufin’s different offices worldwide, including in the United States of America, in Israel, in the applied position’s location(s), and jurisdictions as necessary, on our internal systems and in secured cloud storage provided by our Service Providers.

While privacy laws may vary between jurisdictions, Tufin, its affiliates and Service Providers that store or process your personal data on Tufin’s behalf are each committed to keep it protected and secured, in accordance with this Notice, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred.

To the extent we transfer Candidates’ personal data originating in the European Economic Area (EEA), UK, or Switzerland to countries that have not been recognized as offering an adequate level of data protection by the relevant competent authority, we rely on appropriate contractual undertakings and data transfer mechanisms as established under applicable law, such as the standard contractual clauses adopted by the EU and the UK. We will be liable in cases of onward transfers of your personal data to third parties (including our Service Providers). If you wish to receive a copy of the standard contractual clauses, please contact privacy@tufin.com. If we transfer Candidates’ personal data originating from the EEA, UK, or Switzerland to Israel, EEA, UK (as appropriate), we rely on the respective adequacy findings of the EU, Switzerland and the UK regarding the level of data protection offered by Israel, the UK, and the EEA.

Tufin complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF) as set forth by the US Department of Commerce.

Tufin has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.

Tufin has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF.

If there is any conflict between the terms in this policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern for personal data transferred under the DPF. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

4. For how long may we keep your data?

We may retain your data even after the applied position has been filled or closed. This is done so that we can re-consider Candidates for other positions and opportunities at Tufin; so that we can use their personal data as reference for future applications submitted by them; in case the Candidate is hired, for additional employment and business purposes related to their work; and as reasonably necessary to comply with our legal obligations, to resolve disputes, prevent fraud and abuse, enforce our agreements or otherwise protect our legitimate interests.

5. How will we secure your data?

Tufin has implemented physical, procedural and electronic security measures designed to protect the personal data of our Candidates. We also regularly seek new ways and tools for further enhancing the security of our services and the integrity of the personal data that we hold. Please note, however, that regardless of the measures we take and the efforts we make, we cannot and do not guarantee the absolute protection and security of any personal data stored with us.

6. Who will have access to your data?

Tufin will share your personal data with selected third-party Service Providers (defined below), whose services and solutions complement, facilitate and enhance our own. These include any recruitment firms that have referred you to us (or vice versa), candidate evaluation centers, background checks providers, applicant tracking and recruitment software providers, data storage and cybersecurity services, web analytics, and our business, legal, compliance and financial advisors (collectively, “Service Providers”). Such Service Providers may receive or otherwise have limited access to our Candidates’ personal data, depending on each of their particular roles and purposes in facilitating and enhancing our recruitment process, and may only use it for such purposes.

Additionally, we may disclose or otherwise allow access to any Candidates’ personal data pursuant to a legal request, such as a subpoena, search warrant or court order, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or in compliance with applicable laws, with or without notice to you, if we have a good faith belief that we are legally required to do so, or that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud or other wrongdoing. We may also share your personal data with others, with or without notice to you, if we believe in good faith that this will help protect the rights, property or personal safety of Tufin, any of our customers or employees, or any member of the general public.

In addition, we may share personal data internally within our group of companies (including Tufin Software Technologies Ltd., Tufin Software North America Inc., and Tufin Software Germany GmbH), for the purposes described above, or should Tufin undergo any change in control, including by means of merger, acquisition or purchase of all or part of its assets, your personal data may be shared with the parties involved in such event.

7. Which cookies and data collection technologies do we use?

Tufin uses certain monitoring and data collection technologies, such as cookies and other downloaded data files, including ones offered by our Service Providers. These technologies are used to maintain, provide and improve our processes and operations on an ongoing basis, and in order to provide a better experience to our website visitors and Candidates.

For example, these technologies enable us to better secure our website and services and detect abnormal behaviors, to identify technical issues, and to monitor and improve the overall performance of our services and processes.

To learn more regarding our use of cookies, and to see a list of the cookies we use, please visit our Cookie Policy.

8. How can you exercise your privacy rights?

If you wish to exercise your privacy rights under applicable law (including the EU or UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), as amended, or Israeli Protection of Privacy Law), to request access to, and rectification or erasure of, your personal data held with us; to port it or restrict its processing; to object at any time to any processing of your data which is based on our legitimate interests, or to withdraw at any time your consent to any processing of your data on the basis of such consent (each as detailed in Section 2 above); to opt-out of sale of your personal information, to limit use and disclosure of sensitive personal information, to not be subject to discrimination for exercising your rights, or to exercise any similar rights afforded to individuals under the laws that apply to you, please send us an e-mail to privacy@tufin.com, and we will respond within a reasonable timeframe and in accordance with applicable laws.

Please note that we may require additional information, including certain personal data, in order to authenticate and process your request. Such additional information, along with any communications and records related to your request, may then be retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request), in accordance with Section 4 above. We may redact from the data which we will make available to you, any personal data related to others.

Please also note that such rights are not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal data that we hold about you. In the event that we cannot accommodate your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Tufin commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Tufin at privacy@tufin.com.  

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Tufin commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

Please note that under certain conditions (as described under the DPF Principles Tufin adheres to) you can invoke a binding arbitration by delivering a notice to Tufin via privacy@tufin.com. Additionally, please note that Tufin is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Additionally, you have a right to lodge a complaint with a competent data protection authority, such as the supervisory authority in the EU Member State of your habitual residence, place of work, or of the alleged GDPR infringement, the UK’s Information Commissioner’s Office, or your State’s Attorney General (as applicable).

9. Additional Information 

Updates and amendments: we may update and amend this Notice from time to time by distributing an amended version. The amended version will be effective as of the published effective date. We will use reasonable efforts to provide advance notice if any substantial changes are involved, via any of the communication means available to us. After this notice period, all amendments shall be deemed accepted by you.

California requirements: This Privacy Notice describes the categories of personal information we may collect and the sources of such information (in Sections 1 and 2 above), and our deletion and retention practices (Sections 3 and 4). We also included information about how we may process your information (in Sections 1 through 5), which includes references for “business purposes” under the California Consumer Privacy Act (CCPA), as amended. We do not sell your personal information, or share it with third parties for cross-contextual behavioral advertising purposes, for the intents and purposes of CCPA. We may disclose personal information to third parties or allow them to collect personal data from our Services as described in Section 6 above, if those third parties are service providers or partners who have agreed to our contractual limitations as to their retention, use, and disclosure of such personal information, or if you integrate the services of third parties with our Services, or direct us to disclose your personal information to third parties, or as otherwise described in Section 6 above.

EU Representative: Tufin has designated Tufin Software Germany GmbH as its representative in the European Union, for data protection matters pursuant to Article 27 of the GDPR. Tufin Software Germany GmbH may be contacted only on matters related to the processing of personal data. To make such an inquiry, please send an email to privacy@tufin.com.

UK Representative: Tufin has designated Prighter as its representative in the United Kingdom for data protection matters pursuant to Article 27 of the UK GDPR. Inquiries regarding our UK privacy practices may be sent to: Prighter (Attn: Tufin), Kemp House 160 City Road, EC1V 2NX, London, United Kingdom.

Data Protection Officer: Tufin has appointed PrivacyTeam Ltd. as its Data Protection Officer (DPO), for monitoring and advising on Tufin’s ongoing privacy compliance and serving as a point of contact on privacy matters for data subjects and supervisory authorities. If you have any comments or questions regarding this Notice, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is being processed by Tufin, you can contact our DPO at dpo@tufin.com.

Questions, concerns or complaints: If you have any comments or questions regarding our data practices or your privacy, or if you wish to make a complaint about how your personal data is being processed by Tufin, you can contact our Data Protection Officer at dpo@tufin.com.