Privacy Shield Notice

Tufin Software North America, Inc. (“Tufin US”, “us“, “we” or “our”) has self-certified with the EU-US and Swiss-US Privacy Shield Frameworks with respect to the personal data of any individuals residing in the EU and Switzerland that we receive or process, including on behalf of any of our affiliated companies worldwide (collectively, “Tufin Group”). To learn more about the Privacy Shield program, please visit https://www.privacyshield.gov. Our Privacy Shield certification is available HERE.

Accordingly, Tufin adheres to the principles of the EU-US and Swiss-US Privacy Shield Frameworks, as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union and Switzerland to the United States (“Privacy Shield Principles”). If there is any conflict between this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

Our participation in the Privacy Shield Frameworks applies to personal data that Tufin receives from any other member of the Tufin Group which relates to data subjects residing in the EU or Switzerland, or directly from such data subjects themselves.

In the event that the United Kingdom ceases being a Member State of the European Union, Tufin will continue to adhere to the Privacy Shield Principles also with respect to the collection, use and retention of personal data transferred from the United Kingdom to the United States, or with any successor framework between the United Kingdom and the United States.

Our participation in the Privacy Shield applies to personal data that Tufin receives from and processes on behalf of any member of the Tufin Group, and any customers, business partners, suppliers, employees or candidates of the Tufin Group, that reside in the EU or Switzerland.

EU and Swiss data subjects, as well as UK data subjects, have the right to access personal data about them, and in some cases to limit use and disclosure of their personal data. If you would like to request access to your personal data processed by us, or to limit use and disclosure of your personal data, please contact privacy@tufin.com and provide your name and contact information. If your request pertains to data processed on behalf of another member of the Tufin Group, we will refer your request to them, and will support them as needed in responding to your request.

1. Scope

2. Data Subject Rights

3. Onward Transfers of Personal Data

We will not transfer personal data originating in the EU, Switzerland or UK to third-parties unless such third-parties have entered into a written agreement with us requiring them to provide at least the same level of privacy protection to such personal data as required by the Privacy Shield Principles. In cases of such onward transfer, Tufin remains responsible and potentially liable, other than for events outside of its reasonable control.

Such third-parties include selected companies and individuals that we have engaged to provide us with services complementary to our own. These include cloud data hosting and delivery services, data and cyber security services, web analytics, content distribution and monitoring services, session or activity recording services, performance measurement, support and customer relation management systems, and our legal, financial and compliance advisors.

We may also engage in data transfers internally within the Tufin Group, for the provision of our services. In addition, should Tufin or any member of the Tufin Group undergo any change in control or ownership, including by means of merger, acquisition or purchase of substantially all or part of its assets, then personal data may be shared with the parties involved in such an event. We may also share personal data with others if we believe in good faith that this will help protect the rights, property or personal safety of Tufin Group members, any of our customers, partners or users, or any members of the general public.

4. Compelled Disclosures

Tufin may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

5. Recourse Mechanism

In compliance with the Privacy Shield Principles, Tufin is committed to resolve complaints about our collection or use of personal data. EU, Swiss and UK individuals with inquiries or complaints regarding our privacy practices should first contact Tufin at privacy@tufin.com or by postal mail sent to:
Tufin Software North America, Inc.
Attn: Privacy Shield Inquiry
10 Summer Street,
Boston MA, 02110
United States

Tufin has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles and the Swiss-U.S. Privacy Shield Principles to JAMS, a non-profit alternative dispute resolution provider located in the United States to assist with the complaint resolution process. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit JAMS for more information and to file a complaint. The services of JAMS are provided at no cost to you.

Tufin further commits to cooperate with EU and UK data protection authorities (DPAs), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU, Switzerland and UK in the context of the employment relationship. Data Subjects with inquiries or complaints regarding this Privacy Shield Notice should first contact Tufin at: privacy@tufin.com. You may find the relevant contact details here or here.

6. Enforcement

Tufin is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) to ensure compliance with the Privacy Shield Principles outlined in this Notice.

7. Arbitration

Under certain conditions, more fully described on the Privacy Shield website, you may also be able to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Privacy Shield Notice.