Data Protection FAQ

The FAQ responses in this Document are up-to-date as of May 24, 2021. Any use of Remote Access shall be subject to CyberArk’s Terms of Service and Privacy Policy

1. What personal data does CyberArk process in order to provide Remote Access to my company?

   When a user, typically an employee or a third-party remote vendor of our customer, downloads the CyberArk Mobile smartphone app (Alero Mobile App), we process their first name, last name, phone number and phone model, and, if the customer has configured this, the user will also provide a profile picture. When a customer invites a third- party remote vendor to use Remote Access, the customer provides us with that user’s email address and company name. Remote Access also audits service activity. For employees, Remote Access will perform a one-time processing of the employee’s active directory credentials, in order to validate that the employee is a member of the organisation. Afterwards, the employee’s active directory credentials are stored on the mobile device only. The credentials are encrypted and secured on the mobile device, with access available via the user’s biometric key only. The credentials are then re-validated at regular intervals as configured by the customer’s Remote Access administrator. Additionally, after processing of the employee’s active directory credentials, some active directory properties of the user (UserPrincipalName, email, objectSID, object GUID, sAMAccountName, Distinguished Name) will be stored in the Remote Access cloud. If a user uses Remote Access’s direct RDP access feature, then, when they invoke the RDP protocol, CyberArk receives access to data included under Microsoft's RDP protocol messaging. User RDP sessions are fully encrypted while passing through the CyberArk Remote Access SaaS service and only unencrypted on the CyberArk Remote Access Connector within the customer site.

2. Does Remote Access access my employee’s biometric data?

   No. All the biometric data is processed and stored locally on the user’s smartphone. CyberArk will not have access to that biometric data, neither can we grant such access to the user’s employer. When Remote Access requests to biometrically authenticate a user, it asks the mobile device to verify whether the authorized person is holding the phone, and the device checks against the locally-stored biometric data. No user credentials or biometric data are stored by Remote Access or within the SaaS environment; that data is kept locally and natively on the respective user’s smartphone.

   A pass or fail response is the only information that Remote Access receives for the biometric authentication prompt, not how it was calculated, or how the biometric data was used.

3. Does the CyberArk Mobile provide CyberArk with access to additional personal data?

   The CyberArk Mobile does not access any additional personal data. Users will be asked to provide permission for the app to access the smartphone Camera and Photo Library. This enables the user to upload a profile picture (if required) and to scan a QR code for login purposes. We will not use this permission for any other purpose.

4. Does Remote Access allow CyberArk to access any data in addition to that outlined above, for example to access my systems, or data that is sensitive to my business?

   No. Our products do not have any inbuilt functionality that gives or allows CyberArk to access any customer data or system remotely. Remote Access user sessions passed via Remote Access are end-to-end encrypted outside the customer firewall. Remote Access does not have access to any of the secrets or data communicated via these encrypted sessions.

5. Will CyberArk act as a Data Controller or Data Processor?

   CyberArk acts as Data Processor, and the customer acts as a Data Controller, in respect of personal data provided by customers. CyberArk will only process personal data (as set out above) for the purposes of providing the service to the customer, and will act on the customer’s instructions. In addition, CyberArk acts as a Data Controller for data which it processes for its own purposes, such as data about our own internal employees, and marketing data related to our prospective customers. This is outside the scope of purchases made by customers and is processed independently of any data processed as part of the provision of our services.

6. Will CyberArk transfer the personal data outside my territory?

   CyberArk currently maintains data centers in various territories, including the United States, Canada, Germany, and Australia, to enable customers to nominate a region of their choice in which customer data will be hosted. No personal data provided to Remote Access by the customer will be transferred by CyberArk outside of the datacenter chosen by the customer. With regard to data provided by users who download CyberArk Mobile (as set out above in FAQ 1), this is stored in the database chosen and managed by the mobile app user when they first start the mobile application. Mobile app users have the ability to remove their data from one data center, or create a new profile in another data center at any time. Changes to a user in one data center are not applied to a user with the same phone number in any other data center (if applicable).

   In order to provide a global service (for example 24x7 Maintenance and Support) we do share personal data with our regional offices and some of our sub-processors, and data hosting services are based outside of Europe (for example, Salesforce.com, AWS, MS Azure). We rely on “appropriate safeguards” for the transfer of personal data outside of Europe by CyberArk, most commonly the European Commission’s standard contractual clauses.

7. How does the Schrems II court ruling affect CyberArk services?

   In response to the July 2020 ruling of the European Court of Justice regarding transfers of personal data from the EEA to the US, CyberArk has considered and implemented the applicable recommendations of the European Data Protection Board. For example, CyberArk has implemented a Vendor Compliance Program designed to ensure that all subcontractors or other third parties who process customer data on our behalf have entered into a Data Processing Addendum with CyberArk which complies with the additional safeguards required by the ruling. The program is designed to ensure that such transfers do not rely on the Privacy Shield mechanism invalidated by the court, and that reliance on the Standard Contractual Clauses (which the court upheld) is subject to additional safeguards, as required by the ruling.

   Even before the ruling, CyberArk customers were not transferring data to CyberArk under the Privacy Shield. Accordingly, the invalidation does not directly affect the way our customers may transfer data to us. We have also updated our customer DPA template to include a new Annex C, which addresses the additional safeguards raised by the court.

   When conducting your own risk assessment as the data exporter to consider what safeguards are required, you may wish to take into account our data security standards and the limited nature of the personal data processed by CyberArk. CyberArk solutions in themselves are designed to enhance your compliance with the obligation to deploy technical and organizational measures to keep personal data transfers secure. CyberArk is happy to provide further information in connection with our data privacy practices. We suggest beginning with the information available on our Privacy Center.

8. What subcontractors/sub-processors does CyberArk use to provide its services? Where will those sub-processors store the personal data provided by my business?

   In line with market practice, we provide a list of sub-processors on our Privacy microsite (www.cyberark.com/privacy-center). Customers can subscribe to alerts to be notified of any change to this list. We use a variety of sub-processors to help host and deliver our products and services. The geographic location of those sub-processors or their data centers that we use are set out on the Privacy microsite.

9. What training and internal processes does CyberArk have in place to ensure that its staff are appropriately trained to correctly handle these different data types?

   All of our personnel are bound by duties of confidentiality and are required to undergo onboarding and refresher training courses on information security and GDPR compliance.

10. How would CyberArk deal with a breach or suspected breach of my data?

    Security is our business. We have a well-maintained and up to date incident response policy (this is an internal document and cannot be shared with third parties) and stay on top of security developments through the expertise of our own people and the advice of leading external legal and professional services consultants. We would report any breach to the customer without undue delay, in line with our legal obligations.

11. Does CyberArk have a Data Processing Agreement we can review? Can it review ours?

    We have a comprehensive Data Processing Agreement, available here, which incorporates the European Commission’s standard contractual clauses. It is aligned to our products/services and internal processes and we consequently find it much more straightforward for both parties to use our template rather than a customer’s version, which will typically be aimed at any type of vendor and data processing activity.

12. How secure is the Remote Access solution?

    Remote Access is secured according to commercially applicable industry security practices, based on OWASP and CAIQ standards. The service’s multitenancy is secured by, among other means, methods to isolate data of different tenants, and regular, frequent security reviews. Remote Access Administration is protected by various security measures, including session management capabilities for full recording, automation isolation and real-time monitoring of access.

13. How does the dedicated CyberArk team access the data?

    Only those specifically authorized CyberArk personnel who require access in order to provide successful delivery, operation and service to the customer may access data, using the secure Remote Access portal. In order to access the secure Remote Access portal, such personnel must be authenticated using biometric authentication and may perform actions only in keeping with their permissions in respect of the data. Access to the secure Remote Access portal is restricted to the internal CyberArk network and is audited.

14. How long does Remote Access retain the data?

    Customer data (including back up data) will be deleted 60 days after expiration/termination of the Remote Access services. Additionally, customers may make a specific written request at any time to the CyberArk Customer Support portal for data deletion. Shortly after the customer request, the data will be deleted from the Remote Access services live systems (databases).

15. Will CyberArk use my company’s usage data?

    CyberArk does aggregate statistical data related to its customers’ use of, access to and configuration of our SaaS solutions. This will be used for CyberArk’s reasonable business purposes or for the customer’s benefit, including improving our services.

Copyright © 2021 CyberArk Software Ltd. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document.