Last Updated: July 2021
Our efforts are guided by Privacy by Design principles set forth in the GDPR. Privacy by Design refers to having privacy as an objective when developing personal data collection and processing measures. While not an exhaustive list, some examples of situations in which we apply Privacy by Design include when (i) we develop the features of our products and services; (ii) we specify the business purposes for which we collect personal data when you use http://www.forcepoint.com and any of its sub-domains, (iii) you conduct business with Forcepoint or use Forcepoint products; (iv) we deploy any information systems that will be processing personal data, (v) we design and employ security measures to protect personal data in the systems our customers use; and (vi) we dispose of personal data that is no longer required to satisfy business or legal objectives.
This Policy was last updated at the date indicated above. We may change this Policy from time to time so please check back regularly to keep informed of updates.
1. FORCEPOINT’S PERSONAL DATA ROLES
Forcepoint collects personal data in furtherance of our business activities, as described below. Forcepoint typically collects such data directly, but may work through third parties. When Forcepoint collects personal data directly or through a third party, Forcepoint is a data controller as defined and with the responsibilities provided in the GDPR.
Forcepoint is a processor of personal data that has been collected from its customers’ use of Forcepoint products and services. Under these circumstances, the customer is the data controller as defined and with the responsibilities provided in the GDPR. Forcepoint’s processing of personal data collected through the use of its products and services is done in accordance with Forcepoint’s Data Processing and Protection Measures (DPPM) (2).
2. PRIVACY SHIELD PARTICIPATION
In previous versions of this Policy, we proudly highlighted Forcepoint’s participation in the EU/US Privacy Shield Framework (Privacy Shield). Participation in Privacy Shield is only approved for companies that verifiably implement Privacy Shield’s privacy principles and enforcement procedures. Privacy Shield participants could rely on participation as a GDPR compliant means to transfer personal data from the EU to the US.
The European Court of Justice (ECJ) invalidated Privacy Shield as a GDPR compliant method to transfer personal data from the EU to the US (see Schrems II Judgment). At the same time, the ECJ affirmed that adoption of and adherence to the EU’s Standard Contractual Clauses (SCC) (with supplementary measures where appropriate) does meet GDPR requirements for lawful cross border transfers of EU personal data data to the US and any other country that has not received an Adequacy Decision in accordance with GDPR.
Forcepoint’s DPPM, which are incorporated by reference into Forcepoint’s standard terms and conditions, provide that we apply the SCCs whenever we have occasion to transfer EU personal data to a country that has not received an Adequacy Decision. Since the US has not received an Adequacy Decision, Forcepoint manages EU personal data transfers to the US in compliance with the SCCs. (Note: The applicable version of the SCCs are attached to our DPPM.)
Even though the US continues to operate Privacy Shield, Forcepoint decided to transition to an inactive status. There is no benefit to maintaining an active status when Privacy Shield is no longer a GDPR compliant means to transfer EU person data to the US.
Our decision to be “inactive” in Privacy Shield should in no way be construed to mean we will not continue to abide by the program’s principles. We remain committed to compliance with lawful privacy principles and this commitment is reflected in our compliance with SCCs when processing EU data subjects’ data.
3. PERSONAL DATA WE COLLECT AND/OR PROCESS
General: We receive and store information, including information that can be used to identify you (Personal Data), entered on the Forcepoint Website (the Website), or received when, for example, you make inquiries about the Website or about Forcepoint partners, products or services. Except to the limited extent that may be necessary in the context of online job applications, we neither request nor collect Special Category Data.
Information that we collect when you use the Website: When you use the Website, we automatically collect:
- Navigation and click-stream data
- HTTP protocol elements
- Search terms
If you browse the Website without registering with us or creating an online account, we do not collect your Personal Data; however, you will not be able to access resources, such as reports, papers, or technical alerts or join technical forums.
Registering/creating an online account enables you to access Website resources. We collect registrants’/account holders’ Personal Data, such as first and last name; telephone number; email address; job function and/or title; organization name, size and location; and whether the registrant/account holder is acting on a current customer’s behalf.
Personal Data we collect when we obtain online feedback from you: We collect your name, online contact information, organization’s name, physical contact information, and any other Personal Data that you share when providing online feedback.
Personal Data we collect when you do business with Forcepoint: We may collect and process customer, vendor or business partner (Partner) Personal Data for Partners that conduct business with Forcepoint for themselves or on behalf of a customer, vendor, supplier, consultant, professional adviser or other third party. Partner Personal Data may be collected by Forcepoint whether or not such natural person is also a Website user. Examples of Partner Personal Data include:
- Points’ of contact connection or communication details;
- Business job title, responsibilities, department and organization;
- Financial information if needed to take payment or fulfill contractual obligations or for related purposes;
- Information necessary to evaluate Forcepoint's and business partners’ or vendors’ performance; and
- If you also hold an online Forcepoint account, we add any purchase information we collect, including details of the purchase and your business address, to your online account information.
Personal Data you provide about another person: We rely on our Partners to bring this Policy to the attention of any individuals whose Personal Data the Partners share with us. If anyone provides us information about another person, we may require the submitter to verify the data subject has consented to the sharing of their Personal Data with Forcepoint for the processing purposes, as set out in this Policy.
Personal Data that we collect when you apply online for employment: You may submit Personal Data through our Website to be considered for Forcepoint employment. Such data includes your name, your address, your phone number, your email address, job preferences, experience, desired salary, relocation preferences, work authorization, security clearance, education, job skills and other information contained on your resume or curriculum vitae. Forcepoint uses such data solely for consideration of your candidacy for employment, to communicate with you and to generate related correspondence, including offer letters and employment agreements. Such data may also be used, subject to applicable local laws, to conduct necessary background checks for compliance and other employment related purposes. Finally, Forcepoint retains such data as legally permitted, such as when necessary to address your employment interest or otherwise process your application.
Your submission of such data constitutes your consent to its processing, as described above, including in the United States.
Personal Data received from the use of certain Forcepoint products: Forcepoint products enable customers to monitor their networks to protect against cyber threats. “On-Premise” product deployments process data in customer managed networks, in accordance with customers’ configurations. Forcepoint does not typically access customers’ end users’ Personal Data (End User Personal Data) for “On-Premise” deployments.
Forcepoint may have access to End User Personal Data when customers use Forcepoint products or services via a cloud infrastructure (Cloud Services). In all such cases, the Personal Data is processed in accordance with the customers’ configurations and directions. Some examples of the type of End User Personal Data processed through customers’ use of the Cloud Services includes:
- Subscriber ID information: ID of the customer sending or receiving files; User or Visitor ID that identifies the IP of the client visiting a file; and network users’ name, email address, company name, and country.
- Communication information: email metadata, including email addresses of sender and recipient, sender email in SMTP transaction and email subject.
- Traffic data: proxy log, web traffic logs, apache browsing logs, browsing and diagnostic logs, IP addresses, URL information, website session data and files submitted by users of Forcepoint products.
- Such other data collected through customer configured policies in the Forcepoint products supporting the customers’ cybersecurity program.
In Section 4 below, we explain how End User Personal Data is processed in accordance with our customers’ decisions regarding what is necessary to protect monitored network users’ security and the customer’s other legitimate interests. Any Forcepoint use of End User Personal Data is in furtherance of the customers’ specified legitimate interest and ensuring the products or services work effectively.
Personal Data we obtain from other sources: We also may periodically obtain both Personal Data and non-Personal Data about you from Forcepoint subsidiaries, Partners and other third-parties to facilitate the legitimate interests of administering such business relationships. We may add Personal Data and other information we obtain from these sources to Personal Data and other information we may already hold, such as updated business address information; purchase history; demographic information; and Partner credit information (for more information see Section 4 below).
4. HOW WE USE YOUR PERSONAL DATA
Personal Data: We use or may use Personal Data in line with the requirements of data protection laws and the “legitimate interests” we determine necessitate the collection. Such purposes include:
- Creating and administering records about online accounts, including organizations’ purchase history;
- To provide requested information, access to resources or other products or services;
- To send customer service-related communications, including in relation to administering organizations' online accounts and providing online services;
- To provide technical product support and enhance product technical support services.
- To address any communications sent to Forcepoint;
- To provide product upgrade/enhancement alerts and announce new products or services, including by email, in accordance with your communication preferences. Please see the "Your Rights: Accessing and Changing Your Personal Data " section below for information about how you can control these updates;
- To request feedback and improve our Website, products and services, as appropriate;
- To assess financial, credit or insurance risks arising from any existing or prospective business relationship with a Partner;
- To complete and support the current activity, Website and system administration, and to improve the navigation and Website content;
- To analyze Website users’ activities and decision making (3), for customers who opt in to sharing such data with us;
Website usage data: We use tools to measure Website visitor performance, click data, engagements with content on the Website, pathing, form completions, etc. We also aggregate such data without Personal Data and use it to analyze user behavior and make decisions about how to improve user experiences.
Marketing: In accordance with your communication preferences, we may use mail, telephone, fax, email or other contact means to offer goods or services, announce promotions or provide other information. Where required by applicable law, prior approval will be obtained before sending direct marketing. Consent may be withdrawn at any time by changing communications preferences. Please submit your communications preferences to firstname.lastname@example.org.
Forcepoint does not sell Personal Data to third parties. To be clear, our use of the word “sell” is intended to encompass sales, leases, rentals, or sharing for anything of value.
Anonymous and Non-Personal Data: We may generate, use and disclose anonymous and non-Personal Data from the Website for marketing and strategic purposes. Similarly, we may generate aggregated usage and statistical information related to Customers’ and end-users’ use of the products in order to facilitate analysis and comparisons.
End User Personal Data: As noted in Section 3 above, Forcepoint’s customers monitor use of their networks to protect against cyber threats. Under applicable data protection laws, customers are the “Data Controller” and Forcepoint is the “Data Processor” regarding End User Personal Data passing through the networks monitored with Forcepoint products.
As Data Controllers of the End User Personal Data, our customers retain full responsibility for ensuring the End User Personal Data collected by their use of Forcepoint products is handled in accordance with applicable privacy laws and regulations.
In its role as the Data Processor, Forcepoint will process the End User Personal Data as required to perform the service including to manage and administer Forcepoint’s customers’ services such as providing technical support, tailoring network monitoring policies, and developing product improvements. Forcepoint complies with the laws applicable to Data Processor activities. We meet our obligations in this regard by ensuring our customer contracts (which incorporate the DPPM) (i) define each party’s respective obligations under applicable privacy legislation and (ii) require our customers to comply with relevant privacy legislation.
5. SHARING YOUR PERSONAL DATA
We may share Personal Data as follows:
- With Forcepoint affiliates, for the purposes described in Section 4 above;
- With our service providers or agents solely to the extent necessary for them to provide services to Forcepoint or act on Forcepoint's behalf;
- In response to lawful subpoenas, court orders or other legal process, or as may otherwise be required by applicable law;
- To Forcepoint auditors, legal representatives or similar agents;
- To Forcepoint product resellers for the purposes of Forcepoint product sales and Forcepoint product support;
- To Partners with which we collaborate;
- To any third party that purchases, or to which a Forcepoint entity transfers, all or substantially all of the Forcepoint assets or business (in which case the relevant Forcepoint entity will use reasonable efforts to ensure that the third party to which it transfers personal data uses it in a manner that is consistent with this Policy);
- To credit reference agencies for the purposes of making periodic searches in the context of managing and taking decisions about Forcepoint's relationship or prospective relationship with a Forcepoint Partner or job applicant. Information provided to credit reference agencies may affect information used by other credit providers to make decisions about Partners.
- In an emergency where someone’s health or safety may be endangered, to the extent permitted by law.
Forcepoint’s policy is to maintain contracts with all third parties (other than law enforcement where the sharing is determined by law) with which it shares Personal Data. Such contracts include provisions that restrict the access, use and disclosure of Personal Data in compliance with the express purposes provided in the contracts and our legal obligations, including those under GDPR, the CCPA, and other data protection laws, as applicable.
6. YOUR RIGHTS: ACCESSING AND CHANGING YOUR PERSONAL DATA (4)
Forcepoint seeks to ensure that your Personal Data and preferences are accurate and complete. If at any time you decide you want us to delete, correct, or provide you a copy of any Personal Data we have, or you think we have about you, submit a request with your name, and physical and e-mail addresses to email@example.com together with a description of the changes you request (5). You may also make changes by writing to Forcepoint at:
Attention: Data Protection Officer
10900-A Stonelake Blvd., Quarry Oaks 1, Suite 350
Austin, TX 78759
Persons in the EU can contact Forcepoint International Technology Limited in Ireland (see Section 8 below).
We may require you to provide additional information about your request, including information that will enable us to process your request, as described in Section 7, below.
If we delete your information you will no longer be registered with us, you will not have access to services that are only available through registration and we will be unable to enforce your opt-out requests, if any (6). However, we will continue to send you services-related (non-marketing) communications in connection with the administration of your organization's account and products or services.
As noted above, even if you are not registered with us, we collect Website navigation and click-stream data, HTTP protocol elements, and search term data. This data is not identifiable to an individual, but is useful for optimizing Website experiences in general.
Please note, requests of customer employees who are seeking deletion, correction, or a copy of Personal Data the customer may have collected through use of Forcepoint products/services, will be forwarded to the customer as the “Data Controller”.
You may at any time go to our Communication Preference Center in order to elect not to receive marketing messages from Forcepoint or its business partners. You do not need to de-register to make this choice.
7. DATA ACCESS REQUEST DUE DILIGENCE
When we receive a request regarding Personal Data,we will undertake to confirm the authenticity of the requestor and, for requests received from third parties, the lawfulness of the request. Our due diligence process involves:
- All requestors will be asked to verify their identity by providing a copy of a government-issued ID, e.g., passport, immigration card, driver’s license, etc.
- For requests concerning data subjects other than the requestor, the requestor must provide evidence sufficient to verify the identity of the data subject, the reason it is believed that Forcepoint has the requested Personal Data, and evidence sufficient to verify that the third party is an authorized agent of the data subject (including a copy of the authorization).
All such evidence must be provided in a form that Forcepoint can retain for audit purposes. More information regarding the Forcepoint data access diligence can be found in the DPPM.
8. QUESTIONS, OBJECTIONS AND COMPLAINTS
We are responsible for our collection, use and disclosure of Personal Data in accordance with applicable data privacy laws, such as the GDPR.
Where we are relying on our legitimate interests to process, collect, use, or disclose of Personal Data (see section 4 above), the data subject has the right to object to such processing, collection, use, or disclosure of such Personal Data. To exercise their right to object, the person should contact us as specified above. We will consider the objection and we will comply with it unless we have a compelling legitimate ground as permitted by applicable law.
Forcepoint is committed to reply to any questions and resolve any complaints, including complaints regarding our collection, use or disclosure of an individual’s Personal Data. Anyone with such inquiries or complaints may contact Forcepoint as specified above.
EU persons may raise issues regarding Forcepoint processing of their data by contacting us using the contact methods provided in this policy. They may also raise issues with their local data protection authority or with the Data Protection Commission in Ireland, the country where Forcepoint’s main EU establishment is located. Forcepoint International Technology Limited (FITL), an Irish incorporated company, is a wholly-owned subsidiary of Forcepoint LLC, is the place of central administration for Forcepoint in the EU and as such is the “Main Establishment” for Forcepoint in the EU. FITL’s registered office is at Riverside One, Sir John Rogerson’s Quay, Dublin 2, Ireland.
9. CALIFORNIA COMPLIANCE
a. “SHINE THE LIGHT” LAW
We acknowledge that California’s “Shine the Light” law permits California residents to annually request and obtain information free of charge about what Personal Data is disclosed to third parties for direct marketing purposes in the preceding calendar year. Forcepoint does not, without your consent, distribute your Personal Data that it collects to outside parties for their direct marketing, or any other purpose, except as provided for in this Policy.
b. CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
The CCPA specifies the rights California residents have with respect to their Personal Data, as that term is defined in the CCPA. Subject to some exceptions specified in the law, the CCPA affords California residents the right to:
- Request to know the categories or specific pieces of their Personal Data that Forcepoint collects, uses, or shares. As noted above, Forcepoint does not sell Personal Data as defined in the CCPA.
- Request to delete the Personal Data Forcepoint collected about them.
To make a request regarding your rights under CCPA, you or your designated agent can contact us as specified in Section 4 or call us 1-800-723-1166. Your request must satisfy the due diligence standards set forth in Section 7.
We will not discriminate against you for exercising any of your CCPA rights.
10. PROTECTING YOUR INFORMATION
Forcepoint acknowledges your trust and is committed to protecting the personal data you provide to us. To prevent unauthorized access, maintain accuracy, and ensure proper use of such data, we employ appropriate physical, technical, and organizational security measures to seek to prevent unauthorised or unlawful processing of, or accidental loss, destruction or damage to your Personal Data.
Website users can help further protect their Personal Data by using a secure web browser and by changing any access passwords regularly. Please note that data transmission over the Internet is not 100% secure and any information disclosed online can potentially be collected and used other than by the intended recipient. Please be aware that, by posting information to the Technical Forum via the Website, you may be making this information available to the public. You should be careful not to reveal any sensitive or other personal details about yourself.
11. CHANGES TO THIS POLICY
We may revise this Policy from time to time as necessary to ensure it is accurate, complete and up-to-date. Notice of the revised policy will be provided by its posting to our Website. The revised version will indicate its effective date. Whenever you visit our Website we recommend you check the effective date to determine if the posted version has been changed since you last visited. Of course, if a newer version has been posted we encourage you to review it. Use of the Website indicates acceptance of the Policy.
12. OTHER LINKS
13. RETENTION OF PERSONAL DATA
Forcepoint will only keep Personal Data it collects, as long as necessary, for the purpose or purposes (i) for which it was collected; (ii) of performing or fulfilling contractual obligations; (iii) of complying with law; and/or (iv) of responding to legal actions.
14. MONITORING AND COMPLIANCE
We may monitor, store, review or disclose any information, including your Personal Data, obtained on or through the Website. Additionally, we may use IP addresses to identify a particular user if we believe it is needed to enforce compliance with these terms or to protect our company, employees, Website, or customers.
1 “Affiliates” consists of any and all entities directly or indirectly owned or controlled by Panther Parent Holdings L.P., including but not limited to, Forcepoint Oakly Systems, LLC, Forcepoint Federal Holdings LLC, Forcepoint Federal LLC, RedOwl Analytics, Inc., Forcepoint LLC
2 Please note that the DPPM is incorporated by reference in, and enforceable by the terms of, our agreements in place with the relevant Partners.
3 In addition to any other options you have with regard to our retention or use of your personal data (See Section 5 of this Policy), you are asked to opt in to this usage.
4 If you are a resident of the EU and your query relates to personal data that you have provided to us through an online employment application then you may also raise your query with the Data Protection Authority in your home country. The Forcepoint Data Protection Officer will provide contact information for the Data Protection Authority upon request.
6 You should know that you re-register each time you fill out a Website form requesting information about Forcepoint products and services, register for an event, etc.