Last Updated: September 24, 2020

At Agari, we care about our customers’, employees’, and end-users’ privacy, and have implemented a series of processes, policies, and measures to comply with the General Data Protection Regulation (GDPR). This Privacy Data Sheet describes the processing of personal data (or personally identifiable information) by Agari’s Phishing Defense service in the provision of such services to its enterprise customers.

When providing Agari’s services to customers, we are processing their staff’s personal data on behalf of such customers and are therefore acting as data processor. We have set up the following mechanisms, processes and policies, to comply with the GDPR:

Overview of Agari Phishing Defense™ Capabilities

Agari Phishing Defense provides unprecedented insight into and control over the email traffic coming into your enterprise. Powered by Trust Analytics – Agari’s unique machine learning techniques based on historical email traffic to your organization – Agari Phishing Defense models the unique behavior of all legitimate email senders and allows you to quickly distinguish good messages from potentially bad messages. Coupled with Trust Analytics, Agari’s platform of data built from analyzing billions of email messages worldwide, Agari Phishing Defense provides you a risk overview and a control point for all messages into your organization and the senders of those messages.

Risky messages – such as phishing attempts or business email compromise (BEC) messages that may contain malicious payload or questionable links – are delineated from known good messages.

Agari Phishing Defense complements traditional secure email gateway (SEG) solutions by blocking the spear phishing, targeted, low volume, and zero-day attacks that typically are the weaknesses of traditional, reactive SEG security “layers".Agari has established detailed policies and procedures illustrating its data flows and processing practices and we document any decision-making reasoning relating to personal data. This includes:

  • Internal data protection policies, including details of:
    • Categories of processing carried out per controller
    • Applicable processing purposes
    • Data sharing and data retention practices
    • Security measures)
  • Staff training
  • Annual internal audits of processing activities

The following paragraphs describe which personal data Agari Phishing Defense processes to deliver its services, the location of that data and how it is secured in accordance with privacy principles, laws and regulations.

1 Personal Data Processing

Agari Phishing Defense™
The table below lists the personal data used by Agari Phishing Defense to carry out its services and describes why Agari processes such data.

Personal Data Purpose of Processing
Customer contact info for product admins and users Creating an account
– Data collected are for customer product enablement, product use notifications, customer training and customer support only
Email “mail from” header Message scoring
– Data used to determine the authenticity and reputation of the underlying identify assertion
Email Friendly From Header Message scoring
– Data used to determine the authenticity and reputation of the underlying identify assertion
Email “rcpt to” header/Email Friendly To header Message scoring
– Data used to determine the authenticity and reputation of the underlying identify assertion
Email Subject Message Scoring
– Data used to assist in message identification, these data can be suppressed at the customer’s discretion.
Email Attachment Filename1 Message Scoring
– Data used to assist in message identification and threat classification, these data can be suppressed at the customer’s discretion.
Uniform Resource Identifier (URI)2 Message Scoring
– Data used to assist in message identification and threat classification, these data can be suppressed at the customer’s discretion.
Email Attachment Metadata (file format and presence of macros/malicious code)1 Message Scoring
— Data used to determine the authenticity and reputation of the underlying identity assertion, these data can be suppressed at the customer’s discretion.
Email Attachment Hash (e.g. encrypted MDS or SHA1 format)1 Message Scoring
— Data used to determine the authenticity and reputation of the underlying identity assertion, these data can be suppressed at the customer’s discretion.

1 If attachment analysis is enabled

2 If URI analysis is enabled

Customer Support Data
Agari may receive and process PII that is provided by an Agari customer when they make a support request to Agari (“Customer Support Data”). Agari only processes this data to assist the customer in resolving the issue and to improve Agari’s services and customer support function.
Outside of the necessary requester contact information, Agari does not intentionally collect or process PII via a customer support request. Agari instructs customers to provide the minimum amount of personal data necessary to adequately provide the support request. Nonetheless, a customer may provide unsolicited personal data in the request or supporting attachments.

Personal Data Purpose of Processing
Customer Support Data
The below is representative though not exhaustive list of the information a customer may provide to Agari in a support request that may contain PII: name, email address, phone number of employee making request, authentication information (not including passwords), information regarding support issue, software and/or hardware configuration files provided to enable support request, error-tracking files)
  • Provide customer support
  • Review and improve the quality of customer support service
  • Improve Agari Services
Customer Support Case Attachment
The below is representative though not exhaustive list of the information a customer may provide to Agari in a support request that may contain PII: device configuration, command line interface , product identification numbers, serial numbers, host names, sysDescr (has device location), IP addresses, operating system (OS) feature sets, OS software version, browser type and version, hardware version, installed memory, installed flash, boot versions, MAC address
  • Provide customer support
  • Review and improve the quality of customer support service
  • Improve Agari Services

2 Cross Border Transfers

When a new customer purchases a subscription to Agari Phishing Defense, that customer’s information (both the data relating to the customer’s employees who are in contact with Agari to procure and administer the products on behalf of customers and the data processed through Agari’s provision of its services to customers) is always created, processed, and stored in North America.

Agari Phishing Defense is hosted at Amazon Web Service’s US-West 2 (OR) Cloud Region and is deployed in an active-active manner across 3 separate Availability Zones. For information regarding AWS compliance/certification please refer to documentation online at https://aws.amazon.com/compliance. Certifications and SOC reports are listed on this webpage and corresponding links under “Assurance Programs”.

For information regarding GDPR impacts to cross border data transfers, please see the section on GDPR.

3 Access Control

Personal Data Who has Access Purpose of Access
Customer contact info for product admins and users Customers Granting and managing access to their own Agari Phishing Defense account.
Customer contact info for product admins and users Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Creating an account and validating license entitlements and general product support and operations
Email message header data, attachment file names, and URIs Customers Security administration and operations
Email message header data, attachment file names, and URIs Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Providing message trust scores and general product support and operations
Customer Support Data Customers Submitting customer support requests
Customer Support Data Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Providing customer support

4 Data Retention

Customer Account Data -

Customer account data is retained for as long as customer is an active Agari Phishing Defense customer. In the event that a customer terminates its subscription, Agari will retain such Customer Account Data until customer requests in writing that Agari removes all stored contact information, including potential PII, from all instances of Agari’s product and customer relationship management platforms.

Email Message Meta-Data -
Customer email message metadata is retained for scoring and reporting purposes and is expired out of Agari’s “active” data stores after 60 days. In the event that a customer terminates its subscription, customer can request in writing that Agari removes all stored email message data from all instances of Agari’s application and backup systems, failing this, Agari effect such removal within 30 days following termination of the Customer subscription.

Customer Support Data –
Customer Support Data is retained for as long as the customer is an active Agari Brand Protection customer. In the event a customer terminates their subscription, Agari will retain Customer Support Data until the customer requests in writing that Agari remove all Customer Support Data, including potential PII from Agari systems and third party customer support platforms, or, if earlier, within a period of 30 days following termination of the Customer subscription. Agari retains related support data as necessary to ensure support of recurring issues and to comply with audit policies related to business records of services provided to customers.

5 Personal Data Security

Agari has governance measures in place, and has built its processing practices around the principles of data protection by design and by default. This includes: data minimization, pseudonymization (where possible), allowing end-users to monitor the processing, and enhanced and up-to-date security features, such as encryption, confidentiality, integrity, resilience of processing systems, and ability to restore personal data in a timely manner in the event of an incident. Agari’s technical and organizational measures and risk mitigation plans are audited, tested and re-evaluated on an annual basis to ensure the appropriateness of its systems, networks, and business practices on an ongoing basis. Agari has disaster recovery procedures set up to restore personal data in case of any security incident.

Personal Data Type of Encryption
Customer contact info for product admins and users Encrypted in transit and encrypted at rest.*
Email message headers, attachment filenames, and URIs* Encrypted in transit and encrypted at rest.*
Customer Support Data Encrypted in transit and encrypted at rest.*

* Encryption is provided using then current best practices as defined by Amazon Web Services
Agari will notify its customers without undue delay after learning of a data breach, if required by law, and has mechanisms by which it can detect and report data breaches.

6 Agari Phishing Defense data ingest process

Agari Phishing Defense provides unprecedented insight into the traffic coming into your enterprise. To realize this value, customers configure their Secure Email Gateways to copy all incoming messages to the Agari Phishing Defense sensor. The sensor component receives the full email message including the body and any attachments present. The sensor extracts the metadata (email headers), attachment filenames, and URIs, forwards these into the Agari Phishing Defense pipeline, and then deletes the message. The sensor can be hosted either on Customer premises (within the customer enterprise’s internal network) or by Agari (hosted sensors).
On Premises
Customers have complete control over the sensor including full “root” level access to the operating system and host application. Agari employees cannot access an on premises sensor without the permission of the customer.
Hosted Sensors
Agari Phishing Defense hosted sensors are provisioned in a dedicated and separate Amazon Web Services account. Hosted sensors are not “multi-tenant.” Each customer gets their own Virtual Private Cloud (VPC), their own Elastic Load Balancer (ELB), and their own EC2 Autoscale Group (ASG). The underlying AWS IaaS is multi-tenant. Agari engineers cannot access the hosted sensor EC2 instances using the root account, and only a subset of Agari engineers have access to the hosted sensor environment. All hosted sensor actions are logged locally and can be reviewed with the customer. This includes evidence that each message is deleted post-processing.

Personal Data Type of Encryption
Email message While being processed by an Agari hosted sensor, message level data is encrypted both in transit and, if temporarily persisted, at rest using encrypted Elastic Block Storage (EBS) volumes.

7 Third Party Service Providers

Agari’s agreements with its sub-processors reflect the obligations and commitments it has and makes to its customers. Agari conducts prior due diligence on sub-processors before contracting with them.

Agari utilizes third party cloud hosting provider Amazon Web Services (AWS) to provide a highly secure and reliable cloud platform. Agari’s service is hosted within the AWS North America Region. For information regarding AWS compliance/certification please refer to documentation online at https://aws.amazon.com/compliance.

Agari utilizes Pendo (www.pendo.io) Product Analytics to enhance the usability of our products. Although Pendo’s cloud service has no access to our customers’ data, it can see the usernames (email addresses) of our customer users who have access to our web applications. Pendo’s data centers are US based and their GDPR Process and Approach is available online.

Agari utilizes ZenDesk (www.zendesk.com) as its customer support platform. ZenDesk has access to Agari Customer Support Data solely in its role as Agari’s customer support platform. ZenDesk’s data centers are U.S. based. For more information regarding ZenDesk’s security and privacy program, visit https://www.zendesk.com/company/privacy-and-data-protection/.

Agari utilizes Salesforce (www.salesforce.com) for customer relationship management (“CRM”). Salesforce has access to Customer contact info for product admins and users and Customer Support Data solely in its role as Agari’s CRM provider. Salesforce’s data centers are U.S. based. For more information regarding Salesforce’s security and privacy program, visit https://trust.salesforce.com/en/.

Agari utilizes Gainsight (www.gainsight.com) as a customer success SaaS platform to improve customer satisfaction. Gainsight has access to Customer contact info for product admins and users and Customer Support Data solely in its role as an Agari customer success solution provider. Gainsight’s data centers are U.S. based. For more information regarding Gainsight’s security and privacy program, visit https://www.gainsight.com/security/ and https://www.gainsight.com/policy/.

cp privacy datasheet

AWS SOC reports can be requested through a Business Development representative if they are not publicly available for download.

8 GDPR (General Data Protection Regulation)

Agari’s relationship with controllers

In providing the Agari services, Agari only processes personal data upon the documented instructions of its customers. To that end, Agari has template data processing agreements ready for use with its customers, which include the following provisions:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and category of data subject in question
  • Obligations and rights of our customers (as data controllers).

Agari imposes confidentiality obligations on its authorized personnel who process the personal data. Agari has implemented measures to assist its customers in complying with data subjects’ rights and requests.

Data Transfers to countries outside the EEA

We share data both with our affiliated companies within the Agari group and certain external third parties who are based outside the European Economic Area (“EEA”). Any such processing will involve an export of data outside of the EEA. We endeavor to ensure that people to whom we provide personal data hold it subject to appropriate safeguards and controls. Whenever we transfer our customers’ employees’ personal data out of the EEA to countries that have not been deemed to provide an adequate level of protection for personal data by the European Commission, we ensure a similar degree of protection is afforded to it by implementing the following safeguards:

For example, our cloud storage provider is Amazon Web Services and we have entered into GDPR-compliant data processing terms, which incorporate by reference Model Contractual Clauses.

Based on Agari’s understanding of GDPR, in consultation with other large, multinational organizations doing business in the EU, data containing personal data as defined by GDPR, including email addresses of individuals, may lawfully be transferred and reside outside the EEA for the purposes of processing such data to legitimately protect their organizations from cyberattacks.

It is Agari’s belief and assumption that it meets all current applicable data protection requirements as laid out by the GDPR for the purposes of cross border transfers of personal data.

For further information on Agari’s data protection practices, please contact privacy@agari.com.