Last Updated: March 23, 2021

At Agari, we care about our customers’, employees’, and end-users’ privacy, and have implemented a series of processes, policies and measures to comply with the General Data Protection Regulation (“GDPR”). This Privacy Data Sheet describes the processing of personal data (or personally identifiable information) by Agari’s Brand Protection service, in the provision of such services to its enterprise customers.

When providing Agari’s services to customers, we are processing their staff’s personal data on behalf of such customers and are therefore acting as data processor. We have set up the following mechanisms, processes and policies, to comply with the GDPR:

Overview of Agari Brand Protection Capabilities

Agari automates phishing prevention, securing email more effectively than all other vendors combined. Unlike other vendors who lack automation features, Agari’s Easy SPF™, Hosted SPF, and Email Cloud Intelligence enable companies to organize and secure 3rd party senders quickly and accurately without risking email deliverability.

Agari has established detailed policies and procedures illustrating its data flows and its processing practices and we document any decision-making reasoning relating to personal data. This includes:

  • Internal data protection policies, including details of:
    • Categories of processing carried out per controller
    • Applicable processing purposes
    • Data sharing and data retention practices
    • Security measures
  • Staff training
  • Annual internal audits of processing activities

The following paragraphs describe which personal data Agari Brand Protection processes to deliver its services, the location of that data and how it is secured in accordance with privacy principles, laws and regulations.

1 Personal Data Processing for Brand Protection

Agari Brand Protection™

The table below lists the personal data used by Agari Brand Protection to carry out its services and describes why Agari processes those data.

Personal Data Category Types of Personal Data Purpose of Processing
Registration Information
  • Name
  • Address
  • Email address
  • User ID
  • Product administration: Creating an account, validating license entitlements, general product support and administration
  • Product notifications
  • Product training
Email Header Data (RUF Failure Samples)*
  • Email From address
  • Email To address
  • Email subject
  • Uniform Resource Identifier (URI)
Message Failure Sample

  • Data used to determine the source of the inauthentic message
Sender IP
  • IP address of sending mail server
  • Identify legitimate and illegitimate sources of email

* The Email Header Data listed in this table is derived from DMARC authentication failure samples (“RUF Failure Samples”) which typically originate from third party emails not generated by a customer. However, on rare occasions an email generated by the customer could fail DMARC authentication. In such cases, Brand Protection would receive that DMARC failure sample from the applicable email service provider. This data is deleted in accordance with Section 5. Customers can disable the DMARC authentication failure reporting (opt-out) at their own discretion and still derive the value Brand Protection provides.

Customer Gateway Service Reporting (Optional Configuration)

Customer has the option to send numerical summaries about messages which have been processed and appear to come from Customer’s domains (“RUA Data”) or messages failing email authentication (“RUF Failure Samples”) directly to Agari to enhance the Brand Protection Service. If a Customer chooses to share RUF Failure Samples directly with Agari, such a configuration may transfer Customer PII within RUF Failure Samples to Agari which Agari shall manage in accordance with this Privacy Data Sheet.

Customer Support Data

Agari may receive and process PII that is provided by an Agari customer when they make a support request to Agari (“Customer Support Data”). Agari only processes this data to assist the customer in resolving the issue and to improve Agari’s services and customer support function.

Outside of the necessary requester contact information, Agari does not intentionally collect or process PII via a customer support request. Agari instructs customers to provide the minimum amount of personal data necessary to adequately provide the support request. Nonetheless, a customer may provide unsolicited personal data in the request or supporting attachments.

Personal Data Purpose of Processing
Customer Support Data

The below is representative though not exhaustive list of the information a customer may provide to Agari in a support request that may contain PII: name, email address, phone number of employee making request, authentication information (not including passwords), information regarding support issue, software and/or hardware configuration files provided to enable support request, error-tracking files

  • Provide customer support
  • Review and improve the quality of customer support service
  • Improve Agari Services
Customer Support Case Attachment

The below is representative though not exhaustive list of the information a customer may provide to Agari in a support request that may contain PII: device configuration, command line interface , product identification numbers, serial numbers, host names, sysDescr (has device location), IP addresses, operating system (OS) feature sets, OS software version, browser type and version, hardware version, installed memory, installed flash, boot versions, MAC address

  • Provide customer support
  • Review and improve the quality of customer support service
  • Improve Agari Services

2 Personal Data Processing for Optional Inbound DMARC Feature Only

Inbound DMARC is an optional feature of Brand Protection that provides DMARC visibility to inbound email for domains owned by the Customer via the use of a sensor. Inbound DMARC requires additional configuration and be must be proactively enabled by Agari and the Customer in the Brand Protection configuration settings (e.g. opt-in). If enabled, a Customer can subsequently choose to disable this feature at any time.

To enable Inbound DMARC, a data sensor must be implemented. The Inbound DMARC sensor is available in an on-premises deployment model (the “On-Premises Sensor”) or a hosted deployment model where the sensor is hosted by Agari (the “Hosted Sensor”).

Customers configure their Secure Email Gateway to copy all incoming messages to a sensor. The sensor component receives the Email Metadata (defined in the chart below) and the full email message including the body and any attachments present (“Email Content”). The sensor extracts the Email Header Data (Inbound DMARC) (defined in the chart below) and forwards this data into the Agari Inbound DMARC pipeline, and then deletes the message. The Email Header Data (Inbound DMARC) is then aggregated and displayed within the Agari BP portal on a daily basis.

Hosted Sensors

Agari Hosted Sensors are provisioned in a dedicated and separate Amazon Web Services account. Hosted Sensors are not “multi-tenant.” Each customer gets their own Virtual Private Cloud (VPC), their own Elastic Load Balancer (ELB), and their own EC2 Autoscale Group (ASG). The underlying AWS IaaS is multi-tenant. Agari engineers cannot access the Hosted Sensor EC2 instances using the root account, and only a subset of Agari engineers have access to the Hosted Sensor environment. All Hosted Sensor actions are logged locally and can be reviewed with the customer. This includes evidence that each message is deleted post-processing.

On-Premises Sensors

An On-Premises Sensor is deployed exclusively in the customer’s system environment. Customers have complete control over the On-Premises Sensor including full “root” level access to the operating system and host application. Agari employees cannot access an On-Premises Sensor without the permission of the customer.

The table below lists the additional personal data processed by Agari from the Customer for the Inbound DMARC feature. For clarity, if Customer uses an On-Premises Sensor, Agari does not collect the Email Metadata or Email Message Content data listed in the table below, and in that scenario the processing occurs on the Customer premises where the On-Premises Sensor is located.

Personal Data Category Types of Personal Data Purpose of Processing
Email Header Data (Inbound DMARC) and Sender IP
  • Email From header
  • Email "rept to" header
  • Email To header
  • Email subject
  • Sender IP
Identify emails that are applicable for analysis by the Inbound DMARC feature
Email Metadata
  • Attachment file name
  • Attachment file format and presence of macros/malicious code
  • Attachment Hash (e.g. encrypted MDS or SHA1 format)
  • Uniform Resource Identifier (URI)
This data is not required by Inbound DMARC but is incidentally processed by the sensor. However, if the customer is utilizing the On-Premises Sensor, this processing occurs on the customer’s premises and the data is not collected by Agari.
Email Message Content
  • Personal data, if any, included in email message including attachments
This data is not used by Inbound DMARC but is incidentally processed by the sensor due to the configuration of the Hosted Sensor. However, if the customer is utilizing the On-Premises Sensor, this processing occurs on the customer’s premises and the data is not collected by Agari.

3 Cross Border Transfers

When a new customer purchases a subscription to Agari Brand Protection, that customer’s information (both the data relating to the customer’s employees who are in contact with Agari to procure and administer the products on behalf of customers and the data processed through Agari’s provision of its services to customers) is always created, processed, and stored in North America.

Agari Brand Protection is hosted at Amazon Web Service’s US-West 2 (OR) Cloud Region and is deployed in an active-active manner across 3 separate Availability Zones. For information regarding AWS compliance/certification please refer to documentation online at https://aws.amazon.com/compliance/. Certifications and SOC reports are listed on this webpage and corresponding links under “Assurance Programs”.

For information regarding GDPR impacts to cross border data transfers, please see the section on GDPR.

4 Access Control

Personal Data Who has Access Purpose of Access
Registration Information Customer Granting and managing access to their own Agari Brand Protection account
Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Creating an account and validating license entitlements and general product support and operations
Email Header Data (RUF Failure Samples)

Email Header Data (Inbound DMARC) and Sender IP

Customer Security administration and operations
Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Providing general product support and operations
Email Metadata (for Hosted Sensor Deployment with Inbound DMARC only) Agari Employees– Sales Administration, Licensing Operations, Engineering and Support staff only Incidentally processed by Hosted Sensor and not retained.
Email Message Content (for Hosted Sensor Deployment with Inbound DMARC only) Agari Employees - Sales Administration, Licensing Operations, Engineering and Support staff only Incidentally processed by Hosted Sensor and not retained.
Customer Support Data Customer Submitting customer support requests
Agari Employees - Sales Administration, Licensing Operations, Engineering and Support staff only Providing customer support

5 Data Retention

Registration Information - Registration Information is retained for as long as the customer is an active Agari Brand Protection customer. In the event that a customer terminates their subscription, Agari will retain such Registration Information until customer requests in writing that Agari remove all stored contact information, including potential PII, from all instances of Agari product and customer relationship management platforms, or, if earlier, for a period of 30 days following termination of the Customer subscription.

Email Header Data (RUF Failure Samples) - Email Header Data (RUF Failure Samples) is retained for 14 days and then deleted according to the current Amazon Web Services best practices for data deletion.

Sender IP - Sender IP data derived from Agari Brand Protection listed in Section 1 above is retained by Agari for three years. Sender IP data derived from the Inbound DMARC in Section 2 above is retained for 13 months and then deleted according to the current Amazon Web Services best practices for data deletion.

Customer Support Data – Customer Support Data is retained for as long as the customer is an active Agari Brand Protection customer. In the event a customer terminates their subscription, Agari will retain Customer Support Data until the customer requests in writing that Agari remove all Customer Support Data, including potential PII from Agari systems and third party customer support platforms, or, if earlier, within a period of 30 days following termination of the Customer subscription. Agari retains related support data as necessary to ensure support of recurring issues and to comply with audit policies related to business records of services provided to customers.

Email Header Data (Inbound DMARC Only) - Customer Email Header Data from Inbound DMARC is retained for scoring and reporting purposes and is expired out of Agari’s “active” data stores after 60 days. In the event that a customer terminates its subscription, Customer can request in writing that Agari remove all stored Email Header Data from all instances of Agari’s application and backup systems, failing this, Agari effect such removal within 30 days following termination of the Customer subscription.

Email Metadata and Email Message Content (Inbound DMARC Only) - Email Metadata and Email Message Content are never stored by Agari and are only retained in the Hosted Sensor during the processing period.

6 Personal Data Security

Agari has governance measures in place, and has built its processing practices around the principles of data protection by design and by default. This includes: data minimization, pseudonymization (where possible), allowing end-users to monitor the processing, and enhanced and up-to-date security features, such as encryption, confidentiality, integrity, and resilience of processing systems and ability to restore personal data in a timely manner in the event of an incident. Agari’s technical and organizational measures and risk mitigation plans are audited, tested and re-evaluated on an annual basis, to ensure the appropriateness of its systems, networks and business practices on an ongoing basis. Agari has disaster recovery procedures set up to restore personal data in case of any security incident. Agari will notify its customers without undue delay after learning of a data breach, if required by law, and has mechanisms by which it can detect and report data breaches.

Personal Data Type of Encryption
Registration Information Encrypted in transit (TLS) and encrypted at rest (AES 256)*
Email Header Data (RUF Failure Samples)
Email Header Data (Inbound DMARC Only)
Sender IP
Encrypted in transit (TLS) and encrypted at rest (AES 256)*
Email Metadata (for Hosted Sensor Deployment with Inbound DMARC Only) Encrypted in transit (TLS). This data is not retained by Agari and thus does not come to rest so encryption at rest is not applicable.
Email Message Content (for Hosted Sensor Deployment with Inbound DMARC Only) Encrypted in transit (TLS). This data is not retained by Agari and thus does not come to rest so encryption at rest is not applicable.
Customer Support Data Encrypted in transit (TLS) and encrypted at rest (AES 256)*

* Encryption is provided using then current best practices as defined by Amazon Web Services.

7 Third Party Service Providers

Agari’s agreements with its sub-processors reflect the obligations and commitments it has and makes to its customers. Agari conducts prior due diligence on sub-processors before contracting with them.

Agari utilizes third party service providers that provide Agari with various data feeds used to enhance the service, including its spoofing detection capabilities.

The below table lists Agari’s third party sub-processors that may process Customer personal information.

Sub-processor Potential Customer Data Processed Purpose of Processing Data Center Location Link to Security/Privacy Program
Amazon Web Services Any Customer Data provided to Agari Data Center for all Services North America https://aws.amazon.com/compliance
Datadog Customer contact information Product Logging, Monitoring and Performance Platform United States https://www.datadoghq.com/security/
Sentry Customer contact information Product Performance Logging, Monitoring and Analytics United States https://sentry.io/security/
Pendo Customer email addresses Product Usage and Feedback United States https://www.pendo.io/data-privacy-security/
Salesforce Customer contact information Customer Relationship Management (CRM) United States https://trust.salesforce.com/en/
ZenDesk Customer contact information Support Ticket Platform United States https://www.zendesk.com/company/privacy-and-data-protection/
Microsoft Office365 Customer contact information Support Ticket processing and communication United States https://www.microsoft.com/en-us/trust-center/privacy
Slack Customer contact information Support Ticket processing and communication United States https://slack.com/trust
Gainsight Customer contact information Customer Success platform United States https://www.gainsight.com/security/

https://www.gainsight.com/policy/

MailChimp Customer email addresses Product communication United States https://mailchimp.com/about/security/
Sparkpost Customer email addresses Product communication United States https://www.sparkpost.com/policies/security/

cp privacy datasheet

AWS SOC reports can be requested through a Business Development representative if they are not publicly available for download

8 GDPR (General Data Protection Regulation)

Agari’s relationship with controllers

In providing the Agari services, Agari only processes personal data upon the documented instructions of its customers. To that end, Agari has template data processing agreements ready for use with its customers, which include the following provisions:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and category of data subject in question
  • Obligations and rights of our customers (as data controllers)

Agari imposes confidentiality obligations on its authorized personnel who process the personal data. Agari has implemented measures to assist its customers in complying with data subjects’ rights and requests.

Data Transfers to countries outside the EEA

We share data both with our affiliated companies within the Agari group and certain external third parties who are based outside the European Economic Area (“EEA”). Any such processing will involve an export of data outside of the EEA. We endeavor to ensure that people to whom we provide personal data hold it subject to appropriate safeguards and controls. Whenever we transfer our customers’ employees’ personal data out of the EEA to countries that have not been deemed to provide an adequate level of protection for personal data by the European Commission, we ensure a similar degree of protection is afforded to it by implementing the following safeguards:

For example, our cloud storage provider is Amazon Web Services, and we have entered into GDPR-compliant data processing terms, which incorporate by reference Model Contractual Clauses.

Based on Agari’s understanding of GDPR, in consultation with other large, multinational organizations doing business in the EU, data containing personally identifiable information (PII) as defined by GDPR, including email addresses of individuals, may lawfully transfer and reside outside of the EU boundary for the purposes of processing such data to legitimately protect their organizations from cyber-attacks.

It is Agari’s belief and assumption that it currently meets all applicable data protection requirements as laid out by GDPR for the purposes of cross border transfers of information.

For further information on Agari’s data protection practices, please contact privacy@agari.com.