Customer Protect Privacy Data Sheet

At Agari, we care about our customers’, employees’, and end-users’ privacy, and have implemented a series of processes, policies and measures to comply with the General Data Protection Regulation (“GDPR”). This Privacy Data Sheet describes the processing of personal data (or personally identifiable information) by Agari’s Enterprise Protect service, in the provision of such services to its enterprise customers.

When providing Agari’s services to customers, we are processing their staff’s personal data on behalf of such customers and are therefore acting as data processor. We have set up the following mechanisms, processes and policies, to comply with the GDPR:

Overview of Agari Customer Protect Capabilities

Agari automates phishing prevention, securing email more effectively than all other vendors combined. Unlike other vendors who lack automation features, Agari’s Easy SPF™, Hosted SPF, and Email Cloud Intelligence enable companies to organize and secure 3rd party senders quickly and accurately without risking email deliverability.

Agari has established detailed policies and procedures illustrating its data flows and its processing practices and we document any decision-making reasoning relating to personal data. This includes

  • Internal data protection policies, including details of:
    • Categories of processing carried out per controller
    • Applicable processing purposes
    • Data sharing and data retention practices
    • Security measures
  • Staff training
  • Annual internal audits of processing activities

The following paragraphs describe which personal data Customer Protect processes to deliver its services, the location of that data and how it is secured in accordance with privacy principles, laws and regulations.

1 Personal Data Processing

The table below list the personal data used by Customer Protect to carry out its services and describes why Agari processes those data.

Personal Data Purpose of Processing
Customer contact info for product admins and users Creating an account
– Data collected are for product enablement, product use notifications, training, and support only
Email Friendly From Header* Message Failure Sample
– Data used to determine the source of the inauthentic message
Email Subject* Message Failure Sample
– Data used to determine the purpose of the inauthentic message.

* These data are derived from DMARC RUF “Failure Samples.” Customers can disable DMARC RUF reporting at their own discretion and still derive the value Customer Protect provides.

2 Cross Border Transfers

When a new customer purchases a subscription to Agari Customer Protect, that customer’s information (both the data relating to the customer’s employees who are in contact with Agari to procure and administer the products on behalf of customers and the data processed through Agari’s provision of its services to customers) is always created, processed, and stored in North America.

Agari Customer Protect is hosted at Amazon Web Service’s US-West 2 (OR) Cloud Region and is deployed in an active-active manner across 3 separate Availability Zones. For information regarding AWS compliance/certification please refer to documentation online at https://aws.amazon.com/compliance/. Certifications and SOC reports are listed on this webpage and corresponding links under “Assurance Programs”.

For information regarding GDPR impacts to cross border data transfers, please see the section on GDPR.

3 Access Control

Personal Data Who has Access Purpose of Access
Customer contact info for product admins and users Customers Granting and managing access to their own account.
Customer contact info for product admins and users Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Creating an account and validating license entitlements and general product support and operations
Email message header data Customers Security administration and operations
Email message header data Agari Employees – Sales Administration, Licensing Operations, Engineering and Support staff only Providing general product support and operations

4 Data Retention

Customer Account Data

Customer account data are retained for as long as they are an active Agari CP customer. In the event that a customer terminates their subscription, Agari will retain such Customer Account Data until customer requests in writing that Agari remove all stored contact information, including potential PII, from all instances of Agari product and customer relationship management platforms, or, if earlier, for a period of 30 days following termination of the Customer subscription.

Email Message Meta-Data

Customer email message metadata is retained for 14 days and then deleted according to then current Amazon Web Services best practices for data deletion.

5 Personal Data Security

Agari has governance measures in place, and has built its processing practices around the principles of data protection by design and by default. This includes: data minimization, pseudonymization (where possible), allowing end-users to monitor the processing, and enhanced and up-to-date security features, such as encryption, confidentiality, integrity, and resilience of processing systems and ability to restore personal data in a timely manner in the event of an incident. Agari’s technical and organizational measures and risk mitigation plans are audited, tested and re-evaluated on an annual basis, to ensure the appropriateness of its systems, networks and business practices on an ongoing basis. Agari has disaster recovery procedures set up to restore personal data in case of any security incident.

Personal Data Type of Encryption*
Customer contact info for product admins and users Encrypted in transit and at rest
Email failure sample data Encrypted in transit, not encrypted at rest

* Encryption is provided using then current best practices as defined by Amazon Web Services

Agari will notify its customers without undue delay after learning of a data breach, if required by law, and has mechanisms by which it can detect and report data breaches.

6 Third Party Service Providers

Agari’s agreements with its sub-processors reflect the obligations and commitments it has and makes to its customers.  Agari conducts prior due diligence on sub-processors before contracting with them.

Agari utilizes third party cloud hosting provider Amazon Web Services (AWS) to provide a highly secure and reliable cloud platform. Agari’s service is hosted within the AWS North America Region. For information regarding AWS compliance/certification please refer to documentation online at https://aws.amazon.com/compliance.

Agari utilizes Pendo (www.pendo.io) Product Analytics to enhance the usability of our products. Although Pendo’s cloud service has no access to our customers’ data, it can see the usernames (email addresses) of our customer users who have access to our web applications. Pendo’s data centers are US based and their GDPR Process and Approach is available online.


AWS SOC reports can be requested through a Business Development representative if they are not publicly available for download.

7 GDPR (General Data Protection Regulation)

Agari’s relationship with controllers

In providing the Agari services, Agari only processes personal data upon the documented instructions of its customers. To that end, Agari has template data processing agreements ready for use with its customers, which include the following provisions:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and category of data subject in question
  • Obligations and rights of our customers (as data controllers)

Agari imposes confidentiality obligations on its authorized personnel who process the personal data. Agari has implemented measures to assist its customers in complying with data subjects’ rights and requests.

Data Transfers to countries outside the EEA

We share data both with our affiliated companies within the Agari group and certain external third parties who are based outside the European Economic Area (“EEA”). Any such processing will involve an export of data outside of the EEA. We endeavor to ensure that people to whom we provide personal data hold it subject to appropriate safeguards and controls. Whenever we transfer our customers’ employees’ personal data out of the EEA to countries that have not been deemed to provide an adequate level of protection for personal data by the European Commission, we ensure a similar degree of protection is afforded to it by implementing the following safeguards:

For example, our cloud storage provider is Amazon Web Services, and we have entered into GDPR-compliant data processing terms, which incorporate by reference Model Contractual Clauses.

Based on Agari’s understanding of GDPR, in consultation with other large, multinational organizations doing business in the EU, data containing personally identifiable information (PII) as defined by GDPR, including email addresses of individuals, may lawfully transfer and reside outside of the EU boundary for the purposes of processing such data to legitimately protect their organizations from cyber-attacks.

It is Agari’s belief and assumption that it currently meets all applicable data protection requirements as laid out by GDPR for the purposes of cross border transfers of information.

For further information on Agari’s data protection practices, please contact privacy@agari.com.