CyberArk privacy and data protection customer FAQs

For all of our SaaS services we may process our customers’ personnel names, job titles, email addresses, mobile number (if necessary to access the service), IP-based location, account names, group membership, CyberArk credentials, computer name, device information, service activity (such as connection status, IP address) and a list of their privileges. We can process additional application information or attributes where customers configure the services or create policies for specific purposes involving the processing of personal data. We may use this information to validate that those personnel are who they say they are when raising a support ticket with CyberArk.

For services relying on CyberArk Identity to access our other services or to verify the identity of their employees (Workforce Identity) or customers (Customer Identity), CyberArk may collect and process the following information in addition to the above:

  • Personal data provided by customers: company country, zip code, address and organization IP address, office phone number.
  • Personal data provided by or collected from users: profile photo (optional, to display on the user interface of the Identity portal or App); phone number (optional, if SMS/phone calls have been chosen by your company as a factor for Multi-Factor Authentication).   The service may also collect additional user and device attributes, if configured by the customers to be collected. Examples include mobile number, other email or security questions, among others that may either be set up by the user, or are synchronized into the service from other services by the customer.

To provide customer support, we may also need to access logs. By default, we do not access any other personal data than the above. If we are required to access any additional customer data, for example to provide support services, a controlled process is in place to obtain temporary access.

A limited number of our services may process additional personal data. Please expand the relevant CyberArk service at the bottom of this page to see the additional personal data processed by specific services.

Where configured by customers to do so, some of our services can be used to manage third party credentials and keys, including for integration purposes with third party services. Our services do not have any inbuilt functionality that gives or allows CyberArk to access any customer data or system remotely other than the information described above.

CyberArk Mobile does not access any additional personal data. Users will be asked to provide permission for the app to access the smartphone Camera, Photo Library, or (for CyberArk Identity Secure Web Sessions) pedometer data. This enables the user to upload a profile picture (if required), to scan a QR code for login purposes, or for CyberArk Identity Secure Web Sessions pedometer tracking for awareness of movement. We will not use this permission for any other purpose.

All the biometric data is processed and stored locally on the user’s smartphone. CyberArk will not have access to that biometric data, neither can we grant such access to the user’s employer. When the CyberArk Mobile app requests to biometrically authenticate a user, it asks the mobile device to verify whether the authorized person is holding the phone, and the device checks against the locally-stored biometric data. No user biometric data are stored by CyberArk or within the SaaS environment; that data is kept locally and natively on the respective user’s smartphone.

Please see Annex 3 for information about the CyberArk Identity app.

CyberArk acts as Data Processor, and the customer acts as a Data Controller, in respect to personal data processed in the context of providing the CyberArk services. CyberArk will only process personal data (as set out above) for the purposes of providing the services to the customer and will act on the customer’s instructions. In addition, CyberArk acts as a Data Controller for data which it processes for its own purposes, such as data about our own internal employees, and marketing data related to our prospective customers. This is outside the scope of purchases made by customers and is processed independently of any data processed as part of the provision of our services.

CyberArk currently maintains datacentres in various regions, to enable customers to nominate a region of their choice in which customer data will be hosted. Depending on the CyberArk service subscribed to the list of available regions may differ. In the absence of a request for a specific datacentre, your default region will be based on your account’s billing address.

In order to provide a global service, we may transfer data required to provide 24×7 Maintenance and Support, administer our management system including internal integrations and Disaster Recovery, as necessary. We rely on “appropriate safeguards” for the transfer of personal data between regions by CyberArk, for example the European Commission’s standard contractual clauses, adequacy decisions such as the adequacy decision adopted by the EU Commission for the EU-US Data Privacy Framework and/or our Vendor’s BCRs. We also take into account the guidance from data protection authorities on these transfer mechanisms such as the EDPB guidance on safeguards granted by the EU-US Data Privacy Framework when using other data transfer mechanisms such as the standard contractual clauses.

In line with market practice, we provide a list of sub-processors on our Privacy Center (www.cyberark.com/privacy-center). Customers can subscribe to alerts to be notified of any change to this list. We use a variety of sub-processors to help host and deliver our services. The geographic location of those sub-processors or their datacenters that we use are set out on the Privacy Center.

All of our personnel are bound by duties of confidentiality and are required to undergo onboarding and refresher training courses on information security and GDPR compliance.

We have a well-maintained and up to date incident response policy (this is an internal document and cannot be shared with third parties) and stay on top of security developments through the expertise of our own people and the advice of leading external legal and professional services consultants. We would report any breach to the customer without undue delay, in line with our legal obligations.

We have a comprehensive Data Processing Agreement, available here, which incorporates the European Commission’s standard contractual clauses. It is aligned to our services and internal processes and we consequently find it much more straightforward for both parties to use our template rather than a customer’s version, which will typically be aimed at any type of vendor and data processing activity.

CyberArk services are secured according to commercially applicable industry security practices, such as OWASP, NIST and CAIQ standards. The services’ multitenancy (where applicable) is secured by, among other means, methods to isolate data of different tenants, and regular, frequent security reviews. Administration of CyberArk services is protected by various security, compliance and governance measures, including isolation and real-time monitoring of access.

Only those specifically authorized CyberArk personnel who require access in order to provide successful delivery, operation and service to the customer may access data.

In order to access the data, such personnel must be authenticated using multifactor authentication and may perform actions only in keeping with their permissions in respect of the data. Access is restricted to the internal CyberArk network and is audited.

Additionally, Customer may also provide access permission to their data on a case-by-case basis to authorized CyberArk personnel requiring access to the Customer data in accordance with the above principles and policies.

Customer data (including back up data) will be deleted no later than 60 days after expiration/termination of the CyberArk services. Additionally, customers may make a specific written request at any time to the CyberArk Customer Support portal for data deletion. Shortly after the customer request, the data will be deleted from the service live systems (databases).

Personal data collected or processed in connection with one customers’ use of CyberArk services is not shared with other CyberArk customers. CyberArk does aggregate statistical data related to its customers’ use of, access to and configuration of our SaaS solutions. This will be used for CyberArk’s reasonable business purposes or for the customer’s benefit, including improving our services.

If you are considering CyberArk’s Self-Hosted services only, we won’t host your data in our datacenters or otherwise process personal data on your behalf. You may incidentally share limited personal data with us if you raise a support ticket with our support and maintenance team.

A. Does Privilege Cloud allow CyberArk to access any data in addition to that outlined under question 1 above?

In addition to the data mentioned in Q1, under exceptional circumstances (as described below) CyberArk will potentially have access to:

  1. – Managed Accounts Credentials
  2. – Session Recordings

Such access will be subjected to a controlled and monitored procedure outlined in Question B below.

B. How does the dedicated CyberArk team access the additional data referred to in Question A above?

Where exceptional circumstances require temporary access to such additional data in order to assist customer, a process that requires customer’s approval is triggered.

The key retrieval process can only be performed by a dedicated engineering team.

In order to initiate the process, the CyberArk engineer will request access to a customer-specific and dedicated encryption key. Accessing the encryption key triggers a request for manager approval which will only be given with approval from the customer on a case-by-case basis. Once the activity is done, access to the encryption key is revoked.

A. Does Secure Web Sessions allow CyberArk to access any data in addition to that outlined under question 1 above?

In addition to the information above, if configured by the administrator, CyberArk processes a record of the user’s actions via the device on which the CyberArk Secure Web Sessions Browser extension is installed. This includes screen recordings and data generated during a web session where the SWS administrator has configured session recordings for an application. Such recording is limited to the configured application and selected users as defined by the customer

B. Does Secure Web Sessions have access to the data in sessions being step recorded?

Step recordings are encrypted locally when captured by the SWS browser extension on the end user device. Screenshots are encrypted using a public/private key pair where the private key is owned and controlled exclusively by the customer. CyberArk does not have access to decrypt these screenshots at any time. Metadata and keywords captured alongside the screenshots are encrypted using a different key. CyberArk has access to this key in order to provide search capabilities within the encrypted session data.

C. How does SWS Continuous Authentication track a user’s footsteps?

The monitoring of the web application secured by SWS is linked with the continuous authentication on the CyberArk Mobile app. SWS accesses the pedometer data on the user’s mobile device on which the CyberArk Mobile app is installed, only if the function has been activated by the SWS administrator and the end user has given its consent. SWS is aware that the user walked further than the administrator configured threshold (number of steps) from the sensitive web-session by utilizing the pedometer in the said mobile device they took with them combined with the awareness that the sensitive web-session is still open. When the mobile device is aware that it has moved more than a certain number of steps and the browser extension knows that the high-risk web-session has not ended, then the prompt is triggered. The prompt is also triggered if the connection with the end user’s device is lost.

D. Will the user be made aware of the recording?

Yes, the SWS interface makes it clear to the user that the sensitive session will be monitored. The user will see the following visual cues to indicate that the session will be/is being monitored:

At the Identity user portal:

  • The web applications for which SWS has been enabled will be visually identifiable with a small purple shield over the app logo.
  • In addition, the end-user can click on the browser extension at any time to see a list of SWS security policies applied to the current tab – if any.

Once the web application is selected by the user:

  • Prior to the start of the recording a loader-page with an information notice is shown letting the user know that certain steps are being put in place to secure the session (these steps depend on what is configured for them so up to and including – step recording, continuous authentication, and session protection).
  • This page will also include a note that the protection layers will be disabled when the tab is closed or where the user navigates to a different web application.

Once the protected session has begun:

  • The SWS extension icon will show the ‘recording state’
  • An operating system notification will pop up saying CyberArk Secure Web Sessions step recording of the selected application started.

A. Does CyberArk Identity allow CyberArk to access any data in addition to that outlined under question 1 above?

Where the Mobile Device Management service has been purchased and activated, CyberArk can collect device enrollment details from users and GPS data, only if the user has consented to this data being collected.

B. How does CyberArk process personal data to detect invalid login attempts?

CyberArk analyses users’ typical behavior in order to spot anomalous user behavior. User behavior analytics is based on IP address, usual time and location of access to applications, device and browser information and App usage analytics. Anomalous behavior leads to alerts to your admin, allowing for additional authentication steps to be requested from the user in question on the basis of your company’s pre-determined policies.

C. How is user behavior data protected by CyberArk?

The CyberArk Identity App does not access any additional personal data. Users can provide the app with permission to use the smartphone Camera and/or Photo Library if they choose to upload a profile photo or scan a QR code for login purposes. The CyberArk Identity App does not use access to the Camera or Photo Library for any other purpose.

D. Does CyberArk Identity App provide CyberArk with access to additional personal data?

The CyberArk Identity App does not access any additional personal data. Users can provide the app with permission to use the smartphone Camera and/or Photo Library if they choose to upload a profile photo or scan a QR code for login purposes. The CyberArk Identity App does not use access to the Camera or Photo Library for any other purpose.

The FAQ responses in this Document are up to date as of December 19, 2022. Any use of CyberArk Services shall be subject to CyberArk’s Terms of Service and Privacy Notice.