CyberArk privacy notice

This privacy notice (“Privacy Notice”)  describes how CyberArk will process your personal data, where CyberArk acts as a controller of your personal data; namely,  in connection with your use of the CyberArk owned and operated websites including without limitation www.cyberark.com and any of its related or  subdomains (the “Website(s)“), including the CyberArk portals (such as Technical Community, Partners Community, Training and Certification Portal and the Marketplace) (the “Portals“); in connection with certain instances of your use of CyberArk’s products, services, and other technical applications and tools (the “Services“), where CyberArk acts as the controller of your personal data; in connection with CyberArk’s relationship with our business-to-business contacts, such as with the representatives of our service providers, processors, or suppliers; and in connection with other occasions where CyberArk collects and processes your personal data, as further detailed in this Privacy Notice.

References to “we”, “us” or “CyberArk” in this Privacy Notice mean CyberArk Software Ltd, and any of its affiliated entities, as far as they are related to the operation of the Websites, the Portals or the Services or as otherwise relevant under this Privacy Notice. Our contact details for these entities and their respective office locations can be found here. The CyberArk entity that will be responsible for processing your personal data will depend on how you use CyberArk Services and your geographical location.

References to “you” or “your” mean the individual who has or may in the future enter into a relationship with CyberArk as a user of CyberArk mobile applications (excluding: (i) when you are using  CyberArk Mobile on behalf of your employer or customer; or (ii) CyberArk’s Identity mobile application, in which case CyberArk will be processing the data on behalf of our customer), a representative of a prospective or existing customer or authorized channel partner, a user of our Website or Portals, an investor, or otherwise use the CyberArk Websites or Services. When you are browsing our Websites or using our Services for your own benefit, CyberArk is the “controller” (as such term is used in the EU General Data Protection Regulations (“GDPR“) and the “business” (as such term is used under the California Privacy Rights Act (“CPRA”) of your personal data.

References to “personal data” mean information that identifies you or is reasonably capable of identifying you. It also includes similar terms under data privacy laws, such as “personal information” and “personally identifiable information.”

If you are an end user of CyberArk Services, this Privacy Notice does not apply to our processing of your personal data. The controller and/or the business of your personal data is your employer or the organization to which CyberArk is providing services and which is a CyberArk customer. CyberArk is the “processor” or “service provider” of such personal data under the GDPR and CPRA, respectively. In such case, the processing of the personal data by us is subject to a data processing agreement between the applicable CyberArk entity and such customer, and this Privacy Notice does not apply to you.

General

At CyberArk, we pride ourselves on being an organization that has a privacy-minded culture consistent with legal requirements.

You can contact CyberArk at any time to request more information about the way we process personal data by using this form or sending an email to [email protected]. We will respond to your request in the timescales prescribed by applicable laws.

You should read this Privacy Notice in conjunction with the terms and conditions of the Website, or in conjunction with the terms and conditions applicable to you in the specific context.

The following describes the types of personal data that CyberArk processes about you, in which instances this personal data is collected and processed, the purposes of processing, and the lawful bases for processing (where the GDPR applies). We collect the personal data described below from you or the company you represent during your interactions with us.

When you use one of our Websites
Instance of data collection Personal Data Processed Purposes of Processing Lawful Bases for processing where the GDPR applies
When you browse our Websites • Names, usernames or similar identifiers used on our Websites
• information from your web browser (such as browser type and browser language), your Internet Protocol (“IP”) address, internet service provider (“ISP”), operating system, date/time stamp, clickstream data and analytics data regarding the actions you take on the Websites (such as the web pages viewed and the links clicked on)
• Administer our Websites
• provide you with relevant website content
• measure the effectiveness of the content served to you and of our marketing efforts
• analyze and improve the use of the Websites
• provide more relevant and personalized information, promote our business in various platforms and assess the success of our promotional activities
• fraud prevention and security of our Websites
Our legitimate interests in monitoring and improving our Websites and/or your consent where necessary under applicable law.
When you submit a contact form or request a demo form through the Websites, download any whitepapers or other downloadable materials from the Websites, and/or when you subscribe for a free trial • First and last name, email address, telephone number, company name, role, job title, department, and country • To reply to your request or query
• to set up a demo at your request
• to send the requested materials to you, if requested
• to send you communications related to our products, services, and/or events through different channels
Our legitimate business interests and/or your consent where necessary under applicable law (e.g. where you have provided your consent for CyberArk or our Partners to send you marketing communications).
When you use our Portals (either as a representative of a customer/prospective customer, channel/alliance partner, or a prospective channel/alliance partner
Instance of data collection Personal Data Processed Purposes of Processing Lawful Bases for processing where the GDPR applies
When you set up an account in our Portals • First and last name, telephone number, mobile phone number, country, language, email address, job function, organization, and address • To set you up as an authorized user of the Portal and create a user profile for you
• to manage and administer your use of the Portals
• to send you communications (including marketing) related to our products, services or events via different channels
• to operate our business, for example, transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Our and/or our customers’ legitimate business interests and/or your consent where necessary under applicable law (e.g. where you have provided your consent to be included in our marketing mailing lists)
When you log into and use our Portals • Credentials used to log into our Portals
• Browser type and browser language, referring URL, your IP address, ISP, operating system, date/time stamp, and clickstream data and the actions you take on the Portals (such as the web pages viewed, the links clicked on and searches performed)
• To provide you with support and training related to the Portals
• to understand how our partners/customers use the Portals and analysis thereof for the purpose of monitoring and improvement of Portals
• measure the effectiveness of the content served to you
• to send you communications (including marketing) related to our products, services or events via different channels
Our and/or our customers’ legitimate business interests and/or your consent where necessary under applicable law (e.g. where you have provided your consent to be included in our marketing mailing lists)
When you download and use CyberArk Mobile (excluding when you are using the applications on behalf of your employer or customer)

 

Instance of data collection Personal Data Processed Purposes of Processing Lawful Bases for processing where the GDPR applies
When you set up an account for use of any of our Services • First name, last name, phone number, phone model and operating system, and, if you choose to provide this, a profile picture • To allow you access to the services, in accordance with the specific functionality for which you have access rights and authorizations
• provide technical support
• measure our marketing efforts and performance
• to operate our business, for example, transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing
• to notify you about transactional issues, or other issues relating to CyberArk services (such as new features, version releases) or invitations to our customers related events
Fulfilment of our contractual obligation
Our legitimate business interest
When you attend a CyberArk hosted or sponsored physical or virtual conference or event
Instance of data collection Personal Data Processed Purposes of Processing Lawful Bases for processing where the GDPR applies
When you register to the event • First and last name, email address, telephone number, company name, role, job title, department, and country • To set you up as a registered participant in the event
• to manage and administer your participation in the event including sending your communications related to your attendance
• to send you communications (including marketing) related to our products, services or events via different channels
• to operate our business, for example, transmitting your personal data within the CyberArk group for internal administrative purposes, such as auditing and accounting
Fulfilment of our contractual obligation, our legitimate business interest and/or your consent where necessary under applicable law
When you log into the event and during the event in which you participate (online events) • Log in and out time, time spent, any information that you choose to provide for networking purposes, and chat stream • To manage and enable your access to the event
• to provide you with technical support related to the event
• to keep records regarding our events and analysis thereof for the purpose of planning of future events
• to improve our understanding of your needs and interests
• understand how you and other participants benefit from the events, including to assess which content is the most useful
• to send you communications (including marketing) related to our products, services or events via different channels
Fulfilment of our contractual obligation, our legitimate business interest and/or your consent where necessary under applicable law
During the event in which you participate (in person) Business card information • To send you communications (including marketing) related to our products, services or events via different channels Fulfilment of our contractual obligation, our legitimate business interest and/or your consent where necessary under applicable law
prospective customer
Instance of data collection Personal Data Processed Purposes of Processing Lawful Bases for processing where the GDPR applies
When we request and you submit feedback to a survey, for example, following closing of a support ticket, delivery of our services or following training; • Your responses to the survey • To consider your feedback and assess the level of service we have provided, and to improve our processes and services
• follow-up with you depending on the nature of your feedback
Our legitimate business interests including as necessary for the performance of the contract with the relevant customer/partner/investor
When delivering communications to you (including marketing communications and advertising) • Your email address, display name of your email account, information about your interactions with our communications (e.g. links clicked on) =, actions that you take on our and our partners’ websites such as your visits or interactions with such websites • To monitor and analyze electronic communications sent or received by our users, including to tailor our communications accordingly and measure our marketing efforts
• security and fraud prevention
• to cater to your requests, for example, to reply to your inquiry, arrange a meeting for you, arrange a demo for you, etc.
• measure the effectiveness of our (online) advertising, improve our marketing practices, and helps us deliver more relevant communications and advertising to you and people like you (including on social media)
Our legitimate business interests and/or your consent where necessary under applicable law
When you conduct business dealings with us as a representative of a service provider, contractor, processor or supplier • Your contact information, such as name, title, company name, email address, address, and phone number • To enter into and perform under a contract providing us certain services
• to communicate with you about potential business dealings
Fulfilment of our contractual obligation, our legitimate business interest, and/or your consent where necessary under applicable law
When you use our Products and Services
Instance of data collection Personal Data Processed Purposes of Processing Lawful Bases for processing where the GDPR applies
When, as an end user of our Services, you use or are accessing systems which are secured by CyberArk. • Statistical, de-identified and/or aggregated information that relates to the use and configuration of our Services and data derived from it. • To prevent fraudulent or illegal use of our Services and ensure compliance with our software license agreement.
• To improve and develop our Services, including by using AI and machine learning capabilities.
• To comply with applicable laws, including to comply with disclosure or reporting obligations and for dispute resolution purposes.
Our legitimate business interests to improve and develop our Services.
As necessary to comply with our legal obligations and to ensure compliance with our terms.

In addition to the above, under some circumstances we may collect and process other types of personal data; in these cases, we will provide an in-time notification with respect to the additional personal data collected and processed.

In addition to the above uses of your personal data, we will also process your personal data for the following purposes:

  1. To prevent, detect and fight fraud or other illegal or unauthorized activities
  2. To ensure legal compliance – from our side (to legal requirements that apply to us (such as various records keeping) and to our obligations under the Terms of Use) and from your side (compliance with laws applicable to you and with the Terms of Use)
    For some of the above processing, we may rely on multiple legal grounds. For example, we process some information both for our legitimate interests as a business regarding user compliance with applicable terms of use and to comply with legal obligations applying to us (GDPR Article 6(1)(f) and 6(1)(c)).

We may disclose your personal data with other parties when outsourcing certain tasks or processes to service providers or subcontractors, whether in relation to our services, website operation or internal requirements. We use the following categories of service providers or contractors who are only authorized to process your personal data as necessary to provide these services to us:

  • Relationship management software
  • Marketing automation platform
  • Webinar software
  • E-mail platforms
  • Hosting provider, including website hosting
  • Customer success software
  • Online community platforms
  • Human Resources Information Systems
  • Background check service providers
  • Analytics providers
  • Customer reference management software
  • Survey tool service providers
  • Learning management system software

We may also disclose your personal data with our partners when we run or sponsor events with them and with social media and/or advertising companies to personalize our communications and your experience on our and other websites. These third parties may also disclose your personal data with us where you have provided your information to them, and they have the right to disclose this information to us under applicable law. This includes contact details and other identifiers.

For CyberArk’s applications available on the Google Play Store, our use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Where you are a member of staff at a CyberArk Customer or Partner and you register for a CyberArk event, this information may be shared with that Customer or Partner.

We may use or disclose personal data if required by applicable law or if we reasonably believe that use or disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud and/or to comply with a judicial proceeding, court order, legal process or other governmental authority; provided, however, that unless prohibited by law, we will use reasonable efforts to give you notice to enable you to seek a protective order or take other appropriate action.

We may also disclose your information to third parties in and outside your country only to the extent allowed by applicable law. We may also transfer your information if we sell, buy, merge or partner with other companies or businesses, undergo a reorganization, bankruptcy, or liquidation; or otherwise undertake a business transaction or sell some or all of our assets. In such transactions, your information may be among the transferred assets.

Where information is transferred outside the EEA, and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the European Commission data is adequately protected by European Commission approved standard contractual clauses or a vendor’s Binding Corporate Rules.

We will retain your personal data for such periods of times required or permitted by law or subject to our retention policies as may be in place from time to time. CyberArk takes the following considerations into account in order to determine the retention period:

  • The time required to retain personal data to fulfill business purposes, including providing products and services
  • Maintaining corresponding transaction and business records
  • Controlling and improving the performance and quality of the Websites
  • Handling possible user queries or complaints and locating problems
  • Whether the user agrees to a longer retention period
  • Whether we reasonably believe that this data will be needed for the handling of any litigation
  • Whether the laws, contracts, and other equivalencies pose any requirements for data retention.

We will maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of your personal data processed by us as part of your use of our products/services, our Websites and any other aspects of our business as described in this Privacy Notice; and will not materially decrease the overall security of such items. However, no method of data security is 100% effective. Therefore, we cannot guarantee or warrant its absolute security.

Our Websites, Portals and Services are not intended for or directed at children under the age of 18. In addition, we do not knowingly collect personal data from children under the age of 18.

CyberArk provides community forums on some of the Company’s Websites, Portals or Services. Any personal data you choose to submit in such a forum may be viewed by others who visit these forums. CyberArk is not responsible for any misconduct by any person or entity of any personal data you choose to submit in these forums.

If you submit a Deal Registration Form via the Portal, we will also collect the following information: corporate name of end customer and contact details for your point of contact within the end customer (including name, job title and address).

Any marketing consents opt-ins/opt-outs or other preference details provided to us in connection with another website or service operated by us (such as the CyberArk community or our transactional websites) will be recorded and administered separately from any preferences or consents provided in connection with the Portal. You have the option to change your preferences registered in connection with any of our Websites or Services at any time.

If you are an authorized channel partner and no longer want us to contact you related to marketing events or information, please contact us at [email protected].

You may contact us at any time by completing this form, or sending an email to [email protected] to request to fulfill any of your rights in relation to your personal data, depending on the laws applicable to you. We will respond to your request in the timescales prescribed by the relevant local laws.

Depending on your location (e.g., if you are a California resident or in the United Kingdom, Switzerland, or European Economic Area) and on the laws that are applicable to you (e.g., CPRA or GDPR), you may be entitled to some or all of the following rights:

The right to access – You have the right to request CyberArk for copies of your personal data, which includes the right to obtain confirmation as to whether or not personal data concerning you are being processed.

The right to rectification/correct – You have the right to request that CyberArk rectify or correct any information you believe is inaccurate. You also have the right to request CyberArk to complete the information you believe is incomplete.

The right to erasure/deletion – You have the right to request that CyberArk erase/delete your personal data, under certain conditions.

The right to restrict processing – You have the right to request that CyberArk restrict the processing of your personal data, when: (a) you contest the accuracy of your personal data, for a period allowing CyberArk to verify the accuracy of said data; (b) if you believe personal data has been unlawfully processed and you wish to restrict processing rather than delete it; (c) CyberArk no longer needs the personal data but you require to keep it in order to establish, exercise or defend a legal claim; or (d) you have exercised your right to object to the processing (below) for a period allowing CyberArk to consider whether your legitimate grounds override those of CyberArk.

The right to object to processing – You have the right to object to the processing of a part or all of your personal data at any time. When relating to processing for marketing purposes, you have an absolute right to object; while for other purposes, the existence of the right depends on what lawful basis the processing relies on and on the existence of our compelling legitimate grounds to continue the processing.

The right to data portability – You have the right to request that CyberArk transfer the data that we have collected to another organization, or directly to you, under certain conditions. This includes receiving your personal data in a portable, structured, commonly used, and machine-readable format so that you may transmit the data to another entity without hindrance.

The right not to be discriminated against – You have the right not to be discriminated against for exercising any of your privacy rights, which includes us not: (i) denying you goods or services; (ii) charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing you a different level or quality of goods or services; (iv) suggesting to you that you will receive a different price or rate for goods or services or a different level or quality of goods or services; and (v) retaliating against you for exercising your privacy rights.

If allowed by applicable laws, you have the right to withdraw your consent at any time when CyberArk processes your personal data based on your consent. However, withdrawal does not affect the legitimacy and effectiveness of how we process your personal data based on your consent before the withdrawal is made.

Although we will make reasonable efforts to accommodate your requests, in some circumstances we may deem your request unfounded or not eligible under applicable law. In such instances we reserve the right to refuse your request. We may require, as pre-requisite to fulfilling any request, to verify your identity which we may do by asking you to provide certain information or identification to ensure that all data subjects’ privacy is protected. We may charge you a small fee for the exercise of some of your rights under certain conditions and if permitted by applicable laws.

You may also exercise your privacy rights through an authorized agent. If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please email us at [email protected]. We will ask for further information confirming your authority to act on behalf of the person you represent once we receive your request.

While we would always appreciate the chance to deal with your concerns before you approach an external regulator, you can also contact a data protection supervisory authority in any of the countries in which CyberArk is established and/or the country in which you are based, such as the Information Commissioner’s Office in the United Kingdom, and lodge a complaint. You can obtain the contact information for all of the EEA data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.

To opt-out of receiving communications relating to marketing, events or promotions from CyberArk, you can contact us at any time by completing this form or sending an email to [email protected]. Please note that if you are an existing customer then we may need to retain business contact information in order to provide you with CyberArk services, however, this will not be used for marketing purposes.

We will make periodic updates to our Privacy Notice via this statement and will note the date the then-existing version takes effect. If you have any queries concerning such changes then please contact us via [email protected].

What are cookies?

A cookie is a very small text document, which often includes a unique identifier. Cookies are created when your browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the website’s server. Find out more about the use of cookies at www.allaboutcookies.org.

We also use other forms of technology which serve a similar purpose to cookies, and which allow us to monitor and improve our Websites. When we talk about cookies, this term includes these similar technologies.

What cookies do we use and what information do they collect?

Category Purpose
Required cookies These cookies are required to enable core functionalities of our Websites. Without these cookies, services you have asked for, like identifying you while you are logged in, cannot be provided. If you disable these cookies certain parts of the Websites will not function for you.
Functional cookies These cookies help us improve, analyze or optimize the experience we provide. In particular, these allow us to measure how visitors interact with our Websites and we use this information to improve the user experience and performance of our Websites. These cookies are used to collect technical information such as the number of pages visited, which parts of our website are clicked on and the length of time between clicks.
Advertising cookies We use these cookies to collect information about your browsing habits in order to make advertising more relevant to you and your interests. They are also used to limit the number of times you see an advert as well as help measure the effectiveness of an advertising campaign.  We may share this information with other parties who help manage online advertising – please see the “Third Parties” section below for more details.

Third parties

Your use of our Websites may result in some cookies being stored that are not controlled by us. This may occur when the part of the Websites you are visiting makes use of a third party analytics or marketing automation/management tool or includes content displayed from a third party website.

How do you manage these technologies?

If you want to delete any cookies that are already on your device, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

To manage your cookie consent preferences, please click here.

This section is only applicable to California residents for purposes of compliance with the CPRA and other California privacy laws. The CPRA requires businesses like CyberArk to provide certain disclosures and offer certain rights in their privacy policies.

You can learn more about these rights and how to exercise them in the Your choices and rights and instructions section above.

Prior 12-month personal information handling practices

You can find a list of the categories of personal information we collect as well as the purposes for which we use it under the section entitled What personal data does CyberArk process and for what purposes? This also covers the instances and sources from which we obtain your personal information.

For additional details regarding how we disclose personal information to third parties please see the above section entitled How will CyberArk disclose your personal data with other parties?

Selling or Sharing of Personal Information

Our use of tracking technologies may be considered a “sale”/ “sharing” under California law. You can opt-out of being tracked by these third parties by clicking the “Cookie Choices” link at the bottom of our website and selecting your preferences.

You can also contact us at [email protected] or by completing this form.

Additional Disclosure for California Residents

California law permits residents of California to request certain details about how their information is disclosed to third parties for direct marketing purposes. If you are a California resident and would like to make such a request, please email us at [email protected].

CyberArk does not monitor or respond to Do Not Track browser requests. Hence please ensure to change any settings of your browser and/or our Services, whenever you wish cookies to cease.

Contacts

You may contact CyberArk’s Data Protection Office and make the relevant requests permitted pursuant to applicable law by completing this form or sending an email to [email protected]

Last Updated: January 9th, 2024