We at Morphisec Information Security 2014 Ltd. and our affiliates (collectively, “Morphisec”, “we”, “us”, “our”) operate various on-premises software security and cloud services (the “Solution”) to provide end-to-end protection against the most damaging cyberattacks for companies (the “Customer”). These include Guard, Keep and Shield for real-time server and end-point protection and Scout for vulnerability management.
We respect data privacy. This Privacy Policy (the “Policy”) describes the ways that the Customer, using the Solution, handles personal data of its employees or contractors (“Users”). The Policy outlines how the Solution collects, receives, uses, stores, shares, transfers, and processes personal data on behalf of the Customer in connection with our Solution. It also describes the rights and options available to Users concerning their personal data.
Please note that this Policy covers the Solution’s privacy practices in general matters. The Customer may have an additional privacy notice explaining its own specific privacy practices related to its Users’ personal data (the “Customer’s Notice”). If the Customer’s Notice conflicts with this Policy, then the Customer’s Notice will prevail.
Our Role in this Policy
The Customer is the data controller that determines the purposes and means of the data processing on the Solution. We are the data processor on behalf of the Customer.
For the purposes of this Policy, Customers are entities that execute subscription agreements with us to use our Solution to provide end-to-end protection from cyberattacks. The Customer uses our Solution to process Users’ personal information, such as employees’ computer-related activities. We have no direct relationship with Users and therefore do not obtain directly from them the personal information which we process on behalf of the Customer as a result of our agreement with the Customer. We impose contractual requirements on our Customers that require adherence to privacy requirements. We process personal information from Users under the direction of the Customer. We have no direct control or ownership of the personal data we process on behalf of the Customer. The Customer determines the purposes and means of processing its Users’ data and is responsible for complying with any regulations or laws requiring notice, disclosure, and obtaining consent concerning the collection, sharing, and use of all their processing purposes. The ultimate nature, scope, and use of information that we collect from Users are subject to the Privacy Notices of our Customers and not us. Customer legitimate interest may provide a lawful basis for the Customer and us under EU Data Protection laws to process personal data. We process personal data on behalf of the Customer to the extent strictly necessary and proportionate for the purposes of ensuring network and information security. This Privacy Policy does not apply to any information or data collected by us as a controller for other purposes. We will use Users’ data only for the purposes we agree with the Customer, except as listed below, or if a User gives us a separate explicit consent.
Personal Information We Process
Data protection law means that we can only use your data for certain reasons and where we have a legal basis to do so. Here are the reasons for which we process your data:
We process personal information you share with us on our Solution about Users’ computer activities relating to potential information security threats. Users are not legally required to provide such personal information to us.
When Customers install or connect to our Solution, we may process information such as email address, IP address, active URL in case of an attack on Users’ browsers, logged-in username, and other anomalous computer activities and logs. Users do not have a legal obligation to provide any of the above information. However, the data is necessary for the Customer to use our Solution.
Anonymized data.
At any time, we may anonymize (de-identify) personal information we have collected. We may use the de-identified information in any way, including by selling, or making it available, to any other third party.
How and Why We Use Users' Personal Information
The Customer will use User data on our Solution to identify information security threats to provide end-to-end protection against the most damaging cyberattacks.
We process Users’ personal information on our Solution to deliver our service to the Customer. The Customer determines the purposes and means of the processing. The Customer may use our Solution to identify information security threats to provide end-to-end protection against the most damaging cyberattacks, as the case may be, in accordance with its processes and policies all as further described and under the Customer’s Notice. We process Users’ information shared with us by the Customer as they direct us and in accordance with our agreement with the Customer, and we store it on our service providers' servers. Our agreement with the Customer prohibits us from using that information, except as necessary to provide and improve the service, as permitted by this Privacy Policy, and as required by law.
How and When We Share Personal Information
We will not sell or share Users’ information with third-party recipients, except as listed below, or if the Users give the Customer their explicit consent.
We share the Users’ personal information with the Customer.
We share Users' personal data we process and various insights about the Users’ computer activities and threats we infer from it on our Solution on behalf of the Customer with the Customer.
We share Users' personal information with our service providers to help us operate our Solution and provide service to the Customer.
We will share Users’ personal information with our service providers, such as AWS for data storage and hosting services and Pendo for product and Solution analytics. Our service providers are authorized to use Users’ information only as necessary to provide their specific relevant services to us and not for their purposes. They are required to maintain the confidentiality of Users’ data.
We will share Users’ information with competent authorities or other parties if a User violated the law or abused our agreement or our Solution with the Customer.
If a User has violated this Privacy Policy, or any other agreement the Customer has with us, abused the Solution, or violated any applicable law, we will share such Users’ information with competent authorities and third parties such as legal counsels and advisors to handle the violation or breach.
We will share Users’ information if we are legally required.
We will share Users’ personal information if we are required to disclose it by a judicial, governmental, or regulatory authority.
We will share Users’ information with a third party in the event of a change in our structure.
We may assign the agreement with the Customer in the event of a corporate merger or sale of assets related to the performance of the Solution to the acquiring or merging third party. In such an event, we may share personal information provided by the Customer, provided that the assignee assumes Morphisec’s stead for all rights, obligations, performance, and liability under the subscription agreement and this Privacy Policy.
We will share the User’s information in case of an emergency concerning the User.
We will share the User’s information if we need to act immediately to protect the User’s personal safety.
International Information Transfer
We transfer Users’ information internationally in accordance with the applicable data protection law.
We will transfer information internationally in accordance with applicable data protection laws. We may store and process information in the EU and other countries such as the United States and India. We may also process information using cloud services. The laws in those other countries may provide a lower degree of data protection than the laws of your own country. You agree to the transfer of Users’ information to such other countries for the purpose of the processing as described in this Policy, including through cloud services. Where we transfer Users' Data outside of the EU, the United States or India (for example, to third parties who provide us with services), we will do it subject to data protection laws.
Information Security
We implement technical and organizational measures to secure Users’ personal information.
We implement appropriate safeguards to reduce the risks of damage, loss of information, and unauthorized access or use of the information we collect and maintain. Users’ data is always encrypted in transit and at rest. However, these measures do not guarantee absolute information security. Therefore, although we take reasonable precautions and make an appropriate effort to secure Users’ information, you cannot expect that the Service will be immune to information security risks.
Data Retention
Users have certain rights subject to possible restrictions under the applicable law.
Users may have certain rights on their data to access, obtain a copy or update their data, subject to possible restrictions under the applicable law. Users may ask the Customer or us to receive a copy of their personal information stored on the Solution or have the Customer or us update or correct their information. If Users wish to exercise any of these rights, they should contact the Customer through the channels listed on the Customer’s Notice or write to us at legal@morphisec.com. If we receive a User’s request to exercise one or more of their rights, we will, first, redirect them to make their request directly to the Customer. The Customer is responsible for responding to any such request. We will reasonably assist the Customer in responding to such data subject requests if we still hold User data. The Customer has the right to ask for reasonable evidence to confirm Users’ identity before asking us to provide Users with the data. Where the Customer is unable to provide Users with the data that they have requested, the Customer will explain the reason for its inability to do so.
If Users are residents of the EU, they may have additional rights, subject to possible restrictions under the law, to delete, restrict, or object to processing.
If Users are residents of the EU, they may have the following additional rights to:
Object to the processing of their personal data for Customer legitimate interests. However, the Customer may override a User objection if the Customer demonstrates compelling legitimate grounds, or for the establishment, exercise or defense of legal claims.
Restrict the processing of User personal data for the duration the Customer requires to verify its accuracy. Users have the right to restrict the processing of their personal data if they consider it an unlawful processing. Users can also request the restriction of the processing during the time we review their objection to Customer legitimate interest.
Withdraw Consent to processing Users’ personal data, at any time. If Users do that, we will still process certain information on legal basis other than consent, as described in this Policy. Withdrawing User’s consent will not affect the lawfulness of data processing we carried out based on User’s consent before such withdrawal.
Erase Users’ personal data when it’s no longer needed. For example, when the lawful basis of our Solution is Users’ consent, Users can withdraw their consent and have the right to ask us to erase their data relating to that. However, we may still process Users’ personal data if we need to in order to comply with a legal obligation, or if we are subject to do so under the law, or for the establishment, exercise, or defense of legal claims.
Additional information for users in the EU
We are the data processor of the personal data we process about Users through our Solution.
Morphisec is the data processor for the personal data we process through our Solution. Our registered address is at 77 HaEnergia St., Gav Yam Park, Beer Sheva, Israel. You can contact us by email at legal@morphisec.com.
Additional information for users in the EU
We are data controllers of the personal data we collect about you through our Website.
Morphisec is the data controller for the personal data we collect through our Website. Our registered address is at 77, Haenergia St. Gav Yam Park Bldg. 1, Beer-Sheva, Israel 8470912. Contact us by email at Legal@morphisec.com.
To contact our representative in Europe or the United Kingdom.
Our European representative for this Policy, pursuant to Article 27 of the GDPR, is European Data Protection Office (EDPO). If you are within the European Economic Area, you may contact our European representative at:
Our representative in the United Kingdom for this Policy, pursuant to Article 27 of the UK GDPR, is EDPO UK Ltd. If you are within the United Kingdom, you may contact our UK representative at:
The legal basis for sharing your data in a case of emergency is to protect your or another natural person's vital interests.
You have a right to complain to the relevant supervisory data protection authority.
Subject to applicable law, you have the right to complain to your local data protection authority. If you are in the EU, you can complain to the supervisory authority, in particular in the state of your residence, place of work, or place of an alleged infringement of the GDPR. Names and contact information of the competent supervisory authorities in the European Union can be found at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
How We Make Changes to this Policy
We may change this Policy from time to time, and if we do, we’ll provide prior notice.
Morphisec may change this Policy from time to time, and if we do, we shall provide 14 days’ prior written notice. If a Customer continues to use our Solution after those changes are in effect, the Customer agrees to the new Policy.
Contact us
You can contact us at:
The best way to get in touch with us if Customers or Users have any questions, complaints, or suggestions, or to exercise the Users' options described above is to write to us at legal@morphisec.com. We will do our best to resolve the issue promptly.
Additional Information for Users in California
The table below summarizes which personal information (referenced in the table below as PI) we receive by reference to the statutory categories specified in the California Consumer Privacy Act (referenced herein as CCPA). It then describes the practices we implemented during the 12 months preceding the effective date of this Privacy Policy. It refers to what we described above in the general section of this Privacy Policy:
Category of PI | Specific pieces of PI collected | Sources of PI collected
(A) Identifiers | Unique User identifier, Internet Protocol address, Name, email address. | From User's computer devices
(B) Physical characteristics or description | Telephone number | From Users
(F) Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | An active URL | From Users' computer devices
Personal information does not include de-identified or aggregated consumer information.
The table below summarizes how we use the personal information (referenced in the table below as PI) we receive by reference to the statutory categories specified in the CCPA. It refers to what we described above in the general section of this Privacy Policy:
Category of PI | Business or commercial purpose for collecting and selling personal information.
(A) Identifiers | To provide our Service to the Customer.
(B) Physical characteristics or description | To provide our Service to the Customer.
(F) Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | To provide our Service to the Customer. To improve and enhance our Service.
Our hosting provider AWS and service providers for solution analytics such as Pendo may have access to all categories of personal information for our business purposes (referenced in the table above as PI). We do not share or sell Users’ information with third parties. In the preceding twelve (12) months we have not sold any personal information.
If the User is a resident of California, they have certain rights subject to possible restrictions under the law to know, request deletion, opt-out of the sale of personal information, and protect against discrimination.
If Users are residents of California, they have the following rights:
Right to Know. Users have the right to know subject to a verifiable request the categories of personal information the Customer shares with us and we process about them; The categories of sources from which the personal information is collected; Our business or commercial purpose for collecting personal information; The categories of third parties with whom we share personal information if any, and the specific pieces of personal information the Customer shares with us and we process about its Users.
Right to Request Deletion. Users have the right to request the deletion of their personal information from the Customer and direct the Customer to ask any of its service providers to delete their personal information from their records on receipt of a verifiable request from the User and subject to certain exceptions set out below. Please note that we may not delete Users’ personal information if it is reasonably anticipated within the context of our ongoing business relationship with the Customer, or otherwise perform a contract between Customer and its Users; Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided Customer or us have obtained User’s informed consent; Enable solely internal uses that are reasonably aligned with Users’ expectations based on the Customer relationship with the User; Comply with an existing legal obligation; or Otherwise use Users’ personal information, internally, in a lawful manner that is compatible with the context in which Users provided the information to the Customer.
Right to Opt-Out. We do not share or sell Users' information with third parties for monetary consideration. Users may exercise their right to opt-out from our processing of their information, on behalf of the Customer, by contacting the Customer as described below.
Right to Non-Discrimination. Users have the right to not be discriminated against by us because they exercised any of their rights under the CCPA.
If Users would like to exercise any of their CCPA rights as described above, Users should contact the Customer through the channels listed on the Customer’s Notice or write to us at legal@morphisec.com.
Users have the right to designate an authorized agent to submit a request on their behalf.
Users may designate an authorized agent to make a request under the CCPA on their behalf. To do so, Users need to provide the authorized agent with written permission to do so and the agent will need to submit to the Customer proof that they have been authorized by the User. The Customer will also require that the User verify their own identity, as explained below.
Verification of Requests
The Customer may ask the User for additional information to confirm their identity and for security purposes before disclosing personal information or deleting information.
For Password Protected Accounts. The Customer shall verify User identity through their service records. The Customer shall also require a User to re-authenticate before disclosing or deleting User information.
For Non-Accountholders. The Customer will verify the User's identity by using two or three points of the information verification process, or together with a signed declaration under penalty of perjury that the User is the consumer whose personal information is the subject of the request depending on the type of information the User requires.
Timing, Format and Fees
We endeavor to support the Customer in responding to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform the Customer of the reason and extension period in writing. We will deliver our written response by email. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. For information portability requests, we will select a format to provide personal information that is readily useable and should allow the Customer to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to a verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will inform the Customer why we made that decision and provide the Customer with a cost estimate before completing a request.