This Privacy Notice (“Notice”) describes how Tufin Software Technologies Ltd. and its affiliated companies (“Tufin”, “we”, “our” or “us”) processes personal data about Tufin’s business and channel partners, resellers, distributors and providers of professional services (“Partners”). 

This Notice only applies to the processing of personal data (as described in Section 1 below) of our Partners, including in relation to their use of the partners portal available at portal.tufin.com (“Portal”). Any other processing activities performed by Tufin, which are not covered by this Notice, are governed by our Privacy Policy

You are not legally required to provide us with any personal data. If you do not wish to provide us with your personal data, or to have it processed by us or any of our Service Providers (as defined below), please do not provide it to us and avoid any interaction with us or with our Portal.

1.      Data Collection & Processing

We collect the following categories of personal data:

a.     Partner Data

·       User Data: information associated with the accounts of our Partners’ regular users and admins – collectively “Users”) within the Portal, such as a User’s name, email address, phone number, workplace, and position;

·       Usage Data: information relating to the manner in which a User uses the Portal, including connectivity, technical and aggregated usage data, user agent, IP addresses and approximate location based upon such IP addresses, digital identifiers, device data (e.g., type, OS, device id, browser version, locale and language settings used), activity logs, log-in credentials to the Portal, the cookies and pixels installed or utilized on their device, and inferred or presumed data on generated from their use of the Portal – to the extent they constitute personal data;

·       Communications: personal data contained in communications we have with our Partners, such as when personal data received when we provide technical support or other channels of communication;

b.     Prospect Data: personal data relating to prospective customers (i.e., leads) with whom our Partners engage to distribute or resell our products (“Prospects”) which is submitted by our Partners into the Portal or provided to us by our Partners via other channels.

Categories of sources from which personal data is collected. We obtain personal data from the following categories of sources:

·       Data collected directly from our Partners. We receive User Data and Prospect Data directly from our Partners, e.g., when a Partner creates an account in the Portal or when they provide us with a list of Prospects with whom they engage to sell our products. 

·       Data collected from third parties. We may receive personal data from third parties, e.g., from our Service Providers who utilize cookies at the Portal or data enrichment services who may provide us with contact details of our Partners. 

·       Data that is automatically generated. Some personal data is automatically generated when a User uses the Portal (i.e., Usage Data), by using cookies (as described in Section 6 below) or by the services of our Service Providers (as described in Section 5 below).

2.      Data Uses

a.       We use Partner Data for the following purposes and in reliance on the legal bases for processing noted next to them, as appropriate:

To facilitate, operate, enhance, and provide our Portal (including to provide support and fix bugs).

  • Performance of a contract with our Partners (to the extent applicable)

  • Legitimate Interest

To gain a better understanding of how Users use the Portal, analytics purposes, and improvement of the Portal’s user experience.

  • Legitimate Interest

To track the performance metrics of our Partners who participate in our Partner program.

  • Legitimate Interest

To contact our Partners with general or personalized service-related messages, as well as to pursue mutual business opportunities and establish new partnerships. 

  • Legitimate Interest

  • Consent (to the extent applicable)

 

To support and enhance our data security measures.

  • Legitimate Interest

  • Legal Obligation (to the extent applicable)

To support our sales and marketing activities, e.g., to provide Partners with marketing materials which they use when they sell our products.

  • Legitimate Interest

  • Performance of a contract with our Partner (to the extent applicable)

To enforce our Terms & Conditions, to resolve disputes, to carry out our obligations and enforce our rights, and to protect our business interests and the interests and rights of third parties.

  • Legitimate Interest

 

b.      This Notice does not cover our privacy practices in relation to the processing of Prospect Data we receive from our Partners. To learn about our processing practices in relation to Prospect Data, see our Privacy Policy.

3.      Data Location

We store and process personal data in the USA, Israel, EU, and in other locations as may be necessary to provide the Portal or as may be required by law. When we transfer personal data from the EEA, Switzerland or UK to Israel, we rely on the adequacy decision of the European Commission, the Swiss FDPIC, or the UK Secretary of State, respectively. For data transfers from such jurisdictions to the US and other third countries, we and the relevant data exporters and importers have entered into the relevant Standard Contractual Clauses. You can obtain a copy by contacting us at DPO@tufin.com

4.      Data Retention

We retain personal data for as long as we deem it as reasonably necessary in order to maintain and expand our relationship with our Partners and to provide our Portal; in order to comply with our contractual obligations; or to protect ourselves from any potential disputes, all in accordance with our data retention policy.

To determine the appropriate period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and the applicable legal requirements.

If you have any questions regarding our data retention practices, please contact us by email at privacy@tufin.com.  

5.      Data Disclosure

We may disclose personal data of Users with their respective Partners; with our selected service providers who support the provision of our services and Portal, including hosting and infrastructure services, communication tools, data security services, LMS providers, fraud detection and prevention services, analytics and performance measurement, data enrichment services, support, and our legal, financial and compliance advisors (collectively, “Service Providers”); with government and law enforcement officials in response to a legal request to access personal data or in compliance with applicable laws and regulations (we will only do so if we believe in good faith that we are compelled to do so and that disclosure is appropriate); and with Tufin’s subsidiaries and affiliated companies.

6.      Cookies and Data Collection Technologies

We and our Service Providers use cookies and other similar technologies to enable and improve the Portal, to track its performance, perform analytics and gain insights on the use of our Portal, and for personalization purposes if we have obtained your consent, where applicable. For more information on our cookie practices, please see our Cookie Policy. A list of the cookies used in connection with the Portal is available here.

7.      Communications

Service Communications: Tufin may contact you with important information regarding our Portal. For example, we may notify you (through any of the means available to us) of changes or updates to our Portal, billing issues, service maintenance or changes, password retrieval notices, etc. You will not be able to opt-out of receiving such service-related communications, as they are integral to the use of the Portal.

Notifications and Promotional Communications: We may send you notifications concerning new features, offerings, events, and opportunities or any other information we think you will find valuable. We may provide such notices through any of the contacts means available to us (e.g., phone, mobile or email), through the Portal, or through our marketing campaigns on any other websites or platforms.

If you do not wish to receive such promotional communications, you may notify us at any time by sending an email to privacy@tufin.com or by following the “unsubscribe”, “stop” or “change email preferences” instructions contained in the promotional communications you receive.

8.      Data Security

Tufin and its Service Providers take and implement industry-standard measures to secure your personal data. However, please be aware that regardless of any security measures used or implemented, we cannot and do not guarantee the absolute protection and security of any personal data stored with us or with any third parties. 

9.      Data Subject Rights

If you wish to exercise any of your privacy rights under applicable privacy laws (including, if applicable, the EU or UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended, or other privacy laws applicable to you), please contact us by email at privacy@tufin.com

Your privacy rights may include, to the extent applicable, the right to know/request access to (specific pieces of personal data collected; categories of personal data collected; categories of sources from whom the personal data was collected; purpose of collecting personal data; categories of third parties with whom we have shared personal data), to request rectification or erasure of your personal data held with Tufin, or to restrict or object to its processing (including the right to direct us not to sell your personal data to third parties now or in the future), or to port such personal data, or the right to equal services and prices (e.g., freedom from discrimination) (each to the extent available to you under the laws that apply to you). If you are a GDPR-protected individual, you also have the right to lodge a complaint with the relevant supervisory authority in the EU or the UK, as applicable.

Please note that in some cases we may request that you direct your request to the respective admin of your account within the Portal. In some cases, we will not fulfill your request unless you have provided sufficient information that enables us to reasonably verify that you are the individual about whom we collected the personal data. Such additional information may be then retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request, or proof of request fulfillment).

10.    Additional Notices and Contact Details

Updates and Amendments: We may update and amend this Notice from time to time by posting an amended version on the Portal. The amended version will be effective as of the published date. We will provide prior notice if we believe any substantial changes are involved. After such notice period, all amendments to this Notice shall be deemed accepted by you.

Requirements Under Applicable USA Privacy Laws. This policy describes the categories of personal information we may collect and the sources of such information (in Section 1 above), and our retention (Section 4) and deletion practices (Section 9). We also included information about how we may process your information (in Sections 2 through 7), which includes for “business purposes” under the California Consumer Privacy Act (CCPA), as amended/Virginia Consumer Data Protection Act (VCDPA)/Colorado Privacy Act (CPA) and similar privacy laws of other states, as applicable. We do not “sell” or “share” your personal information for the intents and purposes of the CCPA (as amended), nor disclose personal information that we “control” to any third party for their direct marketing purposes. We may disclose personal data to third parties or allow them to collect personal data from our Portal as described in Section ‎5 above, if those third parties are our Partners (with respect to personal data of Users under their control), or our authorized Service Providers, or if you direct us to disclose your personal data to third parties, or as otherwise described in Section 5 above. You may also designate, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights be emailing us. Note that we will not discriminate against you by withholding our services from you or providing a lower quality of service to you for requesting to exercise your rights under the law. If you have any questions or would like to exercise your rights under the CCPA/CPRA/VCDPA/CPA or other similar applicable privacy laws of other states, you can contact privacy@tufin.com or our DPO at dpo@tufin.com

External Links: While our Portal may contain links to other websites or services, we are not responsible for their privacy practices, and encourage you to pay attention when you leave our Portal for the website or services of such third parties and to read the privacy policies of each and every website and service you visit.

Children’s Privacy: Our Portal are not intended for use by children under the age of 18. We do not knowingly collect personal data from minors under the age of 18 and do not wish to do so. In the event that it comes to our knowledge that a minor is using the Portal, we will prohibit and block such user from accessing the Portal (to the extent reasonably possible) and will make all efforts to promptly delete any personal data stored with us with regard to such user.

EU Representative: Tufin has designated Tufin Software Germany GmbH as its representative in the European Union, for data protection matters pursuant to Article 27 of the GDPR. Tufin Software Germany GmbH may be contacted only on matters related to the processing of personal data. To make such an inquiry, please send an email to privacy@tufin.com.  

UK Representative: Tufin has designated Prighter as its representative in the United Kingdom for data protection matters pursuant to Article 27 of the UK GDPR. Inquiries regarding our UK privacy practices may be sent to: Prighter (Attn: Tufin), Kemp House 160 City Road, EC1V 2NX, London, United Kingdom.

Data Protection Officer: Tufin has appointed PrivacyTeam Ltd. As its Data Protection Officer, for monitoring and advising on Tufin’s ongoing privacy compliance and serving as a point of contact on privacy matters for data subjects and supervisory authorities. If you have any comments or questions regarding this Notice, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is being processed by Tufin, you can contact privacy@tufin.com or our DPO at dpo@tufin.com

Contacting Us: If you have any comments or questions about this Notice or if you have any concerns regarding your personal data held with us, please contact us privacy@tufin.com or our DPO at dpo@tufin.com

Last Updated: July 2023.