Data Processing & Global Privacy Regulations
Overview
Protecting your privacy
Our business is built on integrity, and SailPoint is committed to protecting the personal information of its customers, business partners, employees, and stakeholders. SailPoint utilizes privacy by design to build privacy into our products, services, policies, and procedures to ensure compliance with evolving regulations and customer expectations.
At SailPoint, we are committed to respecting your privacy. We recognize that when you choose to provide us with information about yourself, you trust us to act responsibly and to protect and safely manage any personal information that you share with us. Our Privacy Statement explains who we are, how we collect, use and share the personal information we hold about you, and how you can exercise your privacy rights. If you apply to work as an employee or contractor, please see our Job Applicant Privacy Notice for specific information on how we use your personal information.
In the course of providing products and services, SailPoint may process personal data provided to SailPoint by our customers. SailPoint offers a Data Processing Addendum (DPA) that incorporates the relevant provisions of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (UKDPA) into customer agreements.
SailPoint makes an affirmative commitment to adhere to the EU-US and Swiss-US Data Privacy Framework Principles, as well as the UK Extension to the EU-US Data Privacy Framework, and maintains a Data Privacy Framework Certification. The Data Privacy Framework Principles define a set of requirements that govern the use and handling of personal data transferred from the European Economic Area (EEA), as well as the access and dispute resolution mechanisms that participating companies must provide to individuals in the EEA. The European Commission has adopted the EU-US Data Privacy Framework, and the UK has adopted the UK Extension to it (the UK-US Data Bridge); both concluded that the United States ensures adequate protection under the respective framework, comparable to that of the European Union and the UK, for personal data transferred from the EEA and the UK to US companies certified under these frameworks.
Where personal data originates from Switzerland and is transferred to the US, SailPoint is certified under the Swiss-US Data Privacy Framework and is committed to adhering to the principles of that framework. SailPoint acknowledges that organizations cannot rely on this framework for data originating from Switzerland until the Swiss Federal Council grants its adequacy decision on the framework. Therefore, in addition to the Swiss-US Data Privacy Framework, our DPA incorporates the protections afforded by the EU Standard Contractual Clauses (SCCs). Our DPA is included in our standard terms for EMEA customers and is an option for all other customers where appropriate. Our standard contract terms are available at https://www.sailpoint.com/legal/customer-agreements/.
As required by the GDPR, UKDPA, and other privacy regulations, SailPoint publishes a list of the affiliates and third-party vendors we engage as sub-processors to assist in providing SailPoint solutions and services.
Further details on SailPoint’s privacy and data protection practices are set forth in our Privacy Statement, Terms of Use, Cookie Notice, and other notices.
FAQ
All your privacy questions answered
Find answers to common data privacy questions below.
What services does SailPoint provide?
SailPoint provides identity governance software solutions. SailPoint is a data processor for personal data received from or on behalf of our customers in connection with our Software-as-a-Service services (“SaaS Services”), support and maintenance services, and professional services. We offer Data Processing Addenda (“DPAs”), including the EU Standard Contractual Clauses (“SCCs”), with our customers for the processing of personal data transferred outside the EEA, UK, and Switzerland. Our DPA terms are available at: https://www.sailpoint.com/legal/customer-agreements/.
What types of data does SailPoint process?
The types of data processed through our services include: identification and contact data (e.g., name, email address, title, contact details), employment details (e.g., job title, role, manager), and/or IT information (e.g., entitlements, IP addresses, usage data, cookies data, and geolocation) for the customer’s employees, contractors, and/or (where licensed under the Agreement) the customer’s business partners and/or end-users authorised by the customer. This type of data is typically not of interest to government or law enforcement agencies.
SailPoint discourages and/or prohibits customers from loading sensitive personal data into our products. This includes the special categories of personal data referenced in Art. 9 GDPR (health data, political opinions, religious or philosophical beliefs, trade union membership, racial or ethnic origin, sexual orientation, genetic data, and biometric data), data relating to criminal convictions and offences, and financial account numbers or tax identification numbers.
Whose data will SailPoint process?
Our products are typically licensed for use in managing the customer’s employees and contractors, in which case only employee and contractor data is processed. Again, this type of data is typically not of interest to government or law enforcement agencies.
Our customers control the types of personal data they provide to us. Our customers determine from whom the data is collected and whether this is done on an automated or voluntary basis. SailPoint will not collect personal data on the customer’s behalf.
Our customer is also solely responsible for determining the legal basis for its data processing. The customer’s legal basis for processing may be legitimate business interests and/or legal requirements. We would not expect customers to process employee data on the basis of consent, but the customer is responsible for that determination.
Consistent with the GDPR’s “data minimization” principle, we limit the collection and transfer of data to that which is necessary in relation to the purposes for which it is processed.
Where does SailPoint process data?
For SailPoint’s SaaS Services, the customer determines the location where the SaaS Services are hosted. SailPoint leverages Amazon Web Services (AWS) or Microsoft Azure for hosting its SaaS solutions. The solutions can be run from any one of several AWS/Azure Regions, based on customer proximity and preference. Although the data in the solutions will physically reside in the chosen location, the customer’s SaaS Services environment will be managed, maintained, and accessed by SailPoint from its operating locations (those locations are listed with the sub-processor list referenced below).
A list of SailPoint’s affiliates, as well as third parties who may have access to personal data in connection with SailPoint’s provision of the services, together with each of their respective locations, is available at https://www.sailpoint.com/legal/sub-processors/.
If the data will be transferred from the EEA, UK, or Switzerland to the US, what measures does SailPoint have in place to legitimize those data transfers?
SailPoint maintains an EU-US Data Privacy Framework Certification covering the EU-US and Swiss-US Data Privacy Framework Principles and the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge). Because organizations cannot rely on the Swiss-US Data Privacy Framework for data originating from Switzerland until the Swiss adequacy decision is granted, our DPA also incorporates the protections afforded by the EU Standard Contractual Clauses (SCCs). The DPA is included in our standard terms for EMEA customers and is an option for all other customers where appropriate; see the overview above and https://www.sailpoint.com/legal/customer-agreements/ for details.
SailPoint has also conducted a Data Transfer Impact Assessment (DTIA) as required by the SCCs.
SailPoint’s affiliates have also entered into an Intra-group Data Transfer Agreement (IGDTA) with one another, which binds the affiliates to the SCCs in connection with their processing of personal data.
What controls does SailPoint have in place with sub-processors?
SailPoint will not engage a sub-processor unless we have entered into a written agreement with that sub-processor imposing data protection terms that require it to protect the customer’s personal data to the same standard as SailPoint.
We also require our sub-processors to have appropriate technical and organizational measures in place to protect against, and to report, a personal data breach, appropriate to the harm that might result from such a breach and having regard to the state of technological development and the cost of implementing any measures. Such measures may include, where appropriate: pseudonymising or encrypting personal data; ensuring the confidentiality, integrity, availability and resilience of the sub-processor’s systems and services; ensuring that availability of and access to personal data can be restored in a timely manner after a physical or technical incident; and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted.
How long does SailPoint retain data?
SailPoint will retain customer data in the SaaS Services that it processes on behalf of a customer only for the duration of the SaaS Services subscription term. Data in the SaaS Services can be downloaded by the customer at any time. Within 30 days of termination or expiration of the SaaS Services, SailPoint will, where required, delete all customer data from the SaaS Services unless prohibited by law. Customer data remaining on back-up systems will be securely isolated and protected from any further processing.
Does SailPoint have a Data Protection Officer?
Yes, SailPoint has appointed a Data Protection Officer who can be reached at [email protected].