Data retention policy
● Event/Log Transaction Data: Netskope only stores log transaction data resulting from the analysis of logs and cloud service activity processed through Netskope. Customer log transaction data is retained for 90 rolling days by default unless specifically requested by customers for longer retention periods. After the 90-day period, Netskope automatically deletes the log transaction data from Netskope’s NoSQL database using scheduled daily jobs run against our databases. Data, while stored, is replicated between database clusters running across multiple systems for redundancy but is not otherwise retained in backups or otherwise beyond 90 days following the daily data purge jobs. Administrators of the Netskope tenant can also delete all log transaction data from their UI and can download the log transaction data that is stored from within the UI using REST API at any time. Data is additionally backed up to secure GCP locations (geo-mapped to the chosen customer management plane and retained for an additional 30 days).
● User Data (User ID/Email): User data uploaded to Netskope for administering the service and tracking users is retained as long as the service is active and the users are active. Users are removed dynamically through directory sync tools or can be manually removed by customer admins. Users that are deleted by customers from our portal or through directory connectors are also deleted immediately from the Netskope platform and removed from our user DB backups after 30 days.
● Additionally, Netskope does not store any customer data on removable devices or media, and maintains documented data retention and destruction policies and procedures for system drives when retired or replaced.
Data archiving and removal policy
When a customer contract expires and is not renewed, or at POC completion, Netskope has processes in place to ensure proper data migration and deletion. Netskope performs a full and complete data removal process, and backups are rotated out after 30 days.
Data storage policy
● Netskope does not store cloud service data on its systems or in its data centers except log transaction data.
● Log transaction data is only stored in the client’s selected Home MP location and is backed up only within the same geographic region within Google GCP.
● Netskope log transaction data may contain personal data (PD) or personally identifiable information (PII), as defined by EU GDPR and other privacy regulations, guidelines, and/or enterprise/user confidential information; however, it doesn’t contain what is typically considered as “sensitive” PII (Tax ID #s, ID #s, Financial Account #s, race or ethnic information, etc.) by U.S. laws and compliance frameworks, and doesn't contain data from within the end-user files/structured data processed by Netskope other than the file name. Netskope log transaction data elements can include the following:
  ○ User ID (both enterprise User ID and any other alias the user used to log in to Netskope and various cloud applications)
  ○ Service (Application) Name
  ○ Service (Application) Instance
  ○ Category
  ○ Cloud Confidence Level (enterprise-readiness score)
  ○ DLP Profile and Rule Triggered
  ○ Data Classification
  ○ Policy Name
  ○ Activities
  ○ Device
  ○ OS
  ○ Browser or Native Client Used
  ○ Device Classification
  ○ File Object (like file name or email subject)
  ○ Bytes Uploaded and Downloaded
  ○ Length of Connection
  ○ Access Method (Reverse Proxy, Forward Proxy, Introspection, Agent, iOS Mobile Profile)
  ○ Operating Unit (OU)
  ○ Active Directory (AD)/LDAP Group
  ○ Source, Destination, and Private IP addresses
● For more information on Netskope privacy practices, please refer to Netskope’s Privacy Package available on request. The Privacy Package provides far more detailed information pertaining to privacy and data protection compliance.
● Netskope does not use client log transaction data or share client log transaction data with third parties for any purposes outside of the Netskope service. Netskope may generate aggregated cloud usage reports based on this data; however, all PD/PII is removed prior to aggregation and use.
● Netskope also provides an encryption feature for designated PI or enterprise sensitive fields within our log transaction data; however, this feature is currently only supported for our “Discovery” service and requires Netskope on-premises appliances that can be integrated with customer HSMs that support KMIP.
App/service has sub-processors
no
App/service uses large language models (LLM)
no