Deep Instinct’s GDPR Compliance

Last updated: May 2023

  1. Introduction.

    Deep Instinct (“Company”, “We”, “Us”, “Our”) is a provider of a cybersecurity platform and services, which apply end-to-end deep learning to cybersecurity, using neural networks and similar technologies for the benefit of Our Customers (“You” or “Your”) to predict and prevent cybersecurity threats such as malware, zero-days, ransomware, and APT attacks. The use of Our services may also form part of Our Customers’ data protection compliance programs, with the objective of preventing data breaches and security incidents and creating records of relevant events.

    As Deep Instinct strives to provide its Customers with as much visibility on its data processing activities, We wish to be transparent regarding Our data processing practices. In addition, Deep Instinct is in compliance with the requirements of the General Data Protection Regulation 2016/679 (known as the GDPR) and any other applicable laws and regulations.

  2. The GDPR.

    Since 25 May 2018, the GDPR has been the main regulation governing the protection of personal data throughout the European Union, the European Economic Area (EEA - European Union plus Iceland, Liechtenstein and Norway) and Switzerland, and beyond due its extraterritorial scope.

    Until January 2020, the United Kingdom was considered as part of the European Union. In January 2020 the UK had excluded itself from the EU and as such is no longer a part of the EU legal regimes. Therefore, companies such as Deep Instinct must comply themselves with the requirements of the GDPR and with the data protection requirements of the UK Data Protection Act of 2018, which are materially similar to the GDPR.

    Under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”), which may include not only personally identifying data, but also device identifiers such as IP addresses or other pseudonymous data.

    The GDPR identifies two types of entities which process personal data: a Controller and a Processor. When You purchase or use any of Deep Instinct's products, Deep Instinct process Your data on Your behalf, which makes You a Controller and Deep Instinct a Processor.

    We continually monitor developments of worldwide data protection regulations and will update Our policies, contracts and processes, in order to remain aligned with applicable laws.

  3. The Personal Data Deep Instinct is Processing.

    All cyberattacks leave traces. While providing Our services, Deep Instinct processes a variety of data categories from end-user devices and systems like desktops, laptops, and mobile devices, which are located world-wide. However, the use of Our services includes the processing of the following information:

    1. device and deployment information;
    2. device properties and network information;
    3. suspicious events data;
    4. activity Logs;
    5. data regarding affected files;
    6. policy attributes;
    7. contact details;
    8. audit logs;
    9. allow lists;
    10. servers information; and
    11. active directory.

    In certain cases, the abovementioned information may include residual personal data (i.e., IP address). The sets of personal data that may be collected vary from Customer to Customer, as the files provided to Us by each of our Customers can be materially different.

  4. Deep Instinct Products that Process Personal Data.
    1. Deep Instinct™ Neural Network: The deep learning neural networks are located at the Deep Instinct™ labs. It is the core component of the deep learning cyber defense solution developed by Deep Instinct™. It continuously learns, reflecting the ever-evolving cyber threat arena. The output of its continuous deep learning process is a lightweight prediction model (D-Brain). The D-Brain is then distributed to all managed D-Clients.
    2. D-Brain (Prediction Model): D-Brain is a lightweight prediction model, which is the output of the training phase that detects cyber threats. It is installed on the client software (D-Client). Once installed on the devices, the prediction model is used to autonomously detect and prevent cyber threats on the devices, enabling on-device zero-day and APT protection.
    3. Deep Instinct™ Servers: The liaison component between Deep Instinct™ Neural Network and all the management servers. It sends the latest prediction model (D-Brain) to the management server, which updates the D-Clients.
    4. D-Cloud: The D-Cloud Intel is the database composed of billions of files, collected from various data sources, and labelled into different verdicts and classes. It serves as the dataset for training and testing of the D-Brain. The D-Cloud Live provides a second layer of protection. Using the D-Cloud services, files can be re-classified using the D-Cloud database of intellectual information on known files and the right verdict is updated in real-time.
    5. D-Appliance (Management Console): Management and monitoring server, hosted in the cloud. It provides the security administrator with an effective visualization of security events for easy monitoring, including management tools for configuring the organization's security policy.
    6. D-Client: A lightweight client software installed on the device according to its platform (Windows, macOS, Linux, Android, Chrome OS, iOS and iPadOS). It encompasses the essence of the Deep Instinct™ prediction model (D-Brain) enabling on-device Deep Static Analysis, Deep Behavioral Analysis and other key protection engines in a lightweight, autonomous and real-time way. It communicates with the management server for receiving policy and software updates, and for sending events.
  5. How Deep Instinct Ensures the Security of Personal Data.

    We are fully committed to keep all of Your personal data safe, and to make sure We follow all the requirements of the GDPR, including but not limited to:

    1. Deep Instinct maintains SOC 2 Type 2, ISO 27001, ISO 27017 and 27018 certifications. These are assessed by an external advisor and provide Customers with the best assurance of Deep Instinct’s dedication to providing secure services;
    2. Entering into data protection agreements (DPAs) with all Our vendors;
    3. Preforming reviews, audits, gap analyses and data protection impact assessments to mitigate any risks that can result from processing personal data;
    4. Updating all internal and external data protection policies;
    5. Retaining solely necessary, minimum amounts of personal data which we are required to retain by law;
    6. Training Our employees to be aware of all the risks that could arise from processing personal data;
    7. Storing, transferring and handling Your personal data outside the EEA according to adequate transfer mechanisms;
    8. Ongoing investing, updating and monitoring Our security systems (including but not limited to Our transport, storage, access control and physical security in all of Deep Instinct's servers to prevent any unauthorized access to Your personal data; and
    9. Support from expert law firms and independent GDPR consultants.
  6. International Data Transfers.

    As an international Company, Deep Instinct process personal data on secure servers in several locations, including within the EEA and outside the EEA. Deep Instinct must transfer personal data outside the EEA to provide all the elements of its services and products.

    To make sure all international transfers are secure and are consistent with the requirement of the GDPR or any other applicable data protection law, Deep Instinct has in place the following measures:

    1. All of Deep Instinct subsidiaries have entered into an intra-group data sharing agreement. This agreement incorporates all the relevant obligations of Deep Instinct under data protection laws, and incorporated the EU Commission approved "Standard Contractual Clauses";
    2. When transferring personal data to a third party, Deep Instinct enters into a data sharing agreement with said third party. These agreements adhere to the requirements of applicable data protection laws and the abovementioned Standard Contractual Clauses; and
    3. In addition, some of Deep Instinct subsidiaries are located within countries that are deemed as providing adequate protection to personal data under local data protection laws (i.e., Israel and the United Kingdom).
  7. Learn More.

    To further understand Our commitment to the GDPR, We encourage You to review Our privacy policy. Please also refer to Our Data Processing Addendum (“DPA”) to understand Our role as a Data Processor.