WP Imperva Transfer Impact Assessment (TIA) - Trust Center


Transfer Impact Assessment (TIA)

Last Updated: May 31, 2022

Imperva has prepared the following Transfer Impact Assessment (“TIA”) to assist our End Users located in the European Economic Area (“EEA”) and United Kingdom (“UK”) with their obligations to assess the risk of data transfers which may occur in connection with Imperva Products and Services.

In its Schrems II decision, the Court of Justice of the European Union determined that data controllers are required to perform transfer impact assessments for transfers of personal data from the EEA to a country which has not been designated as adequate by the EU Commission. This TIA provides an overview of the transfers of personal data which may occur in connection with our Products and Services, a description of our processing activities, an assessment of the United States laws and legal practices applicable to Imperva Products and Services, as well as the supplementary measures Imperva has implemented. For the purposes of this TIA, Imperva is considered the data importer and the EEA or UK based End User is the data exporter.

Overview of Transfers

In the provision of Products and Services, Imperva may transfer and process End User personal data to and in the United States and anywhere else in the world where Imperva, our Group Companies or our subprocessors maintain data processing operations. In each case, Imperva complies with the requirements of Applicable Data Protection Laws and the governing Data Processing Agreement (“DPA”).

Description of Processing Activities

Categories of data subjects whose personal data is transferred: Imperva may transfer personal data related to End User’s employees and visitors to End User’s websites or users of End User’s products and services using Imperva Products and Services. As the data controller, the End User is best positioned to determine the categories of data subjects whose information is provided to Imperva.

Categories of personal data transferred: The categories of personal data Imperva may transfer include the following:

(i) End User Account Data. Imperva may transfer account data and contact information of End User’s employees, billing information of individuals that End User has associated with its account, and data used for identity verification.

(ii) End User Usage Data. Imperva may process and transfer telephone number, date, time and type of communication, and IP address.

(iii) End User Data. Imperva may process and transfer personal data related to visitors to End User’s websites or users of End User’s products and services using Imperva Products and Services (e.g., IP address).

As the data controller, the End User is best positioned to determine the categories of personal data provided to Imperva.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: In many cases, the Products and Services are configured to hash personal data during processing, including sensitive personal data. Imperva does not have visibility into whether an End User is transferring sensitive data to Imperva through End User’s use of the Products and Services.

The frequency of the transfer: Personal data is transferred on a one-off basis when Imperva identifies, detects, suspects, or prevents security threats such as DDoS attacks or malicious bots (e.g., in the context of providing our Software-as-a-Service (“SaaS”) solutions) and when providing support to End User for on-premises products.

Personal data is transferred on a continuous basis for the purpose of providing Imperva Products and Services to End Users.

Nature of the processing: Personal data is collected, recorded, organized, structured, stored, retrieved, consulted, used, disclosed by transmission, restricted, and erased by Imperva.

Purpose(s) of the data transfer and further processing: In each case, the purpose of the data transfer is to provide Imperva Products and Services, including SaaS and on-premises services and support, under the terms and conditions of the applicable contractual agreements with End Users. This includes delivering functional capabilities as licensed, configured, and used by Imperva End Users, as well as troubleshooting and improvements to the user experience, efficiency, reliability and security. It also includes Imperva’s legitimate business interests.

Impact of processing and transfer on the data subject: The impact of processing and transfer is minimal because, with few exceptions, personal data is hashed prior to transfer.

Assessment of U.S. Laws and Legal Practices

Within the United States, there is a legal framework which permits U.S. government authorities to collect data, including personal data, from electronic communication services providers pursuant to certain laws and regulations. In its Schrems II decision, the Court of Justice of the European Union found that certain laws in the United States related to surveillance programs allowed for the collection of personal data beyond what is strictly necessary, and thus violated the principle of proportionality required by EU law. Specifically, the Court held that neither Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) nor Executive Order 12333 (E.O. 12333) provides the minimum safeguards required under EU law.

FISA Section 702 is a provision of the FISA Amendments Act of 2008 that permits U.S. government authorities, specifically the Attorney General and the Director of National Intelligence, to issue written directives compelling U.S. electronic communication service providers to assist with the collection of information related to authorized 702 targets. The determination of whether an individual has been properly targeted is overseen by the Foreign Intelligence Surveillance Court.

Under FISA 702, government authorities may obtain communications data from electronic communication service providers for the collection described above. FISA Section 702 defines electronic communication service providers as companies that provide to users the ability to send or receive any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric or photo-optical system that affects interstate or foreign commerce.

Executive Order 12333 provides the authority under which U.S. intelligence agencies may collect, retain, analyze, and disseminate foreign signals intelligence information. The principal application of Executive Order 12333 is the collection of communications by foreign persons that occur wholly outside the United States. Executive Order 12333 does not empower United States intelligence agencies to compel private companies to disclose data.

Application to Imperva Products and Services

Is Imperva subject to FISA 702 or Executive Order 12333?

Like most cyber security SaaS providers, Imperva may be considered an “electronic communications service provider” subject to FISA Section 702 directives. Because Executive Order 12333 does not empower United States intelligence agencies to compel private companies to disclose data, Imperva is not subject to Executive Order 12333.

How many FISA 702 requests does Imperva receive annually?

Imperva is not aware that it has received any FISA 702 requests.

How does Imperva respond to third party requests for End User data?

Imperva thoroughly scrutinizes every third party request for End User data we receive. Where there is a legal basis to do so, Imperva challenges or objects to requests for End User data that we believe are overbroad or otherwise inappropriate.

Supplementary Measures

Imperva has implemented the following supplementary measures to protect data transferred in the provision of the Imperva Products and Services:

Technical measures

We have implemented the following technical measures to protect the data:

  • Encryption and Event Logging: We encrypt, or enable End Users to encrypt End User data that is transmitted over public networks. We log, or enable End Users to log, access and use of information systems containing End User data registering the access ID, time, authorization granted or denied, and relevant activity.
  • Protection from Disruption: We use a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
  • Deletion and Retention Policy: We use industry standard processes to delete End User data when it is no longer needed, unless retention is required under applicable law.

Contractual measures

Imperva has implemented the following contractual measures:

  • Imperva is pleased to offer a DPA that is neatly tailored to our Products and Services, as well as to our business processes. We have endeavored to provide industry leading practices and commitments. Imperva’s DPA represents the commitments we can make to our End Users and flow down to our vendors, as required by applicable laws.
  • Security Measures: In the DPA, Imperva commits to appropriate technical and organizational security measures that are designed to preserve the security and confidentiality of End User data in accordance with our security standards.

Organizational measures

Imperva has implemented the following organizational measures:

  • Policies and Training: We maintain security documents describing our security measures and the relevant procedures and responsibilities of Imperva personnel who have access to End User data. We inform our personnel about relevant security procedures and their respective roles. We also inform our personnel of possible consequences of breaching the security rules and procedures.
  • Employee Confidentiality: Imperva personnel who are involved in the processing of End User data are obligated to maintain confidentiality.
  • Organization of Information Security: We have appointed security officers responsible for coordinating and monitoring the security rules and procedures.
  • Risk Assessments: We perform ongoing risk assessments related to processing End User data.

Conclusion

Imperva strives to provide industry leading compliance for our End Users. To support this, we constantly monitor developments in data privacy regulations and regulatory guidance. From time to time, we may update this TIA to reflect regulatory, technical, or other developments.