Expel notices

Howdy! Welcome to Expel’s Privacy Center. At Expel, we believe security can’t exist without privacy. We believe transparency is at the heart of what we do and in the security services we provide you. We’d like to make sure you understand your privacy rights and the who, what, when, how, and why we manage and use your personal information.

Security and privacy stuff should be painless, and that’s why we’ve created these privacy artifacts below to ensure you have the information you need. Please take the time to review these painless, yet important, privacy artifacts below.

Privacy Policy

Cookie Policy

Workbench Privacy Policy

Subprocessors

Expel Online Privacy Policy

Last Updated: February 16, 2024

Thanks for visiting Expel, and double thanks for checking out our privacy policy.

We know privacy policies can sometimes be pretty boring to read, so we’ll try to keep ours (somewhat) entertaining because you’re legally bound to the provisions below if you use our site or services.

Expel provides a web-based security platform that businesses use to monitor their network security and react to security issues.

Expel’s Privacy Principles are held in high regard by our employees and are not meant to disrupt our managed detection and response services. They are meant to demonstrate how easily we enable and safeguard your privacy within our practices and culture.

This online privacy policy describes how Expel (collectively “Expel,” “we,” “us,” or “our”) handles personal info that we collect through our websites, through social media, in connection with our marketing activities, and through other activities described in this privacy policy.

If you’re a current customer using Expel Workbench (‘Workbench’) and are receiving our Managed Detection and Response services via our Security Operations Center, please refer to our Transparent Managed Security Privacy Policy.

This privacy policy does not apply to info that we process on behalf of our business customers while delivering Workbench and our Managed Detection and Response services. Our use of this info is restricted by our agreements with those business customers. If you have concerns regarding personal info that we process on behalf of a business, you should direct your concerns to that business.

1. Our Privacy Principles

Of Expel’s core values, transparency and accountability are held in high regard. Our Privacy Principles listed below help guide privacy decisions throughout Expel so that we can fulfill our objectives in allowing security and privacy to be readily available, accessible, and easy to fulfill.

  1. We respect individuals’ privacy by transparently promoting informed choice.
  2. We are transparent about the personal info that we use, and we’re accountable for how our partners and third parties use it.
  3. We will only collect personal info that we need, and we pseudonymize, anonymize, or securely dispose of personal info that we don’t require.
  4. We factor security and privacy into everything we do.
  5. We engineer security and privacy into our ideas and products.

2. What we collect, why, and how we use it

While you’re on our website, we might collect, use, store, or transfer different kinds of data about you. These kinds of data fall into different categories:

  • “personal info” is info that allows someone to identify or contact you, directly or indirectly — like your name, your email address, or your phone number.
  • “non-personal info” is data that’s not associated with or linked to you or your personal info.

Info you provide to Expel:

  • We may collect personal info from you, such as your first and last name, email and mailing addresses, professional title, company name, phone number, country of residence, state of residence, and other personal info and special categories of personal info you have voluntarily chosen to share when you submit a form on expel.com (our “site”) or attend one of Expel’s events or other in person meetings.
  • If you provide us feedback or request information by contacting us via email or website chatbot, we’ll collect your name and email address, as well as any other content included in the email or chatbot conversation, in order to send you a reply.
  • If you visit Expel offices, we’ll collect your name, email address, phone number, and time and date of arrival for physical security purposes.
  • If you provide Expel with personal info as part of the managed security services received by Expel or via your use of Expel Workbench (‘Workbench’), please see the Transparent Managed Security Privacy Policy section. Note that you cannot use our managed security services or Workbench without accepting the terms of our Workbench Privacy Policy.
  • When you apply for a job at Expel via our site, we’ll ask you to provide personal info about yourself so we can evaluate your application. If this info isn’t provided, our ability to consider you as a candidate may be limited. You may also provide us with your personal info that we don’t specifically request (for example, your resume/CV may contain info about your hobbies and social preferences).
    • The types of personal info we collect about you may include:
      • First/last name, email, phone, info on how you may have heard about the open role, inclusions identifying you within your resume/CV, inclusions identifying you or other individuals in a cover letter (optional submission by you), and the link to your LinkedIn profile (optional submission by you).
    • Regarding special categories of info within the Expel hiring process:
      • In connection with your application on our careers site, Expel doesn’t require special categories of personal info regarding religion, race or ethnic origin, gender, health, sexual orientation, membership of a trade union, or political affiliation.
        • If you do provide us with special categories of info (religion, race or ethnic origin, gender, health, sexual orientation, membership of a trade union, or political affiliation), you expressly authorize Expel to handle this info in accordance with this policy.
      • If you have a disability and would like for us to consider an accommodation, you may provide that info during the recruitment process.
  • Other info that we may collect which is not specifically listed here, which we will use as described in this privacy policy or as otherwise disclosed at the time of collection.

Info collected via our site:

If you opt-in to our mailing lists online or in person, you’ll receive communications that may include Expel news, updates, related product or service info, and other Expel related info.

Our site gathers info when interacting with you, some of which may be considered personal info in your jurisdiction. Info collected and used by means of technology may include, among other things:

  • Internet Protocol (IP) address
  • Browser info
  • Device ID
  • the type of computer and technical info about your means of connection to our site or web portal.

Expel may also use tracking technologies to collect info that will enhance your experience and use of our site:

  • “Cookies” are small pieces of info that a website sends to your computer’s hard drive while you’re viewing the website. For additional info regarding cookies, please visit our Cookie Policy.
  • “Pixel Tags” (also referred to as clear Gifs, Web Beacons, or Web Bugs). Pixel tags are tiny graphic images with unique identifiers, similar in function to cookies, that are used to track online movements of web users. For additional info regarding pixel tags, please visit our Cookie Policy.
  • Google Analytics: We use Google Analytics to help analyze how users like you utilize our site. This leverages the use of Cookies to collect info such as how often users visit our site, what pages they visit, and what other sites they used prior to coming to our site.

Do not track browser settings:

Some Internet browsers like Firefox, Internet Explorer, and Safari include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, we do not currently process or respond to “DNT” signals. To learn more about “DNT”, please visit “All About Do Not Track“.

Info collected or shared via third party sources:

When we collect personal info, there’s a chance it’ll be shared with third-party vendors who help us operate and maintain our site and services. Examples of those third parties include, but are not limited to:

  • Email or direct mail delivery;
  • Telephone calls or text messages;
  • Marketing automation; and
  • Cloud infrastructure services.

Examples of third parties where Expel receives or provides personal info:

  • From time to time, we may receive personal info about you from third parties where they have indicated that they have your consent or are otherwise legally permitted or required to disclose your personal info to Expel. For example, we may be provided with info about individuals who could be interested in using our offerings (for example, LinkedIn Sales Navigator, ZoomInfo, etc.);
  • From a business-to-business (B2B) sales perspective, another individual at your company or organization may provide us with your business contact info for the purposes of obtaining services;
  • From time to time, Expel may obtain info about you with the purpose of conducting a background screening if you’re selected to join our awesome Expel team via our careers and recruitment process. We conduct background screenings through a third-party service provider and verify info that you have in your job application that relates to your past education, employment, credit and/or criminal history, as allowed by applicable law;
  • For the purposes of recruiting, Expel may share or exchange your personal info with recruitment agencies. If your personal info is shared in this way, Expel will only do so on a “need-to-know” basis, and we’ll seek to ensure it’s only used in connection with our recruitment process; and
  • You may also choose to provide Expel with access to certain personal info stored by third parties such as job-related social media sites (for example, LinkedIn). By authorizing Expel to have access to this info, you agree that Expel may collect, store, and use this info in accordance with this Privacy Policy.

Our third party service providers only receive personal info about you for the limited purposes of providing us with their services. When we engage a third party who will need to access and process your personal info as part of their services, we require contractual obligations to provide at least the same level of data privacy and security protections we hold ourselves to. Our subprocessor list can be accessed here.

Our third parties are required to notify us if they can no longer meet the expected level of protections required to safeguard personal info. We still continuously monitor for compliance, pursuant to our third party security assessment procedures, depending on the nature of the services being provided.

Why we collect and process personal info when you visit our site:

We may collect your personal info for the following purposes outlined below:

  • Personal info you submit to us is used either to respond to requests that you make, or to help us serve you better. Expel uses your personal info to achieve the following:
    • respond to your inquiries related to employment opportunities or other requests;
    • send you a welcome email to the email address provided when your personal info is first submitted;
    • make telephone calls to you, from time to time; and
    • send newsletters, surveys, offers, and other promotional materials related to our services and for other marketing purposes of Expel.
  • To manage our relationship with you which includes notifying you about changes to our terms.
  • To administer and protect Expel and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
  • To provide relevant website content and measure or understand the effectiveness of the content we provide you.
  • To use data analytics for research and development purposes and to improve our site, our products, marketing efforts, client relationships, and experiences. As part of these activities, we may create aggregated, de-identified, or other anonymous data from personal info we collect. We make personal info into anonymous data by removing info that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
  • To make suggestions and recommendations to you about Expel products and services that may be of interest to you.
  • To assist with the recruitment, selection, evaluation, and appointment of job candidates (temporary or permanent) for the job(s) you may have applied for.
    • Also to include the performance of any satisfaction surveys (optional submission by you) which would help Expel manage and improve the recruitment process.
  • For compliance and protection, in particular to:
    • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
    • protect our, your, or others’ rights, privacy, safety or property (including by making and defending legal claims);
    • audit our internal processes for compliance with legal and contractual requirements and internal policies;
    • enforce the terms and conditions that govern the Service; and
    • prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks and identity theft.

3. Third party websites accessed via Expel.com

Our site contains some links to third-party websites. When you click on a link to a website that we don’t operate, you’ll leave our site and go to another website and that website might collect personal or anonymous data from you. Remember that we don’t have control over and aren’t responsible for these non-Expel websites or their content. And just because we link to another website doesn’t mean we endorse those third parties, their products, their content, or the website itself.

4. Legal basis for processing personal info

Expel will only use your personal info when the law allows us to do so. Expel’s legal basis for collecting and using personal info will depend on the personal info concerned and the specific context in which we collect it.

Note that we may process your personal info for more than one legal basis depending on the specific purpose for which we are using your data.

Usually, we collect your personal info in the following circumstances:

  • When you provide consent to process the personal data for a specific purpose.
  • Where the collection of personal info is needed for the performance of a contract we are about to enter into or have entered into with you.
  • Where the processing of the personal info is in our legitimate interests and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where the collection of personal info is required for your or another’s vital interests.

If you have provided your consent to receive communications from us, you have the right to withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal info conducted in reliance on lawful processing grounds other than consent.

5. We go to great lengths to keep your info safe…

We care a whole lot about the security of your personal info, which is why we use what we think are appropriate administrative, organizational, technical, and physical measures to protect the personal info you provide to us. Only authorized personnel have access to the personal info you provide, and each Expel employee with access to personal info is obligated to maintain its integrity and confidentiality.

While we follow generally accepted standards to protect personal info, no method of storage or transmission is 100% secure. If you have reason to believe that your interaction with us is no longer secure, you should immediately contact us.

6. …and you can choose what to share (or not to share) at any time.

You’ve got choices as to what we share with you and what you share with us. For example:

  • Email communications. We often send emails that talk about our services or share our latest blog posts. When you receive promotional communications from us, you may indicate a preference to stop receiving further communications from us and you’ll have the opportunity to “opt-out” by following the unsubscribe instructions provided in the email you receive or by contacting us.
  • If you decide at any time that you no longer wish to accept cookies, other than those necessarily required for the function and operation of our site and for any of the purposes described above, please reference our Cookie Policy for further info.

7. Your data privacy rights and choices

Expel respects you, your privacy, and your data protection rights. Depending on where you live, the kinds of personal info we’ve collected about you and the nature of how we process it, you’ll be able to exercise certain rights over your personal info based on regulations and laws that apply.

Residents of the European Economic Area (EEA), the United Kingdom, and Switzerland:

Expel responds only to verifiable privacy requests received from individuals who wish to exercise their privacy and data protection rights in accordance with the European Union General Data Protection Regulation (EU GDPR).

  • If you wish to access, correct, update, or request deletion of your personal info, you can do so at any time by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.
  • You can object to processing of your personal info, ask us to restrict processing of your personal data, or request portability of your personal info. You can exercise these rights by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.
  • You can opt-out of marketing communications we send to you at any time by clicking on the “unsubscribe” link in the marketing emails we send you or by contacting us directly via the Expel Privacy Webform.
  • Telephone Marketing (‘telemarketing’): You can exercise this right by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.
  • If Expel has collected and processed your personal info with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the legal grounds of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal info conducted in reliance on legal processing grounds other than consent.
  • We prefer to answer your questions, requests, and concerns about how we handle personal info directly. We make good faith efforts to honor reasonable requests submitted to us. You do have the right to lodge a complaint with EU Data Protection Authorities (DPAs) about Expel’s collection and use of your personal info. For the contact info of the Data Protection Authorities for each European Union Member State, please click here.

Aligning with Articles 37 – 39 of the EU GDPR, Expel has appointed a Data Protection Officer (DPO), who informs and advises Expel of its obligations pursuant to the EU GDPR and other applicable privacy and data protection laws and regulations. The Expel DPO can be reached at privacy@expel.io.

California residents’ rights under the California Consumer Privacy Act (‘CCPA’), as amended by the California Privacy Rights Act (CPRA):

Expel operates as a Business to Business (‘B2B’) security operations company, and the CCPA provides consumers (California residents) with specific rights regarding the processing of their personal info.

We’ll never knowingly sell, trade, or rent your personal info — it goes against our company’s DNA.

Subject to exceptions, you may request disclosure, deletion of your personal info, correction of your personal info, and opt out of any sharing of your personal info by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.

Expel will not discriminate against you (e.g., through denying goods or services, or providing a different level or quality of goods or services) for exercising any of the rights afforded to you.

Expel responds to verified requests received from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. When contacting us, please provide us with detailed info about the personal info you’re requesting we access, correct, update, restrict, or delete, and the timeframe and manner in which you believe we came to collect your personal info.

If Expel obtained your personal info via an Expel customer or a third party acting on your behalf, you should contact the company/entity or person you provided your info to.

8. Law enforcement, regulatory, and statutory compliance

Under certain circumstances, we may be required to disclose your personal info in response to valid requests by public authorities, law enforcement officials, or other third parties as necessary to comply with national security or legal process requirements. This may be required to protect the rights, privacy, safety, or property of Expel, you, or others as required by applicable laws.

9. How long we keep your info

We keep your personal info only for as long as it’s warranted to provide our Services or otherwise operate under this privacy policy, fulfill our commitments to you, and/or adhere to legal or regulatory requirements.

Customer and prospect data, which is contact info and details on Expel’s relationship with current, former, and prospective customers, is retained indefinitely (which aligns with common industry practices). If an individual expresses that they do not wish to receive any direct marketing communications or other forms of outreach, Expel will deactivate such contacts and systematically enforce a suppression list.

Recordings of phone calls or video conferences made to you by our Sales team are retained for 60 days from the date of the phone call or video conferencing meeting.

When personal info is expired, or is no longer needed and does not have to be retained, we shall securely delete, destroy, or anonymize it, depending on what method is systematically and procedurally possible, most secure, and what our related retention commitments are. If there is any personal info that we are unable, due to technical limitations, to delete from our systems, we will implement appropriate safeguards to prevent any further use of such personal info.

10. International data transfers

Expel only permits cross border (‘international’) transfers of personal info made between countries or regions when supported by an appropriate legal agreement or an alternative provision that ensures sufficient safeguards and obligations to personal info rights are commensurate. The sufficiency of these agreements and provisions depends on the countries or regions the personal info is transferred from and to. Examples of agreements and provisions that may be suitable for transfers (depending on the nature of the international exchange) include, but are not limited to, the following:

  • The nation or region where personal info is transferred from recognizes the nation or region where personal info is transferred to as having adequate protections in place.
  • Standard data protection clauses are established.
  • An approved code of conduct is in place that’s paired with binding and enforceable commitments set upon the organization in the third country.
  • An approved certification mechanism is in place that’s paired with binding and enforceable commitments set upon the organization in the third country.
  • Where applicable, an approved certification mechanism paired with binding and enforceable commitments set upon the organization in the third country.

EU-U.S. Data Privacy Framework, U.K. Extension and Swiss-U.S. Data Privacy Framework

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) entered into force. The EU-U.S. DPF Principles entered into effect as of the same date. Expel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Expel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Expel has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Expel commits to resolve complaints about our collection or use of your Personal Data. If you have any questions, complaints and/or other concerns, please first contact us at: privacy@expel.io or via the Expel Privacy Webform.

You may also lodge a complaint with your local data protection authority, with the Data Protection Authority in Ireland, namely the Data Protection Commission, at dpo@dataprotection.ie, the UK Information Commissioner’s Office (ICO), at https://ico.org.uk/, or Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/edoeb/en/home.html.

For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Expel commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF.

The Federal Trade Commission has jurisdiction over compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF for Expel.

In the context of an onward transfer, Expel has responsibility for the processing of personal data it receives under privacy principles including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Expel shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

11. A note to users outside of the United States

If you’re a non-U.S. user of the Expel site, by visiting our site and providing us with your personal info, you acknowledge and agree that your personal info may be processed for the purposes identified in this privacy policy. In addition, your personal info may be processed in the country in which it was collected and in other countries, including the United States, where laws regarding processing of personal info may be less stringent than the laws in your country. By providing your personal info to Expel, you consent to this transfer.

We take the security of your data seriously. Any transfers of your personal info will have sufficient safeguards in place that are in line with industry leading security and privacy standards.

12. Children’s privacy

We do not knowingly collect info relating to children. If we learn that we’ve collected personal info from an individual deemed to be under the age of 16, we’ll take appropriate measures to investigate and address the issue promptly.

13. Changes to this privacy policy

We’re constantly looking to improve our site and services, so we may need to update this privacy policy from time to time.

We’ll notify you of any substantive changes to our online privacy policy by, for example, placing a notice on our site and/or by sending you an email (if you have registered your email details with us) when we are required to do so by applicable law. You’ll be able to see when this privacy policy was last updated by checking the “Last Updated” date above. You should consult this online privacy policy regularly for any changes.

Contact us

If you have any questions or requests about this privacy policy, our Services, or how we manage your personal info, please contact us through our Expel Privacy Webform or by contacting:

Expel, Inc.
Attn: Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170
+1 (844) 397-3524
Email: privacy@expel.com


Last Updated:  May 1, 2023

Who loves cookies?!

We sure do. Especially when they’re straight out of the oven.

Our cookie policy might not bring you quite as much joy as gooey chocolate chip goodness… but it’s pretty important.

We promise to keep this short and sweet, though. (Pun definitely intended.)

1. What are cookies?

What you’ll see below are descriptions of a different type of cookie – it’s a technical type of cookie (chocolate chips not included). “Cookies” are small pieces of information that a website places on your computer’s hard drive while you’re viewing the Expel website (referred to from here on out as ‘our site’). These cookies serve different purposes — they help us run our site better and let you navigate between pages more efficiently.

We may use ‘session’ cookies (which expire once you close your web browser) and ‘persistent’ cookies (which stay on your computer until you delete them) to provide you with a more personal and interactive experience on our site. In plain English, this means we use cookies so that we can provide our services, understand how they are used, and for advertising/analytics purposes.

Also, cookies that we set are called “first party cookies”, while cookies set by other parties are called “third party cookies”. Third party cookies enable features or functionality from such third parties to be provided on our site. The parties that set these third party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites. More on this below…

2. What types of cookies and similar tracking technologies does Expel use?

On our site, we use the cookies and pixel tags listed in the following categories described in the table below.

If you’re really into learning about different types of technical cookies … well, this section’s for you.

Cookies deployed on our site

Type: Strictly Necessary Cookies
Description and purpose: These cookies are necessary to provide you with the services needed to deliver our site to you. All the strictly necessary cookies are deemed persistent, except for the session cookies set by Cloudflare and WordPress.
Where used: Cloudflare, Marketo, OneTrust, WordPress

Type: Functional Cookies
Description and purpose: These cookies allow our sites to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, personalized features. For instance, a website may be able to provide you with local weather reports or traffic news by storing in a cookie the region in which you are currently located. These cookies may also be used to provide services you have asked for, such as watching a video.
Where used: GitHub, Google Analytics, Marketo, WordPress

Type: Targeting and Advertising Cookies
Description and purpose: These cookies record your visit to our site, the pages you have visited, and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.

Acuity Platform cookies are used to hold the advertising ID of users on their mobile device and used for tracking user actions.

Audience Manager cookies help perform basic functions such as visitor identification, ID synchronization, segmentation, modeling, and reporting.

Bing cookies collect anonymous information about how visitors use our site to determine what ads to show on the site that may be relevant to the site visitor perusing the site.

Bluekai cookies collect anonymized data about users’ web usage as well as aggregate anonymous activities to build a profile to provide more targeted and relevant marketing and advertising.

Casale Media cookies collect anonymous data related to the user’s visits to the site, such as the number of visits, average time spent on the site and what pages have been loaded, with the purpose of displaying targeted ads.

Drift identifies site users anonymously for the purpose of personalized robot chat functionality on the site.

Doubleclick cookies collects how many times you have seen an ad and, for example, whether you need to see the UK or US version of the ad. It cannot find out any personal information about you, however, it does track IP addresses.

Google uses a cookie called ‘NID’ in their browser. When you visit a Google service, the browser sends this cookie with your request. It contains a unique ID where Google remembers your preferences and other information.

The LinkedIn cookie typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active Linkedin profile, or agreed to their terms and conditions.

Pubmatic cookies are used to correlate IDs with those of Pubmatic partners. Pubmatic passess information stored by the partner in this cookie to the partner when it is considering whether to purchase advertisements.

Twitter acts as a social networking service for both advertising and tracking our traffic (both for sponsored content [ads] and our organic posts).

YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. Youtube cookies act as a unique identifier to track viewing of videos.

Acuity Platform

Audience Manager (Adobe)

Bing (Microsoft)

Bluekai

Casale Media

Doubleclick (Google)

Drift

Google

LinkedIn

Pubmatic

Twitter

YouTube

Performance Cookies These cookies collect information about how visitors use our sites, for instance which pages visitors go to most often, and if they get error messages from our site. These cookies don’t collect information that identifies a visitor.

Datadog cookies allow for monitoring the performance of web and mobile applications. These are deemed to be session cookies.

Github cookies are used for a temporary application and framework state between pages (e.g. what step the site user is on in a multiple step form).

Google Analytics cookies are used to register a random client identifier that is used to generate statistical data on how the visitor uses the site.

Marketo cookies allow the tracking of visitor behavior on our sites, and it links a site visitor to the recipient of an email marketing campaign in order to measure campaign effectiveness. Tracking through Marketo cookies is performed anonymously until a user identifies himself by submitting information via a contact form, etc.

Wistia cookies collects anonymized data about users’ engagement with videos on the site.All the information these cookies collect are aggregated and only used to improve how our sites work via website analytics.

If you do decide to live without these cookies, certain functions of our site may not work.

Datadog

Github

Google Analytics

Marketo

Wistia

Cookies deployed through the use of Workbench

Type: Functional Cookies

Description and purpose: Expel’s Workbench uses cookies to track sessions.

The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.

Where used: Expel Workbench

Type: Performance Cookies

Description and purpose: Mixpanel and cookies are used for analytics purposes only (i.e., record Workbench user activity and to report on what pages and features users utilize and dwell on more or less frequently, etc.).

These cookies are used to enhance the Workbench platform and optimize usability and utility. Mixpanel stores a Workbench user name, as it has the capacity to drill down to specific user history, however, recordings are not personally revealing and do not amount to profiling.

Where used: Mixpanel

Expel doesn’t sell your personal information/cookie info that is gathered through the use of our site.

3. Other tech we use

Aside from cookies, we also use something called “pixel tags” — if you’re a tech geek like all of us, you might also know them as clear GIFs or web beacons. The TL;DR on pixel tags is this: they’re tiny graphic images with unique identifiers, similar to cookies, that are used to recognize when someone has visited our sites or opened an email that we have sent them. In contrast to cookies, which are stored on a user’s computer hard drive, pixel tags are embedded invisibly in web pages. They can analyze web traffic patterns from one page within our sites to another, communicate with cookies, and understand whether you came to our sites from an online advertisement or post displayed on a third-party website. We do not tie information gathered by pixel tags to our users’ personal information. Among other uses, they enable us to compile statistics about usage of our sites, so that we can manage our content more effectively.

4. You’ve got some choices

The copy below was written by our lawyers (bear with us).

The Cliff’s Notes version is this: You’ve got options, and can switch ‘em up thanks to your nifty browser settings.

If you decide at any time that you no longer wish to accept cookies from Expel’s site, then you can instruct your browser by changing its settings. Most browsers let you remove or reject cookies. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org. Please note that if you set your browser to disable cookies, our sites may not work properly and you may experience some inconvenience in your use of our sites. For example, we may not be able to recognize your computer or mobile device and you may need to log in every time you visit our sites.

Find out how to manage cookies on popular browsers:

Google Analytics

For more info about what you can do to understand how Google safeguards your data, click here. For more info on specifics regarding how Google Analytics cookies operate on websites, click here. You can prevent the use of Google Analytics relating to your use of our sites by downloading and installing a browser plugin available here.

Google’s ability to use and share information collected by Google Analytics pertaining to your visits to our site is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.

Opt-out options regarding targeted advertising

If you’d like to opt-out from receiving targeted advertising on websites through members of the Network Advertising Initiative, click here or the Digital Advertising Alliance by clicking here. Please note that we also may work with companies that offer their own opt-out mechanisms and may not participate in the opt-out mechanisms linked above.

European users can opt out of receiving targeted advertising on websites through members of the European Interactive Digital Advertising Alliance by clicking here, selecting the user’s country, and then clicking “Choices” (or similarly-titled link).

5. Get in touch

Information about the cookies we use may be updated from time to time, so please check back on a regular basis for any changes. Have questions about this policy? Feel free to reference our Expel Privacy Policies or give us a shout and we’ll be glad to help you.


Expel Workbench™ and Services Privacy Policy

Last Updated: February 16, 2024

Thanks for visiting Expel, and double thanks for checking out our Transparent Managed Security Privacy Policy. This policy applies to info that we process on behalf of our business customers (“customer(s),” “consumers,” or “your Organization”) and their end-users (“You”) via the Expel Workbench™ (“Workbench”) and our Managed Detection and Response services (“Services”). Our use of this info is restricted by our agreements with our customers.

This policy is not meant to disrupt our managed detection and response operations, but to the contrary, it’s to articulate how we enable and safeguard your privacy. We know privacy policies can sometimes be pretty boring to read and super long, so we’ll try to keep ours (somewhat) entertaining and easy to understand per our Privacy Principles noted below.

By sharing your personal info with us, and continuing to use our services, you confirm that you have read and understood the terms of this policy.

1. Scope

This policy applies to the personal info made available by our customers and partners and through the use of Workbench. All Expel employees, partners, customers, and vendors, who have access to and are responsible for processing personal info in Workbench and via the Services that Expel provides, are subject to this policy.

In regards to any personal info that we collect via our site (https://www.expel.com), product feedback or surveys, in connection with our events, sales and marketing activities, and when you apply for a job role with Expel through our site or otherwise, please visit our Expel Online Privacy Policy.

Workbench and our Services are intended for use by organizations, administered to you by your Organization, and are subject to your Organization’s policies, if any. This means that in most cases we are collecting and processing your personal info on behalf of your Organization.

This policy applies to the limited personal info we collect and use for our own purposes as a data controller in connection with user authentication into Workbench and user experience (UX) research, and covers personal info we process on behalf of your Organization as a ‘data processor’ through the use of Workbench and Services received by your Organization from Expel’s Security Operations Center (SOC). It’s primarily your Organization, as the data controller, that controls what personal info about you we collect and how we use it.

If you have privacy-related questions or concerns about your Organization’s privacy practices or the choices your Organization has made to share your personal information with us or any other third party, you should refer to your Organization’s privacy policies, and reach out to the individual(s) who manage the Expel vendor relationship/Workbench administrator at your Organization.

Expel is not responsible for your organization’s privacy or security requirements outside of the Services we provide, which may differ from those set forth in this policy.

If you have any questions about this policy, please reach out to our security and privacy team provided under the “Contact Us” section of this policy.

2. Our Privacy Principles

Of Expel’s core values, transparency and accountability are held in high regard. Our Privacy Principles below help guide privacy decisions throughout our business so that we can fulfill our objectives in allowing security and privacy to be readily available, accessible, and easy to fulfill.

  1. We respect individuals’ privacy by transparently promoting informed choice.
  2. We are transparent about the personal info that we use, and we’re accountable for how our partners and third parties use it.
  3. We will only collect personal info that we need, and pseudonymize, anonymize, or securely dispose of personal info that we don’t require.
  4. We factor security and privacy into everything we do.
  5. We engineer security and privacy into our ideas and products.

3. What we collect, why, and how we use it

At Expel we take the security of personal info very seriously. We’ve established reasonable security measures designed to ensure personal info is safeguarded and accessed only by those with a need to know. We collect personal info directly from our customers and their users in connection with the provision of Workbench and our Services. Workbench collects info from our customers’ security products and applications, and that info is used to facilitate the delivery of our Services to our customers, including managing and monitoring the infrastructure, providing support (“Security Operations Data”), and for Expel’s own analytics and product improvement purposes (“Usage Data”) as mentioned in Table 1.1 below.

Processing Activity: Account creation on the Expel Workbench
Categories of Individuals: Corporate Customers and Expel employees (only employees with a need to know)
Categories of Personal Information: Name (full name); Contact data (email); Profession/career data (employer); Operational classification (office/HQ location)
Role and Purpose of Processing: Data Controller. The purpose of processing is to allow customers and employees to create accounts and use Workbench (only for employees providing customers with direct support/with a need to know)

Processing Activity: Alert triaging, investigation, and remediation
Categories of Individuals: Corporate Customers and employees (only employees with a need to know)
Categories of Personal Information: Name (full name); Contact data (email); Customer access data (username); Usage data; Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, login activity, URLs accessed, file paths, browser history, machine names, and system activity)
Role and Purpose of Processing: Data Processor. The purpose of processing is to carry out Expel’s security monitoring, investigation, and response services

Processing Activity: Platform and security services architecture
Categories of Individuals: Customers and employees (only employees with a need to know)
Categories of Personal Information: Name (full name); Contact data (email); Customer access data (username); Usage data; Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, URLs accessed, file paths, machine names, and system activity)
Role and Purpose of Processing: Data Processor. The purpose of processing is to carry out Expel’s managed security services to promote the safety and security of Workbench and Expel Services

Processing Activity: Expel for Phishing
Categories of Individuals: Customers and employees (only employees with a need to know)
Categories of Personal Information: Name data (full name) and Email address; Email content that may contain PII
Role and Purpose of Processing: Data Processor. The purpose of processing is to carry out the Expel for Phishing service

Processing Activity: Expel Threat Hunting
Categories of Individuals: Customers; Expel employees and contractors (only employees and contractors with a need to know)
Categories of Personal Information: Name (full name); Contact data (email); Customer access data (username); Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, URLs accessed, file paths, machine names, and system activity)
Role and Purpose of Processing: Data Processor. The purpose of processing is to carry out the Expel Threat Hunting service

Processing Activity: Expel Vulnerability Prioritization
Categories of Individuals: Customers; Expel employees and contractors (only employees and contractors with a need to know)
Categories of Personal Information: Name (full name); Contact data (email); Customer access data (username); Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, URLs accessed, file paths, machine names, and system activity)
Role and Purpose of Processing: Data Processor. The purpose of processing is to carry out the Expel Vulnerability Prioritization service which encompasses both MDR with Vulnerability Scanning enrichment and Managed Vulnerability Prioritization

Processing Activity: Free Trials
Categories of Individuals: Customers; Expel employees and contractors (only employees and contractors with a need to know)
Categories of Personal Information: Name (full name); Contact data (email); Customer access data (username); Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, URLs accessed, file paths, machine names, and system activity)
Role and Purpose of Processing: Data Processor. The purpose of processing is to carry out a 14 day free trial of the Expel MDR for cloud infrastructure services aligned with the Alert triaging, investigation, and remediation processing activity

Processing Activity: UX Research
Categories of Individuals: Customers and employees (only employees with a need to know)
Categories of Personal Information: Customer access data (username); Name data (full name); Contact data (email); Usage data; Measured values (Workbench activity)
Role and Purpose of Processing: Data Controller. The purpose of processing is to derive insights on what features Workbench users may prefer / use more and dislike / use less, to continually enhance the platform and security services

Table 1.1

Information collected or shared via third party sources:

Our third party providers (also known as ‘subprocessors’) only receive personal info about our customers for the limited purposes of providing us with their services. When we engage a third party who will need access to process personal info as part of their services provided to Expel, we ascertain that the third party is capable and obligated to provide at least the same level of data privacy and security protections we hold ourselves to. Examples of those third parties include, but are not limited to:

  • Email delivery;
  • Customer collaboration and communications solutions;
  • Software development and analytics solutions;
  • Application log aggregation systems; and
  • Cloud infrastructure services.

Our third parties are required to notify us if they can no longer meet the expected level of protections required to safeguard personal info. We still monitor compliance of our subprocessors, pursuant to our third party security assessment procedures, depending on the nature of the services being provided.

Our subprocessor list can be accessed here.

Information collected via cookies:

Personal info may be collected via cookies and tracking technologies embedded within Workbench. Cookies are small pieces of info that a website sends to your computer’s hard drive while you are viewing the website. We use tracking cookies, such as Mixpanel and Pendo, to record Workbench user activity and report on what pages and features users utilize. In particular, we use analytics services provided by Mixpanel to provide us with analytics data regarding users’ interactions with our Site and Services.

You may opt-out of Mixpanel’s automatic retention of data that is collected while using our Services by visiting https://mixpanel.com/optout/. To track opt-outs, Mixpanel uses a persistent opt-out cookie placed on your device. Please note that if you get a new computer, install a new browser, erase or otherwise alter the browser’s cookie file (including upgrading certain browsers), you may delete the Mixpanel opt-out cookie.

If you’d like additional info regarding cookies, or if you decide at any time that you no longer wish to accept cookies, other than those necessarily required for the function and operation of Workbench and the delivery of our Services, please reference our Expel Cookies Policy for further details.

Do not track browser settings:

Some Internet browsers like Firefox, Internet Explorer, and Safari include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, we do not currently process or respond to “DNT” signals. To learn more about “DNT”, please visit “All About Do Not Track”.

4. Legal grounds for processing personal info

When the law allows us to, Expel will only use personal info that is tied specifically to our customer (i.e., the entity with whom we have a business/contractual relationship and with whom an employee at that entity has an employment contract). This means that in most cases we are collecting and processing your personal info on behalf of your organization.

Expel’s legal grounds for collecting and using personal info will depend on the individual from whom the personal info is collected, the actual personal info concerned, and the specific context in which we collect it.

Note that we may process personal info on more than one legal basis depending on the specific purpose for which we are using data.

Usually, we collect personal info in the following circumstances:

  • Where the collection of personal info is needed for the performance of a contract we are about to enter into or have entered into with you.
  • Where the processing of the personal info is in our legitimate interests and the interests and fundamental rights of the individual do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where the collection of personal info is required for the vital interests of the individual or another person.

In limited cases where we may rely on consent (i.e., receiving consent from you or any customer representative who registers for an Expel Workbench account), you have the right not to provide consent or to withdraw consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, nor will it affect the processing of personal info conducted in reliance on lawful processing grounds other than consent.

5. We go to great lengths to keep personal info safe

We care a whole lot about the security of personal info, which is why we use what we think are the most appropriate administrative, organizational, technical, and physical measures designed to protect the personal info our customers provide to us. For example, Expel employs at various points in our infrastructure logical and physical access controls, encryption, firewalls, intrusion detection and network monitoring, and secure development practices.

Only authorized personnel have access to the personal info you provide, and each Expel employee with access to personal info is obligated to maintain its integrity and confidentiality.

While we follow generally accepted standards to protect personal info, no method of storage or transmission is 100% secure. If you have reason to believe that your interaction with us is no longer secure, you should immediately contact us.

6. Your data privacy rights and choices

Expel respects you and your privacy and data protection rights. Depending on where you live, the kinds of personal info we’ve collected about you, and the nature of how we process it, you’ll be able to exercise certain rights over your personal info based on regulations and laws that apply.

Residents of the European Economic Area (EEA), the United Kingdom, and Switzerland:

Expel responds only to verifiable privacy requests received from individuals who wish to exercise their privacy and data protection rights in accordance with the European Union General Data Protection Regulation (EU GDPR).

In relation to the personal info we are responsible for as a data controller in Workbench and via our Services (as referenced in Table 1.1), if you would like to have your personal info corrected, updated, restricted, or deleted, please submit a privacy request via the Expel Privacy Webform.

Specific to the personal info we are responsible for as data processor in Workbench and via our Services (as referenced in Table 1.1), if you would no longer like to be contacted by one of our customers or would like to have your personal info corrected, updated, restricted, or deleted, please contact your organization (the Expel customer and data controller) that you interact with directly. Requests submitted via our Expel Privacy Webform, which pertain to personal info we hold as a data processor, will be deferred to your organization.

We prefer to answer your questions, requests, and concerns about how we handle personal info directly. We’ll make good faith efforts to honor reasonable requests submitted to us. You do have the right to lodge a complaint with EU Data Protection Authorities (DPAs) about Expel’s collection and use of your personal info. For the contact info of the Data Protection Authorities for each European Union Member State, please click here.

Aligning with Articles 37 – 39 of the EU GDPR, Expel has appointed a Data Protection Officer (DPO), who informs and advises Expel of its obligations pursuant to the EU GDPR and other applicable privacy and data protection laws and regulations. The Expel DPO can be reached at privacy@expel.io.

California residents’ rights under the California Consumer Privacy Act (‘CCPA’), as amended by the California Privacy Rights Act (CPRA):

Expel operates as a Business to Business (‘B2B’) security operations company, and the CCPA provides consumers (California residents) with specific rights regarding the processing of their personal info. Expel only responds to verifiable requests received from individuals who wish to exercise their privacy and data protection rights in accordance with applicable data protection laws. When contacting us, please provide us with detailed info about the personal info you are requesting we correct, update, amend, or remove, and the timeframe and manner in which we came to collect your personal info.

We will not sell, trade, or rent personal info of a California resident. Specific to the personal info we are responsible for as a data processor in Workbench, if you would no longer like to be contacted by one of our customers or would like to have your personal info corrected, updated, amended, or removed, please contact our Expel customer (“the data controller”) directly. Requests submitted via our Expel Privacy Webform, which pertain to personal info we hold as a data processor, will be deferred to your Organization.

Expel will not discriminate against you or our customers (e.g., through denying Workbench or Services, or providing a different level or quality) for exercising any of the privacy and data protection rights afforded to you.

Subject to exceptions, we can receive requests for disclosure, deletion of personal info, correction of your personal info, and opt out of any sharing of personal info that we handle as a Data Controller. Requests may be submitted via the Expel Privacy Webform.

If Expel obtained your personal info via a third party acting on your behalf, you should contact the company/entity or person you provided your info to.

7. Law enforcement, regulatory, and statutory compliance

Under certain circumstances, we may be required to disclose your personal info in response to valid requests by public authorities, law enforcement officials, or other third parties as necessary to comply with national security or legal process requirements. This may be required to protect the rights, privacy, safety, or property of Expel, you, or others as required by applicable laws.

8. How long we keep personal info

We keep your personal info only for as long as it is warranted to provide our Services, fulfill our commitments to your Organization, and/or adhere to legal or regulatory requirements. Certain personal info may be kept and archived beyond our relationship or the end of our Services, as required for legitimate interests such as recordkeeping, backing up Services data, and statistical insights/metrics for product enhancement purposes.

According to Expel’s Data Retention Policy, retention-limited data can be split into the following categories:

  • “Source Alert data” is data automatically sent to Expel by Licensee’s security technologies and is ingested into Expel’s platform. Examples of Source Alert Data include alerts generated by firewalls, anti-malware endpoint technologies, and SIEMs that are automatically sent to Expel for processing.
  • “Expel Alert data” are alerts presented in Expel Workbench, generated from Expel’s detection engine making decisions on the ingested Source Alert Data. These alerts will be represented as an Expel Alert, with one or more associated Vendor Alerts (a normalized version of the Source Alert data above).
  • “Investigative data” is data that is polled from the Licensee as a result of potential or active security investigations. This data may be gathered manually by an analyst or automatically by Expel technology due to the creation and actions associated with a security investigation. Examples of Investigative data include log files, results of SIEM queries, process username with arguments, and process traces.
  • “Derived data” is data and work product that is generated, both manually and automatically, through the investigative process that is the result of multiple investigative actions and includes Confidential information of the Licensee. Examples of Derived data include incident reports, summary information of an incident, and presentations containing Confidential information of the Licensee.
  • “Self Assessment Data” is data, collected by Expel or provided by the Licensee, which is used to assess the state of security, privacy, or other aspects of Licensee’s systems. Examples of Self Assessment Data include responses to periodic evaluations based on the NIST Cybersecurity Framework (NIST CSF) or Privacy Framework (NIST PF).
  • “Derived Labeled Data” is data generated by automated or manual processing that creates a label, classification or other summary statistic (that can be used in further research). Examples of Derived Labeled Data generated by manual processing include analysts changing an investigation to an incident, and the parameters they provided when taking investigative actions. Examples of Derived Labeled Data generated by automated processing systems include file paths and associated number of times Expel has observed the given artifact.
  • “Configuration Data and Credentials” is configuration and credential information for Licensee’s systems and network used for the purposes of enabling Expel technologies and analysts to interact with Licensee’s technologies as part of the Expel service. Examples of Configuration Data and Credentials include usernames, passwords, and API keys for accessing security consoles, IP addresses of security devices, and usernames of Licensee administrative users.
  • “Insights” are anonymous profiles, summary statistics, and other derivative works based on the Licensee Content that Expel may use in connection with its business purposes; provided, however, that such Insights do not disclose any Confidential Information of Licensee or otherwise disclose the identity of Licensee or any Authorized User. Examples of these include trend reporting, new attack signatures, and actor profiles. Expel will own all such Insights.
  • “Customer/Prospect Contact and Relationship Data” is information and details captured about a current, former, or prospective customer of Expel. Examples of Customer/Prospect Contact and Relationship Data may include a customer/prospect employee’s name, title, office location, phone number, email address, among other information.

Data Retention Periods

Notwithstanding outside legal, regulatory, or contractual restrictions, Expel will retain the following Workbench and Services data based on the schedule outlined below:

  • Alert data – By default for up to 15 months from time of collection or longer if configured by the customer, or for up to 30 days after termination of Agreement, whichever comes first.
  • Email data (as it pertains to the Expel for Phishing service) – By default for up to 15 months from time of collection or longer if configured by the customer, or for up to 30 days after termination of Agreement, whichever comes first.
  • Derived data (associated alerts) – By default 15 months from time of collection (which can be configured upon request), or 30 days after termination of Agreement, whichever comes first.
  • Self Assessment Data – For up to 30 days after termination of Agreement.
  • Derived Labeled Data – Expel can retain this data indefinitely.
  • Configuration data and credentials – For up to 7 days after termination of Agreement.
  • Insights/statistical data – Expel can retain this data indefinitely.
  • Slack Communications – Expel will archive customer channels in Slack upon termination of Agreement, and 30 days post termination date, customer channels will be deleted.
  • Zendesk Communications – Expel will delete customer data from Zendesk upon termination of Agreement.

Expel adopts a data minimization approach when it comes to personal info we retain beyond fifteen (15) months. When personal info is deemed expired, no longer needed, and does not have to be retained, we follow industry leading standards with the secure deletion, destruction, and anonymization of personal data, depending on what method is systematically and procedurally possible, most secure, and what our related retention commitments are. As retention periods lapse, we use automated processes through periodic audits to identify and securely delete personal info. If automated deletion is not possible, secure manual deletion may be performed. For additional detail regarding Expel’s data retention practices, Expel’s Data Retention Policy can be provided upon request.

9. International data transfers

Personal info may be transferred, stored, and processed by us or our third party vendors in countries whose data protection laws and regulations may be different to those of your country.

Expel only permits cross border (‘international’) transfers of personal info made between countries or regions when supported by an appropriate legal agreement or an alternative provision that ensures sufficient safeguards and obligations to personal info rights are commensurate. The sufficiency of these agreements and provisions depends on the countries or regions the personal info is transferred from and to. Examples of agreements and provisions that may be suitable for transfers (depending on the nature of the international exchange) include, but are not limited to, the following:

  • The nation or region where personal info is transferred from recognizes the nation or region where personal info is transferred to as having adequate protections in place.
  • Standard data protection clauses are established.
  • An approved code of conduct is in place that is paired with binding and enforceable commitments set upon the organization in the third country.
  • An approved certification mechanism is in place that is paired with binding and enforceable commitments set upon the organization in the third country.
  • Where applicable, an approved certification mechanism paired with binding and enforceable commitments set upon the organization in the third country.

EU-U.S. Data Privacy Framework, U.K. Extension and Swiss-U.S. Data Privacy Framework

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) entered into force. The EU-U.S. DPF Principles entered into effect as of the same date. Expel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Expel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Expel has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Expel commits to resolve complaints about our collection or use of your Personal Data. If you have any questions, complaints and/or other concerns, please first contact us at: privacy@expel.io or via the Expel Privacy Webform.

For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

You may also lodge a complaint with your local data protection authority, with the Data Protection Authority in Ireland, namely the Data Protection Commission, at dpo@dataprotection.ie, the UK Information Commissioner’s Office (ICO), at https://ico.org.uk/, or Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/edoeb/en/home.html.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Expel commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF.

The Federal Trade Commission has jurisdiction over compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF for Expel.

In the context of an onward transfer, Expel has responsibility for the processing of personal data it receives under privacy principles including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Expel shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

10. Children’s privacy

We do not knowingly collect info relating to children. If we learn that we’ve collected personal info from an individual deemed to be under the age of 16, we’ll take appropriate measures to investigate and address the issue promptly. The use of Workbench and our Services is specifically for delivering security operations solutions to businesses and not children.

11. Changes to this privacy policy

We’re constantly looking to improve our site and services, so we may need to update this privacy policy from time to time. We’ll notify you of any substantive changes to our Privacy Policy by, for example, placing a notice on our site and/or by sending you an email (if you have registered your email details with us) when we are required to do so by applicable law. You’ll be able to see when this Privacy Policy was last updated by checking the “Last Updated” date above. You should consult this Privacy Policy regularly for any changes.

12. Contact us

If you have any questions or requests about this privacy policy, our Services, or how we manage your personal info, please contact us through our Expel Privacy Webform or by contacting:

Expel, Inc.
Attn: Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170
+1 (844) 397-3524

Email: privacy@expel.com


Expel Subprocessors

Updated: September 30, 2022

In the spirit of transparency and in compliance with applicable data protection laws, we would like to provide you with a current list of our subprocessors for the managed detection and security services we provide.

Expel has authorized these subprocessors to process your personal information on our behalf to ensure we can effectively provide you with our services.

We take a risk based approach within our third party security and privacy assessment practices to ensure these subprocessors have sufficient mechanisms and safeguards in place to protect your personal data.

If you have any questions regarding this list please email us at privacy@expel.com.

| Subprocessor | Activity | Hosting Location |
|---|---|---|
| Atlassian | Internal wiki and collaboration; Agile software development tracking | United States |
| Analytica42 | Supporting Expel’s Co-Managed SIEM Services | United States |
| AskNicely | Zendesk ticket, NPS, and offboarding survey tool | United States |
| Clearbit | Data Enrichment Services | United States |
| Courier | Customer Notification Management | United States |
| DataDog | System processing monitoring and metrics | United States |
| Elastic | Application search capability and visualization | United States |
| Fastly Signal Sciences | Web Application Firewall for Workbench | United States |
| Functional Software, Inc. (Sentry) | Application monitoring and error tracking | United States |
| Gainsight PX | User activity/analytics — platform enhancement | United States |
| Guidepoint Security | Supporting Expel’s Co-Managed SIEM Services | United States |
| Google Cloud | Infrastructure, Data Hosting, Office Productivity, and Data Analytics | United States |
| Hex.Tech | Jupyter Notebooks Management and Analytics | United States |
| Mailgun | Email solution | United States |
| Matik | Data Driven Content Creation – Customer Success | United States |
| Mio | Customer Notification Management | United States |
| Mixpanel | User activity/analytics — platform enhancement | United States |
| Okta | Single Sign On | United States |
| OneTrust | Data privacy management and compliance system | United States |
| Pagerduty | Incident Alerting Services | United States |
| PM2Net | Supporting Expel’s Co-Managed SIEM Services | United States |
| Salesforce | Customer relationship management, internal analytics, benchmarking, and support | United States |
| Sisense | Business Intelligence and Analytics | United States |
| Slack | Collaboration and internal messaging tool | United States |
| Solarwinds | Log Aggregation | United States |
| SumoLogic | Cloud data analytics (security, operations, business intelligence) | United States |
| Variedy | Supporting Expel’s Co-Managed SIEM Services | United States |
| VMRay | Email analysis application | United States |
| Zendesk | Ticketing and support | United States |