Expel notices

Howdy! Welcome to Expel’s Privacy Center. At Expel, we believe security can’t exist without privacy. We believe transparency is at the heart of what we do and in the security services we provide you. We’d like to make sure you understand your privacy rights and the who, what, when, how, and why we manage and use your personal information.

Security and privacy stuff should be painless, and that’s why we’ve created these privacy artifacts below to ensure you have the information you need. Please take the time to review these painless, yet important, privacy artifacts below.

Expel Online Privacy Policy

Last Updated: July 1, 2020

Howdy!

Thanks for visiting Expel, and double thanks for checking out our privacy policy.

We know privacy policies can sometimes be pretty boring to read, so we’ll try to keep ours (somewhat) entertaining because you’re legally bound to the provisions below if you use our site or services.

Expel provides a web-based security platform that businesses use to monitor their network security and react to security issues.

Expel’s Privacy Principles are held in high regard by our employees, and are not meant to disrupt our managed detection and response services. They are meant to demonstrate how easily we enable and safeguard your privacy within our practices and culture.

This online privacy policy describes how Expel (collectively “Expel,” “we,” “us” or “our”) handles personal info that we collect through our websites, through social media, in connection with our marketing activities, and through other activities described in this privacy policy.

If you’re a current customer using Expel Workbench (‘Workbench’) and are receiving our Managed Detection and Response services via our Security Operations Center, please refer to our Transparent Managed Security Privacy Policy.

This privacy policy does not apply to info that we process on behalf of our business customers while delivering Workbench and our Managed Detection and Response services.  Our use of this info is restricted by our agreements with those business customers. If you have concerns regarding personal info that we process on behalf of a business, you should direct your concerns to that business.

1. Our Privacy Principles

Of Expel’s core values, transparency and accountability are held in high regard.  Our Privacy Principles listed below help guide privacy decisions throughout Expel so that we can fulfill our objectives in allowing security and privacy to be readily available, accessible, and easy to fulfill.

  1. We respect individuals’ privacy by transparently promoting informed choice.
  2. We are transparent about the personal info that we use, and we’re accountable for how our partners and third parties use it.
  3. We will only collect personal info that we need, pseudonymize, anonymize, or securely dispose of personal info that we don’t require.
  4. We factor security and privacy into everything we do.
  5. We engineer security and privacy into our ideas and products.

2. What we collect, why, and how we use it

While you’re on our website, we might collect, use, store or transfer different kinds of data about you. These kinds of data fall into different categories:

  • “personal info” is info that allows someone to identify or contact you, directly or indirectly — like your name, your email address or your phone number.
  • “non-personal info” is data that’s not associated with or linked to you or your personal info.

Info you provide to Expel:

  • We may collect personal info from you, such as your first and last name, email and mailing addresses, professional title, company name, phone number, country of residence, and state of residence when you submit a form on expel.io (our “site”) or attend one of Expel’s events.
  • If you provide us feedback or contact us via email, we’ll collect your name and email address, as well as any other content included in the email, in order to send you a reply.
  • If you visit Expel offices, we’ll collect your name, email address and phone number for physical security purposes.
  • If you provide Expel with personal info as part of the managed security services received by Expel or via your use of Expel Workbench (‘Workbench’), please see the Transparent Managed Security Privacy Policy section. Note that you cannot use our managed security services or Workbench without accepting the terms of our Workbench Privacy Policy.
  • When you apply for a job at Expel via our site, we’ll ask you to provide personal info about yourself so we can evaluate your application. If this info isn’t provided, our ability to consider you as a candidate may be limited.  You may also provide us with your personal info that we don’t specifically request (for example, your resume/CV may contain info about your hobbies and social preferences).
    • The types of personal info we collect about you may include:
      • First/last name, email, phone, info on how you may have heard about the open role, inclusions identifying you within your resume/CV, inclusions identifying you or other individuals in a cover letter (optional submission by you), and the link to your LinkedIn profile (optional submission by you).
    • Regarding special categories of info within the Expel hiring process:
      • In connection with your application on our careers site, Expel doesn’t request or require special categories of personal info regarding religion, race or ethnic origin, gender, health, sexual orientation, membership of a trade union, or political affiliation.
        • We request that you do not provide this info, but if you do we may delete it and it will not be considered as part of your application to Expel.
        • Further, if you do provide us with special categories of info (religion, race or ethnic origin, gender, health, sexual orientation, membership of a trade union, or political affiliation), you expressly authorize Expel to handle this info in accordance with this policy.
      • If you have a disability and would like for us to consider an accommodation, you may provide that info during the recruitment process.
  • Other info that we may collect which is not specifically listed here, which we will use as described in this privacy policy or as otherwise disclosed at the time of collection.

Info collected via our site:

If you opt-in to our mailing lists online or in person, you’ll receive emails that may include Expel news, updates, related product or service info, and other Expel related info.

Our site gathers info when interacting with you, some of which may be considered personal info in your jurisdiction.  Info collected and used by means of technology may include, among other things:

  • Internet Protocol (IP) address
  • Browser info
  • Device ID
  • the type of computer and technical info about your means of connection to our site or web portal.

Expel may also use tracking technologies to collect info that will enhance your experience and use of our site:

  • “Cookies” are small pieces of info that a website sends to your computer’s hard drive while you’re viewing the website. For additional info regarding cookies, please visit our Cookie Policy.
  • “Pixel Tags” (also referred to as clear Gifs, Web Beacons, or Web Bugs). Pixel tags are tiny graphic images with unique identifiers, similar in function to cookies, that are used to track online movements of web users. For additional info regarding pixel tags, please visit our Cookie Policy.
  • Google Analytics: We use Google Analytics to help analyze how users like you utilize our site.  This leverages the use of Cookies to collect info such as  how often users visit our site, what pages they visit, and what other sites they used prior to coming to our site.

Do not track browser settings:

Some Internet browsers like Firefox, Internet Explorer, and Safari include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, we do not currently process or respond to “DNT” signals. To learn more about “DNT”, please visit “All About Do Not Track”.

Info collected or shared via third party sources:

When we collect personal info, there’s a chance it’ll be shared with third-party vendors who help us operate and maintain our site and services. Examples of those third parties include, but are not limited to:

  • Email delivery;
  • Marketing automation; and
  • Cloud infrastructure services.

Examples of third parties where Expel receives or provides personal info:

  • From time to time, we may receive personal info about you from third parties where they have indicated that they have your consent or are otherwise legally permitted or required to disclose your personal info to Expel. For example, we may be provided with info about individuals who could be interested in using our offerings (for example, LinkedIn Sales Navigator, ZoomInfo, etc.);
  • From a business-to-business (B2B) sales perspective, another individual at your company or organization may provide us with your business contact info for the purposes of obtaining services;
  • From time to time, Expel may obtain info about you with the purpose of conducting a background screening if you’re selected to join our awesome Expel team via our careers and recruitment process. We conduct background screenings through a third-party service provider and verify info that you have in your job application that relates to your past education, employment, credit and/or criminal history, as allowed by applicable law;
  • For the purposes of recruiting, Expel may share or exchange your personal info with recruitment agencies. If your personal info is shared in this way, Expel will only do so on a “need-to-know” basis, and we’ll seek to ensure it’s only used in connection with our recruitment process; and
  • You may also choose to provide Expel with access to certain personal info stored by third parties such as job-related social media sites (for example, LinkedIn). By authorizing Expel to have access to this info, you agree that Expel may collect, store and use this info in accordance with this Privacy Policy.

Our third party service providers only receive personal info about you for the limited purposes of providing us with their services.  When we engage a third party who will need to access and process your personal info as part of their services, we require contractual obligations to provide at least the same level of data privacy and security protections we hold ourselves to.  Our subprocessor list can be accessed here.

Our third parties are required to notify us if they can no longer meet the expected level of protections required to safeguard personal info.  We still continuously monitor for compliance, pursuant to our third party security assessment procedures, depending on the nature of the services being provided.

Why we collect and process personal info when you visit our site:

We may collect your personal info for the following purposes outlined below:

  • Personal info you submit to us is used either to respond to requests that you make, or to help us serve you better. Expel uses your personal info to achieve the following:
    • respond to your inquiries related to employment opportunities or other requests;
    • send you a welcome email to the email address provided when your personal info is first submitted;
    • make telephone calls to you, from time to time; and
    • send newsletters, surveys, offers and other promotional materials related to our services and for other marketing purposes of Expel.
  • To manage our relationship with you which includes notifying you about changes to our terms.
  • To administer and protect Expel and our site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
  • To provide relevant website content and measure or understand the effectiveness of the content we provide you.
  • To use data analytics for research and development purposes and to improve our site, our products, marketing efforts, client relationships and experiences. As part of these activities, we may create aggregated, de-identified or other anonymous data from personal info we collect.  We make personal info into anonymous data by removing info that makes the data personally identifiable to you.  We may use this anonymous data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
  • To make suggestions and recommendations to you about Expel products and services that may be of interest to you.
  • To assist within the recruitment, selection, evaluation, and appointment of job candidates (temporary or permanent) for the job(s) you may have applied for.
    • Also to include the performance of any satisfaction surveys (optional submission by you) which would help Expel manage and improve the recruitment process.
  • For compliance and protection, in particular to:
    • comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
    • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
    • audit our internal processes for compliance with legal and contractual requirements and internal policies;
    • enforce the terms and conditions that govern the Service; and
    • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

3. Third party websites accessed via Expel.io

Our site contains some links to third-party websites. When you click on a link to a website that we don’t operate, you’ll leave our site and go to another website, and that website might collect personal or anonymous data from you. Remember that we don’t have control over and aren’t responsible for these non-Expel websites or their content. And just because we link to another website doesn’t mean we endorse those third parties, their products, their content or the website itself.

4. Legal grounds for processing personal info

Expel will only use your personal info when the law allows us to do so. Expel’s legal basis for collecting and using personal info will depend on the personal info concerned and the specific context in which we collect it.

Note that we may process your personal info for more than one legal basis depending on the specific purpose for which we are using your data.

Usually, we collect your personal info in the following circumstances:

  • Where the collection of personal info is needed for the performance of a contract we are about to enter into or have entered into with you.
  • Where the processing of the personal info is in our legitimate interests and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where the collection of personal info is required for your or another’s vital interests.

Generally, Expel does not rely on consent as a legal ground for processing your personal info, other than sending direct marketing communications to you via email. If you have provided your consent to receive email marketing from us, you have the right to withdraw your consent to email marketing at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal info conducted in reliance on lawful processing grounds other than consent.

5. We go to great lengths to keep your info safe…

We care a whole lot about the security of your personal info, which is why we use what we think are appropriate administrative, organizational, technical and physical measures to protect the personal info you provide to us. Only authorized personnel have access to the personal info you provide, and each Expel employee with access to personal info is obligated to maintain its integrity and confidentiality.  If you have reason to believe that your interaction with us is no longer secure, you should immediately contact us.

6. …and you can choose what to share (or not to share) at any time.

You’ve got choices as to what we share with you and what you share with us. For example:

  • Email communications. We often send emails that talk about our services, or share our latest blog posts. When you receive promotional communications from us, you may indicate a preference to stop receiving further communications from us and you’ll have the opportunity to “opt-out” by following the unsubscribe instructions provided in the email you receive or by contacting us.
  • If you decide at any time that you no longer wish to accept cookies, other than those necessarily required for the function and operation of our site and for any of the purposes described above, please reference our Cookie Policy for further info.

7. Your data privacy rights and choices

Expel respects you, your privacy, and your data protection rights.  Depending on where you live, the kinds of personal info we’ve collected about you, and the nature of how we process it, you’ll be able to exercise certain rights over your personal info based on regulations and laws that apply.

Residents of the European Economic Area (EEA), the United Kingdom, and Switzerland:

Expel responds only to verifiable privacy requests received from individuals who wish to exercise their privacy and data protection rights in accordance with the European Union General Data Protection Regulation (EU GDPR).

  • If you wish to access, correct, update or request deletion of your personal info, you can do so at any time by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.
  • You can object to processing of your personal info, ask us to restrict processing of your personal data, or request portability of your personal info. You can exercise these rights by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.
  • You can opt-out of marketing communications we send to you at any time by clicking on the “unsubscribe” link in the marketing emails we send you or by contacting us directly via the Expel Privacy Webform.
  • Telephone Marketing (‘telemarketing’): You can exercise this right by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.
  • If Expel has collected and processed your personal info with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the legal grounds of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal info conducted in reliance on legal processing grounds other than consent.
  • We prefer to answer your questions, requests, and concerns about how we handle personal info directly. We make good faith efforts to honor reasonable requests submitted to us.  You do have the right to lodge a complaint with EU Data Protection Authorities (DPAs) about Expel’s collection and use of your personal info. For the contact info of the Data Protection Authorities for each European Union Member State, please click here.

California residents’ rights under the California Consumer Privacy Act (‘CCPA’):

Expel operates as a Business to Business (‘B2B’) security operations company, and the CCPA provides consumers (California residents) with specific rights regarding the processing of their personal info.

We’ll never knowingly sell, trade, or rent your personal info — it goes against our company’s DNA.

Subject to exceptions, you may request disclosure or request deletion of your personal info by contacting Expel using the details provided in our ‘Contact us’ section or via the Expel Privacy Webform.

Expel will not discriminate against you (e.g., through denying goods or services, or providing a different level or quality of goods or services) for exercising any of the rights afforded to you.

Expel responds to verified requests received from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. When contacting us, please provide us with detailed info about the personal info you’re requesting we access, correct, update, restrict, or delete, and the timeframe and manner in which you believe we came to collect your personal info.

If Expel obtained your personal info via an Expel customer or a third party acting on your behalf, you should contact the company/entity or person you provided your info to.

8. Law enforcement, regulatory, and statutory compliance

Under certain circumstances, we may be required to disclose your personal info in response to valid requests by public authorities, law enforcement officials, or other third parties as necessary to comply with national security or legal process requirements.  This may be required to protect the rights, privacy, safety, or property of Expel, you, or others as required by applicable laws.

9. How long we keep your info

We keep your personal info only for as long as it’s warranted to provide our Services or otherwise operate under this privacy policy, fulfill our commitments to you, and/or adhere to legal or regulatory requirements.

Customer and prospect data, which is contact info and details on Expel’s relationship with current, former, and prospective customers, is retained indefinitely (which aligns with common industry practices).  If an individual expresses that they do not wish to receive any direct marketing communications or other forms of outreach, Expel will deactivate such contacts and systematically enforce a suppression list.

When personal info is expired, or is no longer needed and does not have to be retained, we shall securely delete, destroy, or anonymize it, depending on what method is systematically and procedurally possible, most secure, and what our related retention commitments are.

10. International data transfers

Expel only permits cross-border (‘international’) transfers of personal info made between countries or regions when supported by an appropriate legal agreement or an alternative provision that ensures sufficient safeguards and obligations to personal info rights are commensurate. The sufficiency of these agreements and provisions depends on the countries or regions the personal info is transferred from and to. Examples of agreements and provisions that may be suitable for transfers (depending on the nature of the international exchange) include, but are not limited to, the following:

  • The nation or region where personal info is transferred from recognizes the nation or region where personal info is transferred to as having adequate protections in place.
  • Standard data protection clauses are established.
  • An approved code of conduct is in place that’s paired with binding and enforceable commitments set upon the organization in the third country.
  • An approved certification mechanism (e.g., a safe harbor such as the Privacy Shield in the U.S.) is in place that’s paired with binding and enforceable commitments set upon the organization in the third country.

11. A note to users outside of the United States

If you’re a non-U.S. user of the Expel site, by visiting our site and providing us with your personal info, you acknowledge and agree that your personal info may be processed for the purposes identified in this privacy policy. In addition, your personal info may be processed in the country in which it was collected and in other countries, including the United States, where laws regarding processing of personal info may be less stringent than the laws in your country. By providing your personal info to Expel, you consent to this transfer.

We take the security of your data seriously.  Any transfers of your personal info will have sufficient safeguards in place that are in line with industry leading security and privacy standards.

12. Children’s privacy

We do not knowingly collect info relating to children. If we learn that we’ve collected personal info from an individual deemed to be under the age of 16, we’ll take appropriate measures to investigate and address the issue promptly.

13. Changes to this privacy policy

We’re constantly looking to improve our site and services, so we may need to update this privacy policy from time to time.

We’ll notify you of any substantive changes to our online privacy policy by, for example, placing a notice on our site and/or by sending you an email (if you have registered your email details with us) when we are required to do so by applicable law. You’ll be able to see when this privacy policy was last updated by checking the “Last Updated” date above. You should consult this online privacy policy regularly for any changes.

Contact us

If you have any questions or requests about this privacy policy, our Services, or how we manage your personal info, please contact us through our Expel Privacy Webform or by contacting:

Expel, Inc.
Attn:  Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170
+1 (844) 397-3524
Email: privacy@expel.io

Transparent Managed Security Privacy Policy

Last Updated: July 1, 2020

Howdy!

Thanks for visiting Expel, and double thanks for checking out our Transparent Managed Security Privacy Policy. This policy applies to info that we process on behalf of our business customers (“customer(s),” “consumers,” or “your Organization”) and their end-users (“You”) via the Expel Workbench (“Workbench”) and our Managed Detection and Response services (“Services”). Our use of this info is restricted by our agreements with our customers.

This policy is not meant to disrupt our managed detection and response operations, but to the contrary, it’s to articulate how we enable and safeguard your privacy. We know privacy policies can sometimes be pretty boring to read and super long, so we’ll try to keep ours (somewhat) entertaining and easy to understand per our Privacy Principles noted below.

By sharing your personal info with us, and continuing to use our services, you confirm that you have read and understood the terms of this policy.

1. Scope

This policy applies to the personal info made available by our customers and partners and through the use of Workbench.  All Expel employees, partners, customers, and vendors, who have access to and are responsible for processing personal info in Workbench, are subject to this policy.

In regards to any personal info that we collect via our site (https://www.expel.io), product feedback or surveys, in connection with our events, sales and marketing activities, and when you apply for a job role with Expel through our site or otherwise, please visit our Expel Online Privacy Policy.

Workbench and our Services are intended for use by organizations, and administered to you by your Organization, and are subject to your Organization’s policies, if any.  This means that in most cases we are collecting and processing your personal info on behalf of your Organization.

This policy applies to the limited personal info we collect and use for our own purposes as a data controller in connection with user authentication into Workbench and user experience (UX) research, and it covers personal info we process on behalf of your Organization as a ‘data processor’ through the use of Workbench and Services received by your Organization from Expel’s Security Operations Center (SOC). It’s primarily your Organization, as the data controller, that controls what personal info about you we collect and how we use it.

If you have privacy-related questions or concerns about your Organization’s privacy practices or the choices your Organization has made to share your info with us or any other third party, you should refer to your Organization’s privacy policies, and reach out to the individual(s) who manage the Expel vendor relationship/Workbench administrator at your Organization.

Expel would not be responsible for the privacy or security requirements of our Customers outside of the services we provide, which may differ from those set forth in this policy.

If you have any questions about this policy, please reach out to our security and privacy team provided under the “Contact Us” section of this policy.

2. Our Privacy Principles

Of Expel’s core values, transparency and accountability are held in high regard.  Our Privacy Principles below help guide privacy decisions throughout our business so that we can fulfill our objectives in allowing security and privacy to be readily available, accessible, and easy to fulfill.

  1. We respect individuals’ privacy by transparently promoting informed choice.
  2. We are transparent about the personal info that we use, and we’re accountable for how our partners and third parties use it.
  3. We will only collect personal info that we need, pseudonymize, anonymize, or securely dispose of personal info that we don’t require.
  4. We factor security and privacy into everything we do.
  5. We engineer security and privacy into our ideas and products.

3. What we collect, why, and how we use it

At Expel we take the security of personal info very seriously. We’ve established reasonable security measures designed to ensure personal info is safeguarded and accessed only by those with a need to know. We collect personal info directly from our customers and their users in connection with the provision of Workbench and our Services. Workbench collects info from our customers’ security products and applications, and that info is used to facilitate the delivery of our Services to our customers, including managing and monitoring the infrastructure, providing support (“Security Operations Data”), and for Expel’s own analytics and product improvement purposes (“Usage Data”) as mentioned in Table 1.1 below.

| Processing Activity | Categories of Individuals | Categories of Personal Information | Role and Purpose of Processing |
| --- | --- | --- | --- |
| Account creation on the Expel Workbench | Corporate Customers and Expel employees (only employees with a need to know) | Name (full name); Contact data (email); Profession/career data (employer); Operational classification (office/HQ location) | Data Controller. The purpose of processing is to allow customers and employees to create accounts and use Workbench (only for employees providing customers with direct support/need to know) |
| Alert triaging, investigation, and remediation | Corporate Customers and employees (only employees with a need to know) | Name (full name); Contact data (email); Customer access data (username); Usage data; Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, login activity, URLs accessed, file paths, browser history, machine names, and system activity) | Data Processor. The purpose of processing is to carry out Expel’s managed security services and threat hunting capabilities |
| Platform and security services architecture | Customers and employees (only employees with a need to know) | Name (full name); Contact data (email); Customer access data (username); Usage data; Measured values derived from customer endpoints (hostname, device identifier, IP/MAC address, geolocation, URLs accessed, file paths, machine names, and system activity) | Data Processor. The purpose of processing is to carry out Expel’s managed security services |
| Expel for Phishing | Customers and employees (only employees with a need to know) | Name data (full name); Email address; Email content that may contain PII | Data Processor. The purpose of processing is to carry out the Expel for Phishing service |
| UX Research | Customers and employees (only employees with a need to know) | Customer access data (username); Name data (full name); Contact data (email); Usage data; Measured values (Workbench activity) | Data Controller. The purpose of processing is to derive insights on what features Workbench users may prefer/use more and dislike/use less, to continually enhance the platform and security services |

Table 1.1

Information collected or shared via third party sources:

Our third party providers (also known as ‘subprocessors’) only receive personal info about our customers for the limited purposes of providing us with their services.  When we engage a third party who will need access to process personal info as part of their services provided to Expel, we ascertain that the third party is capable and obligated to provide at least the same level of data privacy and security protections we hold ourselves to.  Examples of those third parties include, but are not limited to:

  • Email delivery;
  • Customer collaboration and communications solutions;
  • Software development and analytics solutions;
  • Application log aggregation systems; and
  • Cloud infrastructure services.

Our third parties are required to notify us if they can no longer meet the expected level of protections required to safeguard personal info.  We still monitor compliance of our subprocessors, pursuant to our third party security assessment procedures, depending on the nature of the services being provided.

Our subprocessor list can be accessed here.

Information collected via cookies:

Personal info may be collected via cookies and tracking technologies embedded within Workbench. Cookies are small pieces of info that a website sends to your computer’s hard drive while you are viewing the website.  We use tracking cookies, such as Mixpanel and Pendo, to record Workbench user activity and report on what pages and features users utilize.  In particular, we use analytics services provided by Mixpanel to provide us with analytics data regarding users’ interactions with our Site and Services.

You may opt-out of Mixpanel’s automatic retention of data that is collected while using our Services by visiting https://mixplanel.com/optout/. To track opt-outs, Mixpanel uses a persistent opt-out cookie placed on your device. Please note that if you get a new computer, install a new browser, erase or otherwise alter the browser’s cookie file (including upgrading certain browsers), you may delete the Mixpanel opt-out cookie.

If you’d like additional info regarding cookies, or if you decide at any time that you no longer wish to accept cookies, other than those necessarily required for the function and operation of Workbench and the delivery of our Services, please reference our Expel Cookies Policy for further details.

Do not track browser settings:

Some Internet browsers like Firefox, Internet Explorer, and Safari include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, we do not currently process or respond to “DNT” signals. To learn more about “DNT”, please visit “All About Do Not Track”.

4. Legal grounds for processing personal info

When the law allows us to, Expel will only use personal info that is tied specifically to our customer (i.e., the entity with whom we have a business/contractual relationship, and with whom an employee at that entity has an employment contract).  This means that in most cases we are collecting and processing your personal info on behalf of your organization.

Expel’s legal grounds for collecting and using personal info will depend on the individual from whom the personal info is collected, the actual personal info concerned, and the specific context in which we collect it.

Note that we may process personal info for more than one legal basis depending on the specific purpose for which we are using data.

Usually, we collect personal info in the following circumstances:

  • Where the collection of personal info is needed for the performance of a contract we are about to enter into or have entered into with you.
  • Where the processing of the personal info is in our legitimate interests and the interests and fundamental rights of the individual do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where the collection of personal info is required for the vital interests of the individual or another person.

In limited cases where we may rely on consent (i.e., receiving consent from you or  any customer representative who registers for an Expel Workbench account), you have the right not to provide consent or to withdraw consent at any time.  Withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, nor will it affect the processing of personal info conducted in reliance on lawful processing grounds other than consent.

5. We go to great lengths to keep personal info safe

We care a whole lot about the security of personal info, which is why we use what we think are the most appropriate administrative, organizational, technical and physical measures designed to protect the personal info our customers provide to us. For example, Expel employs at various points in our infrastructure logical and physical access controls, encryption, firewalls, intrusion detection and network monitoring, and secure development practices.

Only authorized personnel have access to the personal info you provide, and each Expel employee with access to personal info is obligated to maintain its integrity and confidentiality.

If you have reason to believe that your interaction with us is no longer secure, you should immediately contact us.

6. Your data privacy rights and choices

Expel respects you and your privacy and data protection rights.  Depending on where you live, the kinds of personal info we’ve collected about you, and the nature of how we process it, you’ll be able to exercise certain rights over your personal info based on regulations and laws that apply.

Residents of the European Economic Area (EEA), the United Kingdom, and Switzerland:

Expel responds to only verifiable privacy requests received from individuals who wish to exercise their privacy and data protection rights in accordance with the European Union General Data Protection Regulation (EU GDPR).

In relation to the personal info we are responsible for as a data controller in Workbench and via our Services (as referenced in Table 1.1.), if you would like to have your personal info corrected, updated, restricted, or deleted, please submit a privacy request via the Expel Privacy Webform.

Specific to the personal info we are responsible for as data processor in Workbench and via our Services (as referenced in Table 1.1), if you would no longer like to be contacted by one of our customers or would like to have your personal info corrected, updated, restricted, or deleted, please contact your organization (the Expel customer and data controller) that you interact with directly.  Requests submitted via our Expel Privacy Webform, which pertain to personal info we hold as a data processor, will be deferred to your organization.

We prefer to answer your questions, requests, and concerns about how we handle personal info directly.  We’ll make good faith efforts to honor reasonable requests submitted to us.  You do have the right to lodge a complaint with EU Data Protection Authorities (DPAs) about Expel’s collection and use of your personal info. For the contact info of the Data Protection Authorities for each European Union Member State, please click here.

California residents’ rights under the California Consumer Privacy Act (‘CCPA’):

Expel operates as a Business to Business (‘B2B’) security operations company, and the CCPA provides consumers (California residents) with specific rights regarding the processing of their personal info. Expel only responds to verifiable requests received from individuals who wish to exercise their privacy and data protection rights in accordance with applicable data protection laws. When contacting us, please provide us with detailed info about the personal info you are requesting we correct, update, amend, or remove, and the timeframe and manner in which we came to collect your personal info.

We will not sell, trade, or rent personal info of a California resident.  Specific to the personal info we are responsible for as a data processor in Workbench, if you would no longer like to be contacted by one of our customers or would like to have your personal info corrected, updated, amended, or removed, please contact our Expel customer (“the data controller”) directly.  Requests submitted via our Expel Privacy Webform, which pertain to personal info we hold as a data processor, will be deferred to your Organization.

Expel will not discriminate against you or our customers (e.g., through denying Workbench or Services, or providing a different level or quality) for exercising any of the privacy and data protection rights afforded to you.

Subject to exceptions, we can receive requests for disclosure or deletion of personal info that we handle as a Data Controller.  Requests may be submitted via the Expel Privacy Webform.

If Expel obtained your personal info via a third party acting on your behalf, you should contact the company/entity or person you provided your info to.

7. How long we keep personal info

We keep your personal info only for as long as it is warranted to provide our Services, fulfill our commitments to your Organization, and/or adhere to legal or regulatory requirements. Certain personal info may be kept and archived beyond our relationship or the end of our Services, as required for legitimate interests such as recordkeeping, backing up Services data, and statistical insights/metrics for product enhancement purposes.  Notwithstanding outside legal, regulatory, or contractual restrictions, Expel will retain the following Workbench and Services data based on the schedule outlined below:

  • We retain incident data for the contract life of each customer, plus 30 days, except for data that is required to provide context for investigations and incidents, in which case that will be retained for up to the life of the Agreement
    • Incident data includes all investigative findings, derived data, investigative actions and outcomes, comments, timeline, etc.
  • Alert data – 1 year after time of collection, or 30 days after termination of Agreement, whichever comes first
  • Email data (as it pertains to the Expel for Phishing service) – 1 year after time of collection or 30 days after termination of Agreement, whichever comes first
  • Derived data (associated alerts) – 1 year, or 30 days after termination of Agreement, whichever comes first
  • Self Assessment Data – Until 30 days after termination of Agreement
  • Derived Labeled Data – Expel can retain this data indefinitely
  • Configuration data and credentials – 7 days after termination of Agreement
  • Insights/statistical data – Expel can retain this data indefinitely

Expel adopts a data minimization approach when it comes to personal info we retain beyond one (1) year.  When personal info is deemed expired, no longer needed, and does not have to be retained, we follow industry leading standards with the secure deletion, destruction, and anonymization of personal data, depending on what method is systematically and procedurally possible, most secure, and what our related retention commitments are.  As retention periods lapse, we use automated processes through periodic audits to identify and securely delete personal info. If automated deletion is not possible, secure manual deletion may be performed.

8. International data transfers

Personal info may be transferred, stored, and processed by us or our third party vendors in countries whose data protection laws and regulations may be different to those of your country.

Expel only permits cross border (‘international’) transfers of personal info made between countries or regions when supported by an appropriate legal agreement or an alternative provision that ensures sufficient safeguards and obligations to personal info rights are commensurate. The sufficiency of these agreements and provisions depends on the countries or regions the personal info is transferred from and to.  Examples of agreements and provisions that may be suitable for transfers (depending on the nature of the international exchange) include, but are not limited to, the following:

  • The nation or region where personal info is transferred from recognizes the nation or region where personal info is transferred to as having adequate protections in place.
  • Standard data protection clauses are established.
  • An approved code of conduct is in place that is paired with binding and enforceable commitments set upon the organization in the third country.
  • An approved certification mechanism (e.g., a safe harbor such as the Privacy Shield in the U.S.) is in place that is paired with binding and enforceable commitments set upon the organization in the third country.

9. Children’s privacy

We do not knowingly collect info relating to children. If we learn that we’ve collected personal info from an individual deemed to be under the age of 16, we’ll take appropriate measures to investigate and address the issue promptly.  The use of Workbench and our Services is specifically for delivering security operations solutions to businesses and not children.

10. Changes to this privacy policy

We’re constantly looking to improve our site and services, so we may need to update this privacy policy from time to time. We’ll notify you of any substantive changes to our Privacy Policy by, for example, placing a notice on our site and/or by sending you an email (if you have registered your email details with us) when we are required to do so by applicable law. You’ll be able to see when this Privacy Policy was last updated by checking the “Last Updated” date above. You should consult this Privacy Policy regularly for any changes.

11. Contact us

If you have any questions or requests about this privacy policy, our Services, or how we manage your personal info, please contact us through our Expel Privacy Webform or by contacting:

Expel, Inc.
Attn:  Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170
+1 (844) 397-3524

Email: privacy@expel.io

Expel Subprocessors

Updated:  July 1, 2020

In the spirit of transparency and in compliance with applicable data protection laws, we would like to provide you with a current list of our subprocessors for the managed detection and security services we provide.

Expel has authorized these subprocessors to process your personal information on our behalf to ensure we can effectively provide you with our services.

We take a risk based approach within our third party security and privacy assessment practices to ensure these subprocessors have sufficient mechanisms and safeguards in place to protect your personal data.

If you have any questions regarding this list please email us at privacy@expel.io.

| Subprocessor | Activity | Hosting Location |
|---|---|---|
| Google | Cloud Infrastructure, Data Hosting, and Office Productivity | United States |
| Digital Ocean | Cloud Infrastructure and Data Hosting | United States |
| Slack | Collaboration and internal messaging tool | United States |
| Mailgun | Email solution | United States |
| Mixpanel | User activity/analytics – platform enhancement | United States |
| Pendo | User activity/analytics – platform enhancement | United States |
| SumoLogic | Cloud data analytics (security, operations, business intelligence) | United States |
| Okta | Single Sign On | United States |
| Functional Software, Inc. (Sentry) | Application monitoring and error tracking | United States |
| ElasticSearch | Application search capability | United States |
| Zendesk | Ticketing and support | United States |
| URLBox | Email analysis application | United States |
| VMRay | Email analysis application | United States |
| DocuSign | Contract management | United States |
| Atlassian | Internal wiki and collaboration; Agile software development tracking | United States |
| Solarwinds | Log Aggregation | United States |
| Marketo | Marketing Content and Demand Generation | United States |
| Salesforce | Customer Relationship Management (CRM) | United States |
| OneTrust | Data privacy management and compliance system | United States |