Privacy Notice
Introduction
This Privacy Notice (“Notice”) describes how SentinelOne, Inc. and its wholly owned subsidiaries and affiliates (collectively, “SentinelOne”, “we”, or “us”) collect, use, disclose and otherwise process your personal information in connection with the management of our business and our relationships with customers, visitors and event attendees.
This Notice explains your rights and choices related to the personal information we collect when:
- You interact with our websites, including www.sentinelone.com, support.sentinelone.com, www.scalyr.com, as well any other websites that we operate and that link to this Notice (our “Sites”)
- You visit, interact with, or use any of our offices, events, sales, marketing or other activities; and
- You use our platform, including software, mobile application, and other products and services (the “Solutions”)
This Notice does not cover:
- Applicant information. This Notice does not cover information related to our employment recruiting efforts. Please see our Applicant Privacy Statement for that information.
- Organizational Use. When you use our products or services on behalf of an organization (e.g., your employer), your use is administered and provisioned by your organization under its policies regarding the use and protection of personal data. If you have questions about how your data is being accessed or used by your organization, please refer to your organization's privacy notice and direct your inquiries to your organization's system administrator.
- Third Parties. This Notice does not apply to any products, services, websites, or content that are offered by third parties and/or have their own privacy statement.
SentinelOne determines the purposes for and means of the processing (i.e., we are the data controller) of your personal information as described in this Notice unless expressly specified otherwise.
Personal Information Collection
We may collect the following types of personal information:
- Business contact information, such as your first and last name, professional title, business affiliation and address, email, and phone number.
- Services account information, such as the Solutions you use, webinars and other events you sign up for, transactions, and business relationship information.
- Communications with us, including questions or inquiries you may send us, and any information that you create, input, submit, post, upload, transmit, store or display on our Sites.
- Information from cookies and other automated technologies, such as information about the devices you use to engage with our Solutions and Sites, and online activity data. For more details about the technologies we use, the categories of information we collect, and how we use this information, please review our Cookie Notice.
We may also obtain personal information from other sources, including:
- Third parties, such as business intelligence services, event co-sponsors, and other data providers.
- Public sources, such as company websites and our pages on social media platforms.
How we Use Personal Information
We use personal information for the following purposes:
- SentinelOne Site. When you visit our Sites, we use personal information to interact with you, provide you relevant marketing data and information, contact you about our Solutions, personalize or customize your experience (based on preferences or geography, for example), conduct research (such as to test the performance and layout of our Sites), and to improve the content and availability of the Sites. If you interact with any publicly accessible blogs, community forums, comments sections, discussion forums, or other interactive features on our Sites, we may display any information that you post and that information might be read, collected, and used by others who access it.
- Administering the Solutions. If you subscribe or are exploring a subscription to our Solutions, we use personal information to create and administer your account, manage our business relationship, and communicate with you about the Solutions, including to send you notifications and keep you informed of any updates to the Solutions. We also analyze trends in the purchase and use of our Solutions to understand our customers’ needs and interests, recommend additional Solutions, forecast business needs, and to improve and develop our Solutions. We may accept payments on our Sites using a payment service provider. The information provided to the payment service provider in connection with payment and transactions is handled in accordance with the payment service provider’s terms and privacy policies.
- Newsletters, events, marketing and advertising. If you sign up to receive newsletters or other additional information from us, attend a webinar or live event, or participate in any other offering, we use the information you provide, such as your name, company name, email address and phone number, to facilitate your request and to identify business opportunities. Subject to consent where required, we also use personal information to develop and send direct marketing communications, including by email, and to make sales and marketing calls promoting our Solutions, events, programs or other services that we believe are of interest to you. You can unsubscribe from our marketing communications as described in the Unsubscribe from marketing communications section below. We also use cookies and similar technologies to engage in interest-based advertising. Please review our Cookie Notice for more information.
- Testimonials. Where you permit us to share your experience with our Solutions, we may post testimonials on the Sites that may contain Personal Information. We obtain your consent to post your name along with your testimonial. If you wish to update or delete your testimonial, you can contact us at [email protected].
- Partners. If you partner with us to promote or provide the Solutions, including by using our Partner Portal, we use your information to maintain and administer our business relationship and to evaluate the performance of our partnership.
- Compliance and protection. We also use personal information to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities; protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims); audit our internal processes for compliance with legal and contractual requirements and internal policies; enforce the terms and conditions that govern our Solutions; and prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks and identity theft.
- At your option. Other than as set out above, you will receive notice when personal information about you might be shared with third parties, and you will have an opportunity to choose not to share that information.
We will only use your personal information as described in this section if we have a valid legal ground for the processing under applicable laws. Our legal grounds for processing include: consent, where you have consented to the use of your personal information (including, where applicable, to receive marketing communications); legitimate interests, such as to promote, develop and improve our Sites and Services, to protect our legal rights, and to establish, exercise, or defend legal claims, provided that such interests are not overridden by your interests or your fundamental rights and freedoms; and legal obligations, including to comply with tax and accounting obligations. We may also process your personal information when necessary to protect your or another individual’s vital interests.
How We Share Personal Information
We share personal information with:
- Affiliates. All SentinelOne entities in the US and worldwide, for purposes consistent with this Notice.
- Service providers. Companies and individuals that provide services on our behalf or help us operate our Services (such as hosting, information technology, customer support, email delivery, and website analytics services). SentinelOne contractually requires all its third-party business partners with whom it shares personal information to take commercially reasonable steps and implement policies to safeguard your personal information, and to not use your personal information for any purpose other than to assist SentinelOne in serving its customers.
- Advertising vendors. Third party advertising companies, including for the interest-based advertising purposes described above, that can collect information on our Sites through cookies and other automated technologies.
- Social media platforms. Our Sites also include social media features that may collect your IP address, which webpage you are visiting on our Sites, and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy notice of the company providing the feature.
- Third parties. We may also share your personal information with business partners and third parties, such as event sponsors when you attend one of our events, that may want to market products or services to you. If we share personal information with such unaffiliated third parties for their own marketing purposes, we provide you with an opportunity to opt out of such uses either at the point of collection or through the choice mechanisms set forth in this Notice.
- Professional advisors. Professional advisors, such as lawyers, auditors, bankers, and insurers, in the course of the professional services that they render to us.
- Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
- Business transferees. Acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of all or any portion of the business or assets of, or equity interests in, SentinelOne (including in connection with a bankruptcy or similar proceedings). We may assign or transfer this Notice, as well as your account and related information and data, including any personal information, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.
SentinelOne does not sell the personal information we collect as “sale” is defined in Virginia, Nevada, Colorado, and California.
Use of Cookies and Web Technologies
SentinelOne Sites, Solutions, and advertisements may use automatic data collection tools such as cookies, embedded web links, and web beacons. Additional details about how we use these technologies, and how you may limit our use of online tracking technologies is described in our Cookie Notice.
Third-Party Links
The Sites may include links to third-party sites, products or services. Please note that your access to and use of these third-party sites, products or services may result in the collection of or sharing of your information, including personal information. These third parties have separate and independent privacy policies, and we are not responsible or liable for your interactions with such third-parties (as further described in our Master Subscription Agreement). The option to link to such third-party sites, products or services is not an endorsement or representation regarding any third-party sites, products or services, and we encourage you to review and understand such third-parties privacy policies.
Solutions
SentinelOne protects devices, workloads, and endpoints at scale. The SentinelOne Agent enables this protection by deploying agents to locations across customer environments, monitoring those locations, and then sending the relevant information to the Singularity XDR Management Console where customers can visualize, detect, and respond directly to events. And for devices on the move, Singularity Mobile provides AI-powered full-device protection to all three major mobile platforms, sending information to the same SentinelOne Management Console. Our agents and mobile solution help identify not just malicious activity but also associated events in order to provide customers with the complete Storyline picture of a suspected or actual compromise. And because hackers are constantly evolving their tactics, techniques, and procedures, SentinelOne monitors vast amounts of machine metadata to help ensure malicious activity is not only caught but is also contextualized and traceable. The overwhelming majority of this metadata is machine generated and contains non-attributable data such as process ID, operating system version, information about applications, and command line arguments. In limited situations however, file names, and generalized location inferred from public IP addresses of the endpoint where the metadata is located are collected. This personal information is almost exclusively considered Customer Data and is collected on behalf of customers in accordance with the directions provided to us in the Data Protection Addendum.
In addition to Customer Data, we also collect and process System Data to provide the Solutions. System Data is information that we collect or generate during the provision and administration of the Solutions and related technical support. System Data consists of:
- Technical and Operational Data. This is information about the Solutions you are using and about the systems and related environment from which you access the Solutions. Examples include agent type and version, license information, UUID, and third-party systems used in connection with the product.
- Console Data. This is information about your usage of the Management Console. Examples include configuration settings, dashboards, user roles, authentication credentials, and other administrative settings.
- Feature Usage Data. This is information about how the Solutions are used. Examples include details about which features are used and user interface metrics.
- Threat Data. This is information about threats and potential threats identified on endpoints. Examples include malware, URLs, processes or techniques, metadata, or other data that is potentially related to unauthorized third parties.
System Data is processed to deliver the Solutions that you and our other customers request. We use System Data to help us improve the performance and functionality of the Solutions, including Threat Data specifically which is used in our proprietary machine learning engines to detect and protect endpoints autonomously from malicious activity. Any limited personal information contained within System Data is never incorporated into the Solutions, nor is it used to contact or market products or services.
Security
SentinelOne maintains (and requires its service providers to maintain) appropriate organizational and technical measures designed to protect against unauthorized access, alteration, disclosure or destruction of personal information, taking into account the nature of the personal information and the processing, and the threats posed. We are constantly working to improve on these safeguards to help keep your personal information secure, however no security procedures or protocols are ever guaranteed to be 100% secure, and as such we do not guarantee the security of any personal information you provide to us or third parties.
International Transfer of Information Collected
SentinelOne is a U.S.-based company which operates globally. When you interact with our Sites, you provide your personal information to us in the United States. We transfer the personal information we receive to our affiliates and third parties as described in the How We Share Personal Information section above. When we transfer your personal information we will protect it in accordance with this Notice wherever it is processed by ensuring that an adequate level of protection is provided for the personal information by using one or more of the following approaches:
- We may transfer personal information to countries that have privacy laws that have been recognized by the country from which the data are transferred as providing similar protections for the data (“Adequacy”), including decisions adopted by (1) the European Commission, based on Article 45 of Regulation (EU) 2016/679 (GDPR); and (2) the UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018.
- We may enter into written agreements, such as the European Commission’s Standard Contractual Clauses and the UK Information Commissioner’s Office’s International Data Transfer Addendum, as applicable, and other data transfer agreements, with recipients that require them to provide the same level of protection for the data.
- We may seek your consent for transfers of your personal information for specific purposes.
- We may rely on other transfer mechanisms approved by authorities in the country from which the personal information is transferred.
To demonstrate our commitment to maintaining high data protection standards when transferring personal information between the EEA and the U.S., we participate in and comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. SentinelOne has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF program principles with regard to the processing of personal information received from the European Union under this Notice. In addition, SentienlOne has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF principles with regard to the processing of personal information received from Switzerland under this Notice as well as the UK Extension to the EU-U.S. DPF principles with regard to the processing of personal information received from the United Kingdom. If there is any conflict between the terms in this Notice and the EU-U.S. DPF principles, the Swiss-U.S. DPF principles, and/or the UK Extension to the EU-U.S. DPF principles (collectively the “Principles”), the Principles shall govern. The U.S. Federal Trade Commission has regulatory enforcement authority and jurisdiction over SentinelOne’s compliance with and processing of personal information received or transferred pursuant to the EU-U.S. DFP, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF. To learn more about the EU-U.S DPF, the Swiss-U.S. DFP, the UK Extension to he EU-U.S. DPF, or the Principles, and to view our certification, visit the Data Privacy Framework website.
SentinelOne is responsible for the processing of personal data we receive under the EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF which we subsequently transfer to a third party acting as an agent on our behalf. SentinelOne complies with the Principles for all onward transfers of personal data from the EEA, Switzerland, and the United Kingdom, including the onward transfer liability provisions.
As part of our compliance with the Principles, SentinelOne commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the U.S. If you are a European Union or Swiss individual with inquiries about our collection, use, and transfer of your personal information under this Notice, you should first contact SentinelOne: Attention Privacy Office, [email protected]. Upon receipt of your communication we will investigate and attempt to resolve any complaints or disputes regarding your personal information within 45 days. In addition, SentinelOne has further committed to refer unresolved privacy complaints under the Principles to an independent dispute resolution mechanism operated by JAMS. If your complaint cannot be fully resolved through the above means, under certain conditions more fully described on the Data Privacy Framework website, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For additional information, please refer to the JAMS website.
Privacy Choices
Unsubscribe from marketing communications. You can unsubscribe from marketing-related communications by following the instructions at the bottom of the emails you receive from us or by contacting us as provided in the Contact Us section below. If you do so, you will continue to receive service-related and other non-marketing communications until you cease using our Services linked to those service updates.
Privacy rights. Depending on your location, you could be entitled to submit the following requests about your personal information:
- Access. Request that we provide you with information about our processing your personal information and give you access to your personal information.
- Deletion. Request that we delete the personal information that we maintain about you.
- Correction. Request that we update or correct inaccuracies in your personal information.
- Transfer. Request that we transfer a machine-readable copy of your personal information to you or a third party that you designate.
- Restriction. Request that we restrict the processing (including sharing) of your personal information.
- Objection. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
To exercise all other choices described above, please contact us at [email protected]. To avoid security breaches, we will need to authenticate your identity before we respond to the request and to assess whether these rights apply to you. Additionally, applicable law can limit these rights, for example, by prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request. While we endeavor to satisfy the requests we receive, if you are unsatisfied with our response, you may have the right to complain to a privacy or data protection regulator in your country.
Children’s Personal Information
Our Solutions are not intended for use by children. If you have reason to believe that a child has provided personal information to us, please contact us at [email protected]. We will use commercially reasonable efforts to delete such personal information.
U.S. State Privacy Laws
Some U.S. state privacy and data protection laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA) require specific disclosures for state residents. If you are a resident of a state that has imposed specific privacy requirements, please refer to our U.S. State Privacy Notice.
Retention
We retain personal information for as long as necessary to fulfill the purposes for which we collect it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information, the purposes for which we process personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
Changes to This Notice
If there are any material changes to this Notice, you will be notified by our posting of a prominent notice on our Sites prior to the change becoming effective or as otherwise required by law. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of our Sites constitutes your agreement to be bound by such changes to this Notice.
Contact Us
If you have questions regarding this Notice or about our privacy practices, please contact us by email at [email protected] or at:
SentinelOne, Inc.
Attn: Privacy
444 Castro St., Suite 400,
Mountain View, CA 94041, United States
You may also send your questions or concerns regarding our privacy practices to our data protection officer by email at [email protected].
English Version Controls
Non-English translations of this Notice are provided for convenience only. In the event of any ambiguity or conflict between translations, the English version is authoritative and controls.