Darktrace Holdings Limited (“Darktrace”) is committed to protecting and respecting your privacy. Darktrace collects, uses and keeps information in compliance with the UK Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive)Regulations 2003, the General Data Protection Regulation (Regulation (EU)2016/679) (“GDPR”), the California Consumer Protection Act (CCPA) as amended by The California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), the Virginia Consumer Data Protection Act (CDPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA) and all relevant regulations.

This Privacy Notice (the “Notice”) is issued on behalf of the Darktrace Group (meaning Darktrace Holdings Limited, its affiliates and its or their subsidiaries) so when we mention “Darktrace”, “we”, “us” or “our” in this Notice, we are referring to the relevant company in the Darktrace Group responsible for processing your personal data.

This Notice aims to give you information on how Darktrace collects and processes your personal data. Please read the following Notice to understand how we collect and use your personal data, for example when you contact us, visit our website (Site), apply for a job, or use our products and services.

1. Information Darktrace may collect from you

Darktrace may collect and process the following data about you:

• Contact and Identity Data such as your name, email, address and phone number. Phone numbers are used for two factor authentication and support services.
• Recruitment Data such as your Resume or CV, including background check data, to assess your suitability for a role. You will separately be asked for information relevant to any reasonable adjustments you might require us to make to enable you to undertake a role with us, if employed.
• Demographic Data such as information about your ethnicity, gender identity, and other demographic traits and your background, to assist us with assessing our performance against our diversity, equity and inclusion (DE&I) targets.
• Technical Data including your Internet Protocol (IP) address, login data, operating system and web browser type, browser plug-in types and version, traffic data, location data and other communication data, and the resources that you access.
• Usage and Navigational Data including how you use our website, products, digital sales rooms and services. This may include but is not limited to the number of visits, pages visited, average time spent, number of clicks, pages referred from the landing page, etc.
• Profile Data including usernames, passwords, and feedback data.
• Marketing and Communications Data including your preferences in receiving marketing from us and your communication preferences.

‍

2. How Darktrace may collect your personal data

Darktrace may collect your personal data when you:

• Contact us and/or provide feedback.
• Enter and use our website: As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
• Provide contact details (e.g. giving business cards) at a marketing event.

• Request and receive marketing communications.
• Submit a job application: If you are making a job application or inquiry, you or your recruitment agent may provide us with a copy of your CV or other relevant information. We may use this information for the purpose of considering your application or inquiry. Except when you explicitly request otherwise, we may keep this information on file for future reference. You will also be asked if you would require any reasonable adjustments to be made in order to enable you to interview with us or to take on an employment or other role with us and this information will be used to identify measures that we could or would need to take to support you if you were offered and accepted a role with us.
• Complete a DE&I questionnaire as a job applicant: Any demographic information or information about your background you provide in response to our diversity, equity and inclusion questionnaire will be used to assist us with assessing our performance against our diversity, equity and inclusion targets, it will always be voluntary to provide such information which, if provided will have no bearing upon your application.
• Join our Partnership and/or channel scheme.
• An employee of ours gives your contact details as an emergency contact or a referee.
  

• Purchase our products and services: If you purchase or use our products or services, we may use your personal data for purposes which include but are not limited to:
  - Verifying your credentials,
  - Carrying out end user compliance checks for export control purposes and/or sanction checks,
  - Processing orders and generating billing information.

Additionally, Darktrace may collect data about you:

• Through our business relationships, contacts and data enrichment services (e.g. Zoominfo, Demandbase, etc.) to ensure the personal data that we hold to ensure is accurate and relevant.

3. How Darktrace may use your personal data

Darktrace may use the personal data held about you in the following circumstances:

• To perform the contract we are about to enter into or have entered into with you, including notification of changes to our products and services.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation.
• To provide you with information, products or services that you request from us, or which Darktrace feel may interest you, where you have consented to be contacted for such purposes.
• To allow you to participate in interactive features of our products or service, when you choose to do so.
• To evaluate your suitability and candidacy for employment or other engagement by or with Darktrace.
• To identify reasonable adjustments that Darktrace could make to enable you to take on an employment role or other engagement with Darktrace.
• To assess Darktrace's performance against its diversity, equity and inclusion targets

We have set out below a description of the primary ways we may use your personal data, and which of the lawful basis we rely on to do so. Our lawful basis for collecting and using personal data will depend on the data concerned and the context in which we collect it.

In most circumstances, we collect personal data where it is needed for the performance of a contract with you, where you provide your consent, or where processing the personal data is in our legitimate interests. Your personal data may also be collected and processed to comply with our legal obligations.

Where we have identified Legitimate Interest as our Lawful basis for processing personal data we have also identified what our legitimate interests are where appropriate.

Purpose: Lawful basis

To manage our relationship with you: (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data): (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences: Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy

To make suggestions and recommendations to you about goods or services that may be of interest to you: Necessary for our legitimate interests (to develop our products/services and grow our business)

To contact you and send direct marketing and direct sales communications via email or telephone about our services and product range: (a) Necessary for our legitimate interest, where Business to Business Direct Marketing is permissible under the lawful basis legitimate interest. (b) Where applicable under relevant jurisdiction, consent will be used as the lawful basis. All Data Subjects have the right opt out of Marketing and Sales communication (see Marketing Section for further information).

For recruitment processing and assessment: (a) Necessary for our legitimate interest (to ensure an applicant’s suitability for a role). (b) Necessary to comply with a legal obligation as an employer to identify reasonable adjustments made to support a candidate in the workplace.

Diversity Equity and Inclusion Monitoring: Necessary to comply with our legal obligations as an employer (to assess our success against our DE&I targets and identify further measures needed). While consent is not the legal basis for processing this personal data we will only process data you provide to us and it is entirely voluntary to do so.

Call recording, either through Team, Zoom or Digital Sales Rooms: Necessary for our Legitimate Interest (for quality monitoring, training and development, gaining a better understanding of our customers, complaints and disputes and employee safety and wellbeing). All Data Subjects have the right to opt out of call recording.

4. Third party links

Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that Darktrace does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

5. Selling of Data

We do not sell any data captured as part of your use of Darktrace’s products or services. Our public website uses Google Analytics, which may be considered exchanging data for valuable consideration under CCPA.

You can find out more about the data Google Analytics collects in their privacy policy.

If you wish to opt out of Google Analytics, you can use the opt-out browser add-on from Google.

6. Marketing

If you are an existing customer, Darktrace will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those that were the subject of a previous sale to you.

You can ask us to stop sending you marketing or direct sales messages at any time by following the opt-out links on any marketing message sent to you OR by contacting us via email at any time at privacy@darktrace.com

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase.

We will not sell or rent your data to third parties or share your data with third parties for marketing purposes. We may use third party software to send you information for marketing purposes, but such third parties will not have access to or be able to read your personal information.

If you receive an email which claims to come from us but does not use our domain, or if you are suspicious that an email may not be approved by us, then please send a copy of the email to security@darktrace.com so we can investigate.

7. Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.

8. Transferring personal data

As a global company, we have international sites and users all over the world. When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA, who work for us or for one of our suppliers. Specific to our Products and Services, Darktrace provides a Master Services Agreement (“MSA”) to customers and end users that incorporates the EU Standard Contractual Clauses within its Data Processing Addendum.

Darktrace performs transfer impact assessments (“TIA”) and continually monitors the circumstances surrounding such transfers to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the EEA and UK data protection laws.

Darktrace places substantial importance on protecting the confidentiality of personal information and seeks the cooperation of all its suppliers in furthering this goal.

Darktrace will only transfer personal information to a supplier where the supplier has provided assurances that they will provide at least the same level of privacy protection as is required by this Notice. Where Darktrace has knowledge that a supplier is using or sharing personal information in a way that is contrary to this Notice, Darktrace will take reasonable steps to prevent or stop such processing.

Darktrace sub-processors can be found here.

9. Security

Darktrace endeavours to hold all personal data securely in accordance with our internal security procedures and applicable law. We update and test our security on an ongoing basis. Darktrace will do its best to protect your personal data, but Darktrace cannot guarantee the security of your data transmitted to our Site through the internet; any such transmission is at your own risk. Once Darktrace have received your information, Darktrace will maintain appropriate administrative, physical, technical and organizational measures to protect your personal data accessed or processed by Darktrace against unauthorized or unlawful processing or accidental loss, destruction, damage or disclosure.

10. Disclosure of your information

We may share or disclosure your personal data with the parties set out below:

• Within the Darktrace Group for the fulfilment of the activities described in the table above.
• To third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Notice.
  

• To third parties, if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Darktrace, or others.
• To our auditors and legal counsel, regarding our business. In some cases, the shared information may contain personal information, but the auditors and legal counsel may only use it for the purpose of providing their professional services, consistent with their obligations of confidentiality

11. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data can be requested via our Data Privacy Officer at the contact details provided below.

12. Your legal rights

GDPR gives you the right to access information held about you. If you’re an UK or EU citizen, your right of access can be exercised in accordance with the UK DPA and/or GDPR.

You have the right to request by contacting privacy@darktrace.com.

• Information about how your personal data is processed;
• a copy of your personal data, and;
• an immediate correction to your personal data.
  

You can also:

• Raise an objection about how your personal data is processed;
• request that your personal data is erased if there is no longer a justification for it;
• ask that the processing of your personal data is restricted in certain circumstances, and;
• opt out of the use of your personal data for any purposes or a specific purpose, such as the Darktrace Customer Portal.
  

If you are a resident of a US state that has applicable Data privacy legislation, you have certain rights:

‍

Where Darktrace acts as the Data Controller, i.e. for Direct Sales and Marketing activity, you can enact the above right by emailing privacy@darktrace.com. If you are customer employee wishing to enact your legal right, please contact your employer’s privacy team.

13. How to contact the appropriate authority

Should you wish to report a complaint or if you feel that Darktrace has not addressed your concern in a satisfactory manner you have the right to contact the appropriate authority.

Individuals within the EU and rest of the world have the right to raise a complaint with the supervisory authority in the Member State where they live, where they work, or where the infringement took place.

For UK GDPR (DPA18) you may contact the Information Commissioner’s Office:

Website: https://ico.org.uk/global/contact-us/

Telephone: 0303 123 1113.

For EU GDPR you may contact your local Supervisory Authority. Within the EU Darktrace is Registered with the Irish Data Protection Commission.

Website: https://www.dataprotection.ie/en/contact/how-contact-us

Telephone: 01 7650100 / 1800437 737

14. Data Protection Officer

Darktrace is headquartered in Cambridge, United Kingdom. Darktrace has appointed an internal Data Protection Officer for you to contact if you have any questions or concerns about Darktrace’s Privacy and Data Protection Notice. The contact information for the Darktrace Data Protection Officer is as follows:

Iain Pye Darktrace Holdings Limited Maurice Wilkes Building St John’s Innovation Park Cowley Road Cambridge United Kingdom CB4 0DS privacy@darktrace.com

15. Changes to our Privacy Notice

Darktrace reserves the right to amend this Privacy Notice at any time, for any reason, without notice to you, other than the posting of the amended Privacy Notice at this Site. You should check our Site to see the current Privacy Notice that is in effect and any changes that may have been made to it.

This Notice was last amended on 9th May 2024.

‍