Schedule A

Data Processing Profile

Radware's Cloud Web Application Firewall (CWAF) Service

This Data Processing Profile is supplemental to a Data Processing Agreement (“DPA”) between Radware Ltd./Inc. (“Radware” or “Processor”) and the entity that has executed or accepted the DPA (“Customer” or “Controller”). This Data Processing Profile describes the processing of personal data (or personally identifiable information) by Radware in connection with Radware’s Cloud Web Application Firewall (CWAF) Service (the “Service”). Capitalized terms used in this Data Processing Profile but not defined herein shall have the meanings ascribed to them in the DPA.

Service Overview

Radware's Cloud Web Application Firewall (CWAF) Service protects the Controller’s web applications and APIs (the “Protected Assets”) against web application layer attacks.

The Service is provided through a global network of distributed Points of Presence (“PoPs”), using an optimized, highly available architecture that secures the Customer's Protected Assets from multiple PoP locations.

The Service’s PoPs are located at major traffic hubs with connections to tier-1 ISPs, striving for low latency and minimal impact on Protected Assets’ performance.

The Service features a Service Portal, which provides visibility and self-service management of the Service elements.

Purpose of the Processing

Processing is performed to protect the Customer’s Protected Assets from web application attacks and other types of attacks, solely for the limited purpose of performing Radware’s obligations set out in the Principal Agreement (as defined in the DPA).

Processing of Data in Transit

The Service processes traffic (legitimate and malicious) destined for the Protected Assets through a Radware PoP located in the same region as the Protected Assets. However, during a large DDoS attack, for traffic load balancing, or on Service failure (redundancy), attack traffic may be processed at a Radware PoP closer to the attack source.

Data in transit may include all categories of Personal Data. Only application data relating to malicious activity and malicious actors is decrypted, analyzed, and stored by the Service. Note that, in order to inspect SSL/TLS-encrypted traffic, the Service requires the Customer to securely upload the Protected Assets’ SSL/TLS private keys through the Service Portal; without them, encrypted traffic cannot be inspected for attacks.

Processing of Data at Rest

The Service does not store any information intended to directly identify a natural person.

The Service stores only information on malicious actor activity (including malicious source IP addresses and malicious headers), alongside aggregated, non-identifiable statistics about legitimate users. Note that source IP addresses, session identifiers and cookie values retained as part of a security event may still qualify as Personal Data under applicable law. The Service additionally allows encryption of malicious source IP values prior to storage.

A planned roadmap item will allow all Protected Assets data to be stored in a location selected by the Customer.

Items of Data at Rest stored by the Service

Category: Protected Assets Data

Data Description: Security event metadata, stored for the purpose of presenting status and statistics to the Customer through the Service Portal, generating reports and managing the Service. The following security alert information is stored:

  Attacker/malicious actor information:
  • Source IP
  • Source country
  • User-agent
  • Session and cookie data

  Attack/malicious activity information:
  • OWASP category
  • Attack category
  • Attacked URL
  • Request headers
  • Response headers
  • Attack payload
  • Action taken

Retention Period: 3 months

Category: Audit Log

Data Description: The following operations are stored as part of the Audit Log (resulting from user action or API invocation):

  User Activity:
  • Login
  • Logout
  • Failed login attempts
  • User creation, modification, and deletion

  Application Configuration Changes:
  • Application provisioning and deletion
  • Network configuration changes
  • Security policy modification

  Account Configuration Changes:
  • Account provisioning and deletion
  • Account settings modifications

Retention Period: 2 years (3 months available for review through the Service Portal)

Category: Account Information

Data Description: Data related to the account protected by the Service.

  Subscription:
  • Account name
  • Subscription period
  • Service plan
  • Contact information
  • Users

Retention Period: Stored as long as the Customer account is active; deleted once the Customer stops using the Service.

The above data is stored in virtual private cloud (VPC) environments hosted on AWS in the United States. It is accessed only by the Customer (and whomever the Customer grants permission to, e.g., a service provider) and by Radware’s Emergency Response Team (ERT), for the purpose of providing the managed Service. The Customer may receive alerts of blocked attacks or view status via the online Service Portal.

Data Subjects

Individuals about whom data is provided to Processor through or in connection with the Service by (or at the direction of) the Customer or by the Customer’s end-users, which may include any natural person who accesses the Customer’s Protected Assets as well as employees, agents or advisors of the Customer.

Duration of the Processing

The duration of the processing is determined by the Principal Agreement or until deletion of all Customer’s Personal Data in accordance with the DPA and the “Retention Period” set forth in the table above.

Processing Locations

Approved Sub-Processor/Affiliate: Radware
Company address: Raoul Wallenberg Street 22, Tel Aviv-Yafo, Israel
Approved scope of work: Cloud WAF PoP
Approved Service Locations:
  • Frankfurt (FRA): Weissmuellerstr. 13, 60314 Frankfurt, Germany
  • London (LON): 352 Buckingham Avenue, Slough, SL1 4NB, United Kingdom
  • Ashburn (ASH): 21715 Filigree Ct, Ashburn, VA 20147, USA
  • Singapore (SIN): IBM-SL / Digital Realty, 29A International Business Park, Jurong East, Singapore 609934
  • San Jose (SJC): IBM San Jose
  • Tokyo (TKO): I2B, 3-4-1 Inukura, Miyamae-ku, Kawasaki-shi, Kanagawa 216-0011, Japan
  • Hong Kong (HKG): Royale International Couriers Ltd, 3rd Floor, Goodman Kwai Chung Logistics, 585-609 Castle Peak Road, Kwai Chung, Hong Kong
  • Sydney (SYD-SL): 273 Pyrmont St, Ultimo, Sydney NSW 2007, Australia
  • Sydney (SYD2): C/639 Gardeners Rd, Mascot NSW 2020, Australia
  • Johannesburg (JNB): 5 Brewery Street, Isando, Johannesburg, South Africa
  • Tel Aviv (TLV): Ha-Sivim St 49, Petah Tikva, Israel
  • Chennai (MAA): IBM Chennai
  • São Paulo (SAO): IBM São Paulo
  • Chicago (ORD): 2200 Busse Rd, Elk Grove Village, IL 60007, USA
  • Toronto (YYZ): 45 Parliament St, Toronto, ON M5A 2Y5, Canada

Approved Sub-Processor/Affiliate: Amazon Web Services (AWS)
Approved scope of work: Operate Cloud Portal
Approved Service Locations:
  • US-East: VA, USA

Approved Sub-Processor/Affiliate: Microsoft Azure
Approved scope of work: Network Points of Presence (PoPs)
Approved Service Locations:
  • US East: VA, USA
  • US North Central: IL, USA
  • EU North: Dublin, Ireland
  • EU France Central: Paris, France

Industry Standard Certifications

Radware’s Cloud WAF Service complies with the following standards for cybersecurity and privacy:

  • ISO 27001: Information Security Management Systems
  • ISO 27032: Security Techniques, Guidelines for Cybersecurity
  • ISO 27017: Information Security for Cloud Services
  • ISO 27018: Protection of Personally Identifiable Information (PII) in Public Clouds
  • HIPAA: Health Insurance Portability and Accountability Act
  • PCI DSS: Payment Card Industry Data Security Standard, Service Provider Schedule D

Radware is also compliant with ISO 28000, Specification for Security Management Systems for the Supply Chain.

Compliance with these standards is audited annually by third-party auditors.

Customers may find Radware’s latest cybersecurity and privacy certifications and attestations at https://www.radware.com/newsroom/certificationsindustry/

An annual SOC 2 Type II report is being prepared for Radware’s Cloud Services.
