Schedule A

Data Processing Profile

Radware's Cloud DDoS Protection Service

This Data Processing Profile is supplemental to a Data Processing Agreement (“DPA”) between Radware Ltd./Inc. (“Radware” or “Processor”) and the entity that has executed or accepted the DPA (“Customer” or “Controller”). This Data Processing Profile describes the processing of personal data (or personally identifiable information) by Radware in connection with Radware’s Cloud DDoS Protection Service (the “Service”). Capitalized terms used in this Data Processing Profile but not defined herein shall have the meanings ascribed to them in the DPA.

Service Overview

The Service is a cloud-based service designed to protect data centers, networks and servers of the Customer (the “Protected Assets”) against Distributed Denial of Service (DDoS) attacks, by providing multi-vector DDoS attack detection and mitigation.

The Service is powered by a global cloud security network with dedicated scrubbing centers spread globally (each, a “Radware Scrubbing Center”). Traffic directed at the Customer’s Protected Assets, is being redirected to a Radware Scrubbing Center. In the Radware Scrubbing Center, the Customer’s traffic is inspected for attempts to flood the network or overwhelm specific application resources, and cleaned of malicious DDoS attack traffic, where the remaining clean (legitimate) traffic is forwarded to the Customer’s . Application payload data is not processed or stored by the Processor. 

The Service features a Service Portal which provides visibility and self-service management of the Service elements.

Purpose of the Processing

Processing is performed to protect the Customer’s Protected Assets from distributed denial of service (DDoS) attacks; all pursuant to and for the limited purpose of performing Radware’s obligations set out in the Principal Agreement (as defined in the DPA).

Processing of Data in Transit

Cloud DDoS Data Flow – Always-on and Hybrid Always-on:
Traffic (legitimate and malicious) from users of the Protected Assets normally transits through a Radware Scrubbing Center that is in the same region as the Protected Assets. Attack traffic is scrubbed at the local Radware Scrubbing Center and possibly at another Radware Scrubbing Center closer to the attack source in case of a large DDoS attack, traffic load balancing or a Service failure (redundancy). Data in transit may include all categories of Personal Data.

Cloud DDoS Data Flow – On-demand and Hybrid On-demand:
Traffic (legitimate and malicious) from users of the Protected Assets normally transits to a data center owned by or operated on behalf of the Customer and hosting the Protected Assets. In case of a DDoS attack, the traffic is diverted to a Radware Scrubbing Center that is in the same region as the Protected Assets. Attack traffic is scrubbed at the local Radware Scrubbing Center and possibly at another Radware Scrubbing Center closer to the attack source in case of a large DDoS attack, traffic load balancing or a Service failure (redundancy). Data in transit may include all categories of Personal Data.

Processing of Data at Rest

The Service does not store any information that can directly identify a natural person.

The Service only stores information on malicious actor activity (including in some cases malicious source IP addresses), alongside aggregated non-identifiable statistics about legitimate users. Furthermore, the Service allows encryption of malicious source IP values prior storage.

Items of Data at Rest stored by the Service

Category

Data Description

Retention Period

Protected Assets Data

Security event metadata for the purpose of presenting status and statistics to the Customer through the Service portal, generating reports and managing the Service.

The metadata includes:

  • Malicious source IP addresses
  • Traffic statistics (BPS, PPS)
  • Attack statistics (vector, sources, destinations)
  • Attack type

Deleted using cryptographic erasure after configurable (default 730 days) period.

Account Information

Data related to the account protected by the Service:

  • Account name
  • Service plan
  • Contact information
  • Portal Users
  • Protected Assets information

 

Stored as long as the account is active.

Audit Log

Records different actions taking place in the Service:
User Activity:

  • Login
  • Logout
  • Failed login attempts
  • User creation, modification, and deletion

Configuration Changes:

  • Asset activation
  • Asset configuration changes

Account Configuration Changes:

  • Account provisioning and deletion
  • Account settings modifications

Stored for 6 months

The above data is stored in virtual private cloud (VPC) environments based in the United States (GCP). This data is only accessed by the Customer (and whomever the Customer gives permission to, e.g., a service provider) and by the Radware ERT team (for the purpose of providing the managed Service). The Customer may receive alerts of blocked attacks or view status via the online Service portal.

Data Subjects

Individuals about whom data is provided to Processor through or in connection with the Service by (or at the direction of) the Customer or by the Customer’s end-users, that may include any natural person who accesses the Customer’s Protected Assets as well as employees, agents or advisors of the Customer.

Duration of the Processing

The duration of the processing is determined by the Principal Agreement or until deletion of all Customer’s data in accordance with the DPA and the “Retention Period” set forth in the table above.

Processing Locations

Approved Sub- Processor/Affiliate (Company Name)

Company
address 

Approved
scope of work

Approved Service Locations

Approved Service Locations - Address

SecurityDAM

Raoul Wallenberg Street 24, Tel Aviv-Yafo, Israel

DDOS Scrubbing Center  

Frankfurt (FRA)

Hanauer Landstraße 298, 60314 Frankfurt, Germany

London (LON)

352 Buckingham Avenue, Slough, Berkshire, London, UK

Ashburn (ASH)

21715 Filigree Court, Ashburn, VA

Dallas (DFW)

infomart, 1950 N Stemmons Fwy #1034, Dallas, TX

San Jose (SJC)

11 Great Oaks Blvd, San Jose, CA

Tokyo (TKO)

Financial Center North Tower 1-9-5 Otemachi, Chiyoda-ku, Tokyo, Japan

Hong Kong (HKG)

399 Chai Wan Road, Hong Kong

Sydney (SYD)

639 Gardeners Road Unit B, Mascot 2020, Sydney, Australia

Seoul (KOR)

36, Jangmi-ro, Bundang-gu, Seongnam-si Gyeonggi-do KYUNG, South Korea

Johannesburg (JNB)

5 Brewery Street, Isando, Johannesburg, South Africa

Tel Aviv (TLV)

27 HaBarzel Street, Tel Aviv-Yafo

Sao Paulo (GRU)

Av. Marcos Penteado de Ulhôa Rodrigues, 249 - Res. Tres (Tambore), Santana de Parnaíba, Sao Paolo, Brazil

Chennai (MAA)

F-8 SIPCOT IT park, Siruseri, Navallur, Kancheepuram Distt, Chennai, 603103, India

Amsterdam (AMS)

Science Park 610, 1098 XH Amsterdam, Netherlands

Google Cloud - GCP

 

Operate Cloud Portal

US - East

VA, USA

 

Industry Standard Certificates

Radware’s Cloud DDoS Protection Service complies with the following standards for cybersecurity and privacy:

·         ISO 27001           Information Security Management Systems
·         ISO 27032           Security Techniques -- Guidelines for Cybersecurity
·         ISO 27017           Information Security for Cloud Services
·         ISO 27018           Information Security Protection of Personally identifiable information (PII) in public clouds
·         HIPAA                Health Insurance Portability and Accountability Act

Radware is compliant with ISO 28000 Specification for Security Management Systems for the Supply Chain.

SOC2 type II report covering Y 2020

Compliance with these standards is audited annually by third party auditors.

Customers may find Radware’s latest cybersecurity and privacy certifications and attestations in https://www.radware.com/newsroom/certificationsindustry/.   

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support

Get Social

Connect with experts and join the conversation about Radware technologies.

Radware Blog
Security Research Center