Product Privacy Policy

1. What this Privacy Policy covers

This Privacy Policy describes how Aqua Security Ltd. (collectively with its affiliates, “Aqua Security”, “we”, “our” or “us”) handles and protects the Personal Information it collects, receives and processes from its customer (“you”) which pertain to You or your users (“Customer Users”) during the use of the Aqua Platform SaaS Offering and Aqua Platform Self-Hosted installation and the related support services to any of the foregoing (collectively, the “Aqua Services”).

2. Definitions

“Aqua Security User” or “User” means the individual(s) or organization(s) that have entered into a license agreement with Aqua Security entitling them to receive Services from Aqua Security or use any of the Aqua Services, including free trial users and OEM partners.

“Personal Information”, “Personal Identifiable Information” or “PII” is information about you that is personally identifiable by name or can be linked to you through a personal identifier like your address, e-mail address, phone number, or location, and which is not otherwise publicly available. This definition is given here for this notice only, and some laws may use a different definition. If you are asserting your rights under law, the applicable legal definition governs your rights.

“Services” means any of the Aqua Security Software, any version thereof, and any related services, which may involve granting Aqua Security access to User’s information or records, such as support services, professional services and customer business relations.

“Software” means any of Aqua Security’s proprietary software products, of any version, including any cloud-based or SaaS features incorporated in the software products.

3. Aqua Security as a Data Processor under GDPR

The Software allows You to create applications that are secure by design, enabling agile DevOps and hybrid cloud deployment with no compromise on security or compliance. You use the Software to create native applications to help secure and protect your organization on all levels of design and development. For the purposes of compliance with the European Union’s General Data Protection Regulation (GDPR), in cases where Aqua Security has access to Personal Information found in Your or a User’s data, You are the Data Controller of that Personal Information. Aqua Security is the Data Processor carrying out data processing activities and instructions on your behalf or a User’s behalf.

4. Aqua Security as a Data Controller under GDPR

For the purposes of compliance with the GDPR, Aqua Security is a Data Controller of data, including any Personal Information contained in such data, that we use for our business purposes, such as our business records.

5. Disclosures of information under Aqua Security Customer control

Aqua Security provides its Services to You as part of your use and license of the Software. Aqua Security’s managed services and SaaS services use Aqua Security’s cloud to store, process, and distribute data belonging to You (or your customers, licensees, or users). As the controllers of Personal Information included in their data, Aqua Security’s Customers are responsible for maintaining the privacy of Personal Information included in their data.  

Aqua Security is not responsible for disclosures of information made by You through the Aqua Security software or Services on your system. When we have access to or process Personal Information which you provide us, or which you grant us permission to process, you undertake that you have obtained all required permissions and have taken all necessary actions required by law.

6. When does Aqua Security have access to your Personal Information?

When You use Aqua Security Software or request Services from Aqua Security, Aqua Security may have access to a User’s data. If Your data includes User’s Personal Information, Aqua Security may have limited access or exposure to Personal Information. Examples of situations where Aqua Security may have access or exposure to Your data include:

(a) When You use cloud-based features of the Software, Aqua Security may have access to User’s data or other system access credentials, and software metadata associated with a user. 
(b) When You share a screen showing data on a support call or communication to help you use the Aqua Security Software, Personal Information may be revealed to Aqua Security. 
(c) When You share with us images of installation for support purposes which may include Personal Information.
(d) Hash sums of images and components which may include Personal Information.
(e) When You submit a file to our systems for purposes of using the Services, User’s data may be included in such file.
(f) When You submit a file containing data to our support help desk to resolve a Software issue, User’s data may be included in such data. 
(g) Aqua Security has ongoing access to Aqua Security cloud environments on which You may run the Aqua Security software to host and process data. As you use the Aqua Security software on the Aqua Security cloud, the Software may store and otherwise process User’s ID and password on the Aqua Security cloud environment. 
(h) If you interact with us as a customer or on behalf of a customer, we may have your name, contact information, billing address, and any other information you provided us. 

Our customers use the Aqua Security Software in a wide range of businesses, and we do not preview, screen, or review such data. Therefore, we do not know in advance what categories of Personal Information You may collect and control about Users as part of your Data.  

7. How we use Personal Information

If we have access to Personal Information as described above, we may only use it for the following purposes:

(a) To provide and operate the Software and Services and all related features and functions.
(b) We may use aggregated and anonymized data derived from Personal Information to enhance, improve and further develop the Software and Services (such as creating new features or functions, enhancing the user experience, improving technical performance, etc.).
(c) We collect or obtain the following information: full name, email address, title, phone number and IP address.
(d) Managing the business relationship with You, such as providing service notices and billing.
(e) We use Your contact and billing address to send offers and promotional information, subject to consent.
(f) We will use your contact information to provide you with notices related to your use of the Software and Services.
(g) For the other purposes referenced in the “Disclosure of Personal Information to third parties” section below.

8. Service providers 

We rely on certain trusted third-party service providers to power certain Software features in certain versions or installation architectures, services and functions that make up the Services. For example, we host Aqua Security environments on third-party cloud platforms, and power cloud-based features using third-party services cloud environments. We may also use outsourced personnel to perform technical and support functions that may involve access to personal data.

Aqua Security does not disclose your Personal Information to any third parties (other than our service providers) except in the limited circumstances detailed below and for the purpose of operating the Services. Our service providers do not have permission to use your (and your User’s) Personal Information for any purpose other than to provide us the services we require to serve You and our customers.

Details of the service providers we use can be found below:

Amazon Web Services, MongoDB Atlas, Salesforce, Auth0, Freshdesk, Planhat, Datadog.

9. Disclosure of Personal Information to third parties

We do not disclose Personal Information to third parties (other than our service providers, as stated above), except under the following circumstances and for the following purposes:

(a) When we have your permission to provide you with Services.
(b) When required by law to respond to subpoenas, court orders, or legal process by public authorities, including disclosures required by national security or law enforcement agencies.
(c) When we need to establish or exercise our legal rights, or to defend against legal claims, or when we believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, data breaches, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law.
(d) If Aqua Security is acquired by or merged with another company, Aqua Security will come under the control of a new entity, and any rights and permission that Aqua Security has to access Personal Information may be assigned to the new entity.

10. Retention of information

We may retain User data and information (including Personal Information) for any lawfully permitted period of time, and as necessary to comply with our legal and contractual obligations, enforce our agreements, and enable us to investigate events and resolve disputes.

11. Confidentiality, security, and data integrity

Aqua Security takes appropriate administrative, technical, physical and organizational security measures to protect your Personal Information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once it is received, taking into account the nature of such information and the risks involved in processing, and comply with applicable laws and regulations. While we have taken reasonable steps to secure the Personal Information provided to us, please be aware that despite our best efforts, no security measures are perfect or impenetrable, and no method of data transmission can be guaranteed against any interception or other type of misuse. Any information disclosed online is vulnerable to interception and misuse by unauthorized parties.

12. Rights of European Data Subjects under the General Data Protection Regulation (GDPR)

If you are in one of the EU/EEA countries, Aqua Security has certain obligations as a data processor towards Users regarding their Personal Information, and certain obligations towards you as a data controller, under GDPR. You, as data controller, will be responsible for protecting your rights under the GDPR for your Personal Information included in data under Your control.

13. Cross-border Personal Information transfers and the EU-U.S. Privacy Shield and Swiss – U.S. Privacy Shield

Data hosted on the Aqua Security cloud is hosted in the cloud environment we use, which may be either in the EU or outside the EU (for US based customers we use an AWS service located in the US and for other customers we use an AWS service located in the EU). Certain functions of the Services are processed solely through our US based cloud environment. Our staff is located in Israel, the United States and India, and have access to all data on the Aqua Security cloud environments. Data we collect while providing our Services is hosted in the United States, EU and Israel. Some of Aqua’s customer managers are located in the same area as their assigned customers. They will have access to limited Personal Data and only to those customers under their responsibility.

In addition to general Standard Contractual Clauses we may have signed with You under any Data Processing Agreement which we may have signed, Aqua Security complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, EEA, the United Kingdom, and Switzerland to the United States, in reliance on the Privacy Shield. Aqua Security has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

If any of your users and/or you are in the European Union, EEA, the United Kingdom, or Switzerland, you and each of your users have a right to access their Personal Information that we hold about them, and can correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield Principles, except where the burden or expense of providing access would be disproportionate to the risks to your or a user’s privacy in the case in question, or where the rights of other persons would be violated.

You have a right to choose (opt-in) whether your Personal Information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you. In cases where we are Processor for you, a User’s choices are determined according to the User’s relationship between you and such User, and User should direct inquiries to You. You undertake to allow the Users such rights and we will direct the Users to you if they approach Us.

In cases where we control your information, and you gave us permission to share your information with a third party, you may exercise your choice to opt-out of the permission you gave us by contacting us at the contact information below (the services you requested from us may be affected by your choice).

In the context of an onward transfer of Personal Information to a third party (including our service providers), we have a responsibility for the processing of personal information we receive under the Privacy Shield and subsequently transfer to a third party acting as an agent on our behalf. We shall remain liable under the Privacy Shield Principles if our agent processes such personal information in a manner inconsistent with the Privacy Shield Principles, unless we can prove that we are not responsible for the event giving rise to the damage.

We will investigate and attempt to resolve requests, complaints and disputes regarding use and disclosure of your information in accordance with this Privacy Policy. We may require further information from you to identify you and address the matter at issue.

14. Notice for California Residents

Please note that Aqua Security does not rent or sell any Personal Information.

In addition, California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits California residents to request and obtain from Aqua Security, once a year and free of charge, 1) information about categories of Personal Information (if any) we disclosed to third parties for direct marketing purposes, and, 2) the names and addresses of the third parties with which we shared Personal Information in the preceding calendar year.

California residents have the following rights regarding their personal information:

14.1. Right to Request Disclosure of Specific Information

Users have the right to request that we disclose certain information to users about our collection and use of user’s personal information during the past 12 months, upon verifying user’s identity (if applicable): 

(a) User’s personal information that we collected, used, disclosed, or sold. 
(b) The categories of personal information we collected about User.
(c) The categories of sources from which we collect personal information.
(d) The business or commercial purpose for collecting or selling personal information.
(e) The categories of third parties with whom we share personal information.
(f) The specific pieces of personal information we collected about User.

14.2. Right to Request Disclosure of Information Sold

We do not sell User’s information.

14.3. Right to Request Deletion 

User has the right to request that we delete User’s personal information that we collected from customer and retained, unless one of the following exceptions applies.

We may deny a deletion request if retaining the information is necessary for us or our service providers to:

(a) Complete the transaction for which we collected the personal information, provide a good or service that was requested, take actions reasonably anticipated within the context of our ongoing business relationship with our customers, or otherwise perform a contract between us and you.
(b) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
(c) Debug computer programs to identify and repair errors that impair existing intended functionality.
(d) Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
(e) Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546).
(f) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you have previously provided informed consent.
(g) Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
(h) Comply with a legal obligation.
(i) Use that information internally in a lawful manner that is compatible with the context in which you provided it.

14.4. Right to Opt-Out of the Sale of Personal Information

We do not sell any personal information. Our policy is that we do not sell personal information.

15. Contacting Aqua Security about this Privacy Policy

Any inquiries, concerns, or requests regarding the use or disclosure of your Personal Information should be directed to us at: privacy@aquasec.com.

16. Changes to this Privacy Policy

This Privacy Policy was last changed on the date set forth at the top of this Privacy Policy. Aqua Security may update this Privacy Policy at any time and any such changes will become effective prospectively from the date of publication. We encourage you to check this page frequently for any changes to our Privacy Policy.