
Prisma Cloud Privacy

The Privacy Datasheet for Prisma Cloud by Palo Alto Networks outlines how personal data is captured, processed, and stored within the service, detailing its capabilities across various modules including Cloud Security Posture Management, Cloud Workload Protection, and others. It specifies the types of personal data processed, the purposes for processing, and the access controls in place for both customers and Palo Alto Networks staff. Additionally, it highlights the use of third-party data centers and subprocessors to support the service while ensuring data protection standards are met.

Uploaded by

laura ruiz

Privacy Datasheet

Prisma Cloud
The purpose of this document is to provide customers of Palo Alto Networks with information needed
to assess the impact of this service on their overall privacy posture by detailing how Personal Data is
captured, processed, and stored by and within the service.

1. Product Summary
Prisma® Cloud is a Cloud-Native Application Protection Platform (CNAPP) that leverages both
agent-based and agentless approaches to tap into the cloud providers’ APIs for read-only access to
customers’ network traffic, user activity, and configuration of systems and services, and correlates
these different data sets to help the cloud compliance and security analytics teams prioritize risks
and quickly respond to issues.

Prisma Cloud’s full suite provides four (4) different categories of capabilities, composed of different
modules:

1. Cloud Security Posture Management (CSPM): Monitors posture, detects and responds to
threats, and maintains compliance across multi-cloud environments. CSPM includes the
following modules:
● Visibility, Compliance, and Governance module
○ Threat Detection functionality (included in the Visibility, Compliance, and
Governance module)
● Data Security module

2. Cloud Workload Protection (CWP): Provides vulnerability management, compliance, run-time
security, access control, and anomaly detection. CWP includes the following modules:
● Host Security module
● Container Security module
● Serverless Security module
● Web Application and API Security module

3. Cloud Application Security: Provides you with a way to identify vulnerabilities,
misconfigurations, and secrets in infrastructure as code (Terraform, CloudFormation templates,
Helm charts, etc.), open source packages, container images, and other dependencies. Cloud
Application Security obtains a distilled, prioritized set of controls and measures, tailored to your
ecosystem and required to optimize your CI/CD security posture. Cloud Application Security
includes the following modules:
● Infrastructure as Code (IaC) Security module
● Software Composition Analysis (SCA) module
● Secrets Security module

● CI/CD Security module

4. Cloud Infrastructure Entitlement Management (CIEM): Provides visibility into effective
permissions, monitoring risky and unused privileges, and automatic response, which includes
the following module:
● IAM Security module

2. Personal Data Processed by Prisma Cloud


Prisma Cloud processes Personal Data as follows:
● Table 2.1 lists the Personal Data processed by the entire Prisma Cloud platform.
● Tables 2.2 to 2.12 list the Personal Data processed specifically by each module.

If you request customer support for Prisma Cloud, more information on Personal Data processed is
available in the “Support Services, Customer Success and Focused Services Privacy Data Sheet”
available in our Trust Center.

2.1 Personal Data Processed by Prisma Cloud Platform

Table 1: Personal Data Processed by All Prisma Cloud Modules

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Customer Provided Personal Data (provided by customers for the management of the platform) | Full name or display name | John W. Smith | Account creation and user authentication; Billing and account management; Troubleshooting and solving issues; Improving product capabilities; Product notification of new features and updates |
| | Email address | user1@company.com | |
| | Username | Johnsmith | |
| | Phone number | 444-555-6666 | |
| | Job Title | Developer | |

2.2 Visibility, Compliance, and Governance Module


The Visibility, Compliance, and Governance module monitors your multi-cloud environment and SaaS
applications, alerting you of any misconfigurations or compliance issues and remediates those risks.

Table 2: Personal Data Processed by Visibility, Compliance and Governance Module

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Full name or display name | John W. Smith | Detecting misconfigurations, risks, compliance, vulnerabilities and remediation of cloud security issues; Attribution of the cloud accounts to specific administrators |
| | Username | Johnsmith | |
| | Email Address | user1@company.com | |
| | IP Address that could enable Palo Alto Networks to identify an individual | 34.107.151.202 | |

2.2.1 Threat Detection functionality (included in the Visibility, Compliance, and Governance module)

The Threat Detection functionality supports different categories of policies. Personal Data is collected
from various sources, such as audit and network flow logs. Threat Detection processes Personal Data
collected from the Visibility, Compliance, and Governance module (described in Section 2.2) to deliver
Threat Detection capabilities.

Table 3: Personal Data Processed by Threat Detection Functionality

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Email Address | user1@company.com | Detecting threat incident, and remediation of cloud security issues |
| | IP Address that could enable Palo Alto Networks to identify an individual | 34.107.151.202 | |
| | Location that could enable Palo Alto Networks to identify an individual | Santa Clara, CA USA | |

2.3 Data Security Module

The Data Security module provides exposure analysis, data classification, malware scanning, and
governance for cloud storage services. This module identifies and detects confidential and sensitive
data by scanning objects (a file and any metadata that describes that file) in your Amazon S3 bucket
and Azure Blob storage for which you have enabled access.

Personal Data will be processed from the Visibility, Compliance, and Governance module (described
in Section 2.2) to deliver Data Security capabilities. The Data Security module also leverages Palo Alto
Networks Data Loss Prevention and WildFire® services for analysis.

IMPORTANT: The type of Personal Data processed by the Data Security module will depend on the
Personal Data (if any) contained in your S3 bucket and Blob storage. For clarity, Palo Alto Networks
will not know the types of Personal Data collected at the moment of processing. By default, if snippets
of files are stored, all Personal Data is partially masked by the Data Security module. However, you may
configure the module to fully mask the Personal Data.

2.4 Host Security Module


Host Security offers protection for Linux and Windows® hosts from malicious processes in addition
to vulnerability management, compliance, and runtime protection. The Host Security Module
leverages Palo Alto Networks WildFire® services for runtime protection.

Table 4: Personal Data Processed by Host Security

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Email address | user1@company.com | Detecting misconfigurations, risks, compliance, vulnerabilities and remediation of cloud security issues |
| | IP address that could enable Palo Alto Networks to identify an individual | 34.107.151.202 | |

2.5 Container Security Module

Container Security helps secure Kubernetes® and other container platforms on your public clouds.

Table 5: Personal Data Processed by Container Security

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Email Address | user@company.com | Detecting misconfigurations, risks, compliance, vulnerabilities and remediation of cloud security issues |
| | IP addresses that could enable Palo Alto Networks to identify an individual | 34.107.151.202 | |

2.6 Serverless Security Module


Serverless Security helps protect serverless functions for AWS Lambda, Azure Functions and Google
Cloud Functions.

Table 6: Personal Data Processed by Serverless Security

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Email Address | user@company.com | Detecting misconfigurations, risks, compliance, vulnerabilities and remediation of cloud security issues |
| | IP addresses that could enable Palo Alto Networks to identify an individual | 34.107.151.202 | |

2.7 Web Application and API Security (WAAS) Module

The WAAS module provides visibility and protection of Web Applications and APIs deployed on cloud
native architecture.

IMPORTANT: The type of Personal Data processed by the WAAS module will depend on the Personal
Data (if any) contained in layer 7 (HTTP) traffic inspected to and from your web application and APIs.
For clarity, Palo Alto Networks will not know the types of Personal Data collected at the moment of
processing. You may use the log scrubbing feature to delete Personal Data.

2.8 Infrastructure as Code (IaC) Security Module

The IaC Security module provides detection and remediation for cloud security issues present in
infrastructure-as-code files with the use of policies, scan engine and integrations with different
continuous integration and continuous delivery (CI/CD) tools, integrated development environment
(IDEs), and version control systems (VCS). You must grant Prisma Cloud access to your code
repositories.

IMPORTANT: With the exception of the Personal Data listed in Table 7 below, the type of Personal
Data processed by IaC Security module will depend on the Personal Data (if any) contained in your
code. For clarity, Palo Alto Networks will not know the types of Personal Data collected at the moment
of processing.

Table 7: Personal Data Processed by IaC Module

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Username | Johnsmith | Detecting misconfigurations, risks, compliance, and remediation of cloud security issues in code repository; Identifying users who contributed to code vulnerability |
| | Email Address | user@company.com | Detecting misconfigurations, risks, compliance, and remediation of cloud security issues; Setting up version control integrations; Determining the number of users for billing purposes |

2.9 Software Composition Analysis (SCA) Module

The SCA module provides detection and remediation for vulnerabilities and license compliance issues in
open source packages used in repositories. Customers must grant Prisma Cloud access to their code
repositories.

IMPORTANT: With the exception of the Personal Data listed in Table 8 below, the type of Personal
Data processed by the SCA module will depend on the Personal Data (if any) contained in customers’
source code. For clarity, Palo Alto Networks will not know the types of Personal Data collected at the
moment of processing.

Table 8: Personal Data Processed by SCA Module

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Full name or display name | John W. Smith | Detecting vulnerabilities and remediation of open source packages in code repositories; Identify code contributor |
| | Username | Johnsmith | Detecting vulnerabilities and remediation of open source packages; Identify user who contributed to code vulnerability; Setting up version control integrations |
| | Email Address | user@company.com | Detecting vulnerabilities and remediation; Setting up version control integrations; Determine the number of users for billing purposes |

2.10 Secrets Security Module

The Secrets Security module can detect sensitive information that is improperly secured inside your
source code repositories. This module’s scans can detect embedded passwords, login tokens, and
other types of secrets. You must grant Prisma Cloud access to your code repositories.

IMPORTANT: The type of Personal Data processed by the Secrets Security module will depend on the
Personal Data (if any) contained in your source code. For clarity, Palo Alto Networks will not know the
types of Personal Data collected at the moment of processing.

2.11 CI/CD Security module

CI/CD Security module provides continuous end-to-end coverage and visibility of your engineering
environment from source to deployment, allowing security teams to monitor security, analyze the
attack surface, and implement tailored security measures to secure your entire development
environment without disrupting engineering processes. To allow for the use of this module,
Customers must grant Prisma Cloud access to their source code repositories.

IMPORTANT: With the exception of the Personal Data listed in Table 9 below, the type of Personal
Data processed by the CI/CD Security module will depend on the Personal Data (if any) contained in
customers’ source code. For clarity, Palo Alto Networks will not know the types of Personal Data
collected at the moment of processing.

Table 9: Personal Data Processed by CI/CD Security Module

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Full name or display name | John W. Smith | Detecting CI/CD security risks across code repositories, CI & CD systems; Identify code contributor |
| | Username | Johnsmith | Detecting CI/CD security risks across code repositories, CI & CD systems; Identify code contributor; Setting up version control, CI, CD integrations |
| | Email Address | user@company.com | Detecting CI/CD security risks across code repositories, CI & CD systems; Setting up version control, CI, CD integrations; Determine the number of users for billing purposes |

2.12 Identity Access Management (“IAM”) Security Module

The IAM Security module helps you address the security challenges of managing IAM in cloud
environments. The IAM Security module automatically calculates effective permissions across cloud
service providers, detects overly broad access permissions, and suggests corrections to reach least
privilege entitlements.

The IAM Security module processes Personal Data from the CSPM module activated by you to deliver
CIEM capabilities.

IMPORTANT: With the exception of the Personal Data listed in Table 10 below, the type of Personal
Data processed by the IAM Security module will depend on the types of Personal Data (if any)
contained in the identity permission set. For clarity, Palo Alto Networks will not know the types of
Personal Data collected at the moment of processing.

Table 10: Personal Data Processed by IAM Security Module

| Category of Personal Data | Type of Personal Data | Example(s) | Purpose of Processing |
| --- | --- | --- | --- |
| Personal Data ingested and processed from customers’ cloud environment | Full name or display name | John W. Smith | Providing visibility into identity access; Identifying overly permissive or risky access and offering remediation capabilities |

3. Access to Personal Data


Access by Customers
Your appointed system administrators and authorized users can access Personal Data collected and
processed by Prisma Cloud, as well as alerts generated by Prisma Cloud, through the Prisma Cloud
console or an API. You can also configure and manage role-based access through the Prisma Cloud
console to allow users other than system administrators to access Personal Data in Prisma Cloud.

Access by Palo Alto Networks


Access to Personal Data in Prisma Cloud is restricted to the 1) DevOps team, 2) Site Reliability
Engineers (SREs), 3) threat research analytics teams and 4) customer support teams (to the extent
this service is purchased and utilized). All access is recorded and audited. Access privileges are
managed by Engineering leadership.

4. Processing Locations
Data Centers and Third Party Service Providers

Palo Alto Networks engages third-party providers that act as sub-processors in order to provide
Prisma Cloud. These sub-processors are required to provide an equivalent level of protection of data
as Palo Alto Networks provides.

Prisma Cloud runs primarily on Amazon Web Services (AWS) data centers, and leverages Google
Cloud Platform (GCP) and Azure data centers for certain particular module(s) as described below.

Table 11: Prisma Cloud Subprocessors

| Subprocessor | Module(s) Where Sub-processor is Leveraged | Personal Data Processed | Service Type | Location |
| --- | --- | --- | --- | --- |
| Amazon Web Services (AWS)[1] | Visibility Compliance and Governance; Threat Prevention; Infrastructure as Code; Software Composition Analysis; Secret Scanning | All Types Listed in Section 2 | IaaS/PaaS Provider | Australia, Canada, France, Germany, India, Ireland, Japan, Singapore, United Kingdom, United States (excludes GovCloud for IaC, SCA and Secrets Security) |
| | Data Security | All Types Listed in Section 2 | IaaS/PaaS Provider | Germany, Singapore, United States |
| | IAM Security | All Types Listed in Section 2 | IaaS/PaaS Provider | Australia, Canada, France, Germany, India, Ireland, Singapore, United Kingdom, United States (includes GovCloud) |
| Elasticsearch, Inc | CI/CD Security | All Types Listed in Section 2 | IaaS/PaaS Provider | Germany, Singapore, United States |
| Google Cloud Platform (GCP)[2] | Host Security; Container Security; Serverless Security; WAAS | All Types Listed in Section 2 | IaaS/PaaS Provider | Australia, Canada, France, Germany, India, Japan, Singapore, United Kingdom, United States |
| MongoDB Atlas | CI/CD Security | All Types Listed in Section 2 | IaaS/PaaS Provider | Australia, Canada, France, Germany, India, Ireland, Japan, Singapore, United Kingdom, United States |
| Microsoft Azure Cloud (Azure)*[3] | Data Security | All Types Listed in Section 2 | IaaS/PaaS Provider | Germany, Singapore, United States |
| Coralogix | Infrastructure as Code; Software Composition Analysis; Secret Scanning; CI/CD Security | Full name or display name; Email address; Username | Application monitoring and performance management | United States |
| Pendo.io | All Prisma Cloud Modules | Full name; Email address | Application analytics and customer notification in Prisma Cloud Platform | United States |

[1] The processing location where AWS processes Personal Data from will depend on the location of the tenant chosen by you.
[2] The processing location where GCP processes Personal Data from will depend on the location of the tenant chosen by you.
* Only if you are an existing Azure customer and choose to use the Data Security Module on data hosted in your Azure account.

Customer Support Locations

Customer support for Prisma Cloud will be provided from various locations around the globe. For
more information on these locations, please refer to the “Support Services, Customer Success and
Focused Services Privacy Data Sheet” available in our Trust Center.

5. Compliance with Privacy Regulations


Palo Alto Networks captures, processes, stores, and protects Personal Data in Prisma Cloud in
accordance with the terms in (i) Palo Alto Networks Privacy Policy, (ii) for our customers, the applicable
Data Protection Agreement, and (iii) this Privacy Datasheet. Our Trust Center, Palo Alto Networks’
one-stop shop for everything privacy and security related, provides numerous resources, including
information on how our privacy practices comply with existing and applicable privacy legislation
around the globe. For more information, please visit the Privacy section in the Trust Center.

[3] The processing location where Azure processes Personal Data will be based on the location of your tenant.

Cross-Border Data Transfer
As part of the provision of the Prisma Cloud service and purchased customer support, Palo Alto
Networks may be required to transfer Personal Data to other countries outside of the country/region
where you are located. To the extent that we need to transfer such data, we will do so in compliance
with applicable requirements for transfer of Personal Data, which include the EU Standard
Contractual Clauses, as approved by the European Commission and/or other legally binding
instruments.

Data Subject Rights


Users whose Personal Data is processed by Prisma Cloud have the right to request access,
rectification, suspension of processing, or deletion of the Personal Data processed by the service. Users
can open a request via Palo Alto Networks Individual Rights Form.

Palo Alto Networks will confirm identification before responding to the request. Please note that if, for
whatever reason, we cannot comply with the request, we will provide an explanation. For all users
whose employer is a Palo Alto Networks customer, such users may be redirected to the relevant
customer/employer for a response.

6. Data Portability
Your systems administrators and your authorized users can download any data stored in the Prisma
Cloud console and/or API (which includes your Personal Data).

7. Retention and Deletion of Personal Data


Upon termination or expiration of the Prisma Cloud service, Palo Alto Networks will delete Personal
Data stored in the Prisma Cloud console and/or API (which is described in Section 2 above) within 120
days, except in the cases of the Infrastructure as Code module, Software Composition Analysis
module, Secret Scanning module and CI/CD Security module, where Personal Data will be deleted
within 365 days.

Upon your written request, Palo Alto Networks can delete such Personal Data within 60 days.

8. Security of Personal Data

Securing Personal Data


Palo Alto Networks supports a defense-in-depth security model to help protect your data at all
stages of its lifecycle, in transit, in memory, and at rest, as well as through key management.

● The Trust 360 Program details the corporate-wide security, compliance, and privacy controls
in place to protect our customers’ most sensitive data.
● Palo Alto Networks Information Security Measures document details the technical and
organizational measures that will be implemented by us to secure systems, processes and
data. This document forms part of Palo Alto Networks Data Protection Agreement.

9. Resources
For more general information about Palo Alto Networks Privacy and Security Practices, please visit
our Trust Center.

About This Datasheet


Please note that the information provided with this Datasheet may be subject to change, provided
however that such change will not result in a material degradation of the security posture of the
platform. Information concerning warranties and compliance with applicable laws may be found in
Palo Alto Networks End User Agreement.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html.
All other marks mentioned herein may be trademarks of their respective companies.
