Darktrace Privacy & Data Protection Policy
Darktrace Holdings Limited (“Darktrace”) is committed to protecting and respecting your privacy. Darktrace collects, uses and keeps information in compliance with the UK Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the California Consumer Privacy Act (“CCPA”) and all relevant regulations.
This Privacy Policy (the “Policy”) is issued on behalf of the Darktrace Group (meaning Darktrace Holdings Limited, its affiliates and subsidiaries) so when we mention “Darktrace”, “we”, “us” or “our” in this Policy, we are referring to the relevant company in the Darktrace Group responsible for processing your personal data.
This Policy aims to give you information on how Darktrace collects and processes your personal data. Please read the following Policy to understand how we collect and use your personal data, for example when you contact us, visit our website (Site), apply for a job, or use our products and services.
Information Darktrace may collect from you
Darktrace may collect and process the following data about you:
- Contact and Identity Data such as your name, email, address and phone number. Phone numbers are used for two factor authentication and support services.
- Technical Data including your Internet Protocol (IP) address, login data, operating system and web browser type, browser plug-in types and version, traffic data, location data and other communication data, and the resources that you access.
- Usage Data including how you use our website, products and services.
- Profile Data including usernames, passwords, and feedback data.
- Marketing and Communications Data including your preferences in receiving marketing from us and your communication preferences.
How Darktrace may collect your personal data
Darktrace may collect your personal data when you:
- Contact us and/or provide feedback.
- Enter and use our website: As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
- Provide contact details (e.g. giving business cards) at a marketing event.
- Request and receive marketing communications.
- Submit a job application: If you are making a job application or inquiry, you may provide us with a copy of your CV or other relevant information. We may use this information for the purpose of considering your application or inquiry. Except when you explicitly request otherwise, we may keep this information on file for future reference.
- Purchase our products and services: If you purchase or use our products or services, we may use your personal data for purposes which include but are not limited to:
- verifying your credentials,
- carrying out end user compliance checks for export control purposes,
- processing orders and generating billing information.
Additionally, Darktrace may collect data about you:
- Through our business relationships and contacts.
How Darktrace may use your personal data
Darktrace may use the personal data held about you in the following circumstances:
- To perform the contract we are about to enter into or have entered into with you, including notification of changes to our products and services.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation.
- To provide you with information, products or services that you request from us, or which Darktrace feel may interest you, where you have consented to be contacted for such purposes.
- To allow you to participate in interactive features of our products or service, when you choose to do so.
We have set out below, in a table format, a description of the primary ways we may use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Purpose/Activity | Lawful basis |
| To register you as a customer or account holder | Performance of a contract with you |
| To manage our relationship with you | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
| To use data analytics to improve our website, products/services, marketing, customer relationships and experiences | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | Necessary for our legitimate interests (to develop our products/services and grow our business) |
Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that Darktrace does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Use under the CCPA
We do not sell any data captured as part of your use of Darktrace’s products or services. Our public website uses Google Analytics, which may be considered exchanging data for valuable consideration under CCPA.
You can find out more about the data Google Analytics collects in their privacy policy.
If you wish to opt out of Google Analytics, you can use the opt-out browser add-on from Google.
Marketing
Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
If you are an existing customer, Darktrace will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those that were the subject of a previous sale to you.
You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you OR by contacting us via email at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase.
We will not sell or rent your data to third parties or share your data with third parties for marketing purposes. We may use third party software to send you information for marketing purposes, but such third parties will not have access to or be able to read your personal information.
If you receive an email which claims to come from us but does not use our domain, or if you are suspicious that an email may not be approved by us, then please send a copy of the email to [email protected] so we can investigate.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.
Where your personal data is stored
Your personal data is securely stored by Darktrace on the Darktrace servers located in Cambridge, United Kingdom. Darktrace has set up systems and processes to prevent unauthorized access or disclosure of your personal data.
Transferring personal data
As a global company, we have international sites and users all over the world. When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA, who work for us or for one of our suppliers. Darktrace places substantial importance on protecting the confidentiality of personal information and seeks the cooperation of all its suppliers in furthering this goal. Darktrace will only transfer personal information to a supplier where the supplier has provided assurances that they will provide at least the same level of privacy protection as is required by this Policy. Where Darktrace has knowledge that a supplier is using or sharing personal information in a way that is contrary to this policy, Darktrace will take reasonable steps to prevent or stop such processing.
Security
Darktrace endeavours to hold all personal data securely in accordance with our internal security procedures and applicable law. We update and test our security on an ongoing basis. Darktrace will do its best to protect your personal data, but Darktrace cannot guarantee the security of your data transmitted to our Site through the internet; any such transmission is at your own risk. Once Darktrace have received your information, Darktrace will maintain appropriate administrative, physical, technical and organizational measures to protect your personal data accessed or processed by Darktrace against unauthorized or unlawful processing or accidental loss, destruction, damage or disclosure.
Disclosure of your information
We may share or disclosure your personal data with the parties set out below:
- Within the Darktrace Group for the fulfilment of the activities described in the table above.
- To third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
- To third parties, if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of Darktrace, or others.
Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data can be requested via our Data Privacy Officer at the contact details provided below.
Your legal rights
GDPR gives you the right to access information held about you. Your right of access can be exercised in accordance with the GDPR.
You have the right to request by contacting [email protected].
- information about how your personal data is processed;
- a copy of your personal data;
- an immediate correction to your personal data.
You can also:
- raise an objection about how your personal data is processed;
- request that your personal data is erased if there is no longer a justification for it;
- ask that the processing of your personal data is restricted in certain circumstances;
- opt out of the use of your personal data for any purposes or a specific purpose, such as the Darktrace Customer Portal.
If you are a resident of California, you have certain rights under the CCPA:
- Right to request disclosure about personal data from a business.
- Right to access personal information held by a business.
- Right to request the deletion of personal data.
- Right to avoid discrimination for exercising their rights.
- Right to opt-out of website requirements.
You can make these requests by emailing [email protected].
Changes to our Privacy & Data Protection Policy
Darktrace reserves the right to amend this Privacy and Data Protection Policy at any time, for any reason, without notice to you, other than the posting of the amended Privacy and Data Protection Policy at this Site. You should check our Site to see the current Privacy and Data Protection Policy that is in effect and any changes that may have been made to it.
This policy was last amended on 20 February 2020.
Data Privacy Officer
Darktrace is headquartered in Cambridge, United Kingdom. Darktrace has appointed an internal Data Protection Officer for you to contact if you have any questions or concerns about Darktrace’s Privacy and Data Protection Policy. The contact information for the Darktrace Data Protection Officer is as follows:
Jon Coy
Darktrace Holdings Limited
Maurice Wilkes Building
St John’s Innovation Park
Cowley Road
Cambridge
United Kingdom
CB4 0DS
[email protected]
Darktrace Cookie Policy
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our Site.
What are cookies?
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
Types of cookies
- Session cookies: these cookies remain in your browser during your browser session only, i.e. until you leave the website.
- Persistent cookies: these cookies remain in your browser for a set period of time after the browser session (unless deleted by you).
Categories of cookies
- Strictly necessary cookies. These are cookies that are required for the operation of our website, enabling core functionality such as security, network management and accessibility.
- Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve our website, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.
Cookies we use
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
Cookie source & ID | Type | Purpose & duration |
| Darktrace CookieControl | Functional | This cookie is used to remember a user’s choice about cookies on Darktrace.com. Where users have previously indicated a preference, that user’s preference will be stored in this cookie. |
| Darktrace PHPSESSID | Functional | Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is a random generated number to be used for maintaining a logged-in status for a user between pages. This expires when the browsing session ends. |
| Google Analytics _ga _gat _gcl_au _gid | Analytical or Performance | These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in a way that does not directly identify anyone, including the number of visitors to the website and blog, where visitors have come to the website from and the pages they visited. Expiration: Read Google’s overview of privacy and safeguarding data. To opt out of being tracked by Google Analytics across all websites, visit tools.google.com/dlpage/gaoptout. |
| Cloudflare _cfduid | Strictly Necessary | This cookie helps Cloudflare detect malicious visitors to the website and minimises blocking legitimate users. It collects and anonymises End User IP addresses using a one-way hash of certain values so they cannot be personally identified. The _cfduid cookie does not: allow for cross-site tracking, follow users from site to site by merging various _cfduid identifiers into a profile, or correspond to any user ID in a visitor’s web application. Expires after 30 days. |
Third party cookies
Please note that Darktrace uses third party cookies, which are set by a third party domain. These named third party cookies typically occur when the website incorporates elements from other sites, such as images, social media plugins or advertising.
Cookie source & ID | Type | Purpose & duration |
| DoubleClick IDE | Targeting | Third party cookie set by DoubleClick to ensure that browsers are not served the same advert multiple times. They do not capture any personal information. Expires after two years. If a user opts out of ads personalisation using Google’s Ad Settings, they will no longer receive personalized advertising from Google. To opt out, visit: https://support.google.com/ads/answer/2662856?hl=en&ref_topic=7048998. |
| Vimeo player vuid | Analytical | We embed videos from our official Vimeo channel. When you press play, Vimeo will drop third party cookies to enable the video to play and to collect analytics data such as how long a viewer has watched the video. These cookies do not track individuals. Expires after two years. You can opt out of non-essential cookies from Vimeo at https://vimeo.com/cookie_policy and we recommend you read the cookie policy for more information. |
| YouTube Visitor_Info_1_live APISID CONSENT HSID LOGIN_INFO PREF SAPISID SID SSID VISITOR_INFO1_LIVE YSC GPS remote_sid | Performance | Third party cookies to enable embedded YouTube videos on the website We embed videos from our official YouTube channel using YouTube’s privacy-enhanced mode. This mode may set cookies on your computer once you click on the YouTube video player, but YouTube will not store personally-identifiable cookie information for playbacks of embedded videos using the privacy-enhanced mode. To find out more please visit YouTube’s embedding videos information page. The cookies’ expiration dates vary: some expire after the session ends, others after twenty years. More information about YouTube’s use of cookies, and how to opt out, can be found at: |
| LinkedIn _bizo | Targeting | The LinkedIn Insight Tag is a piece of lightweight JavaScript code that we have added to our websites to enable in-depth campaign reporting and to help us unlock valuable insights about our website visitors. We use the LinkedIn Insight Tag to track conversions, retarget website visitors, and unlock additional insights about members interacting with our LinkedIn adverts. The LinkedIn Insight Tag enables the collection of metadata such as IP address information, timestamp, and events such as page views. All data is encrypted. Expires after 6 months. You can opt out of cookies from LinkedIn on your LinkedIn settings page and we recommend you read their Cookie Policy for more information. |
| Facebook Pixel fbevents.js | Targeting | Third party cookie placed by Facebook. This enables Darktrace to measure, optimize and build audiences for advertising campaigns served on Facebook. It enables Darktrace to see how users move between devices when accessing the Darktrace website and Facebook, to ensure that Darktrace’s Facebook advertising is seen by our users most likely to be interested in such advertising, by analysing which content a user has viewed and interacted with on the Darktrace website and to ensure that browsers are not served the same advert multiple times. To opt-out please see https://www.facebook.com/ads/preferences. |
| Twitter Conversion Tracker uwt.js | Targeting | Third party cookie placed by Twitter. This enables Darktrace to learn how users have interacted with Darktrace advertising served to them on Twitter. It enables Darktrace to identify users who have used their mobile device to view Darktrace advertising on Twitter and later came to the Darktrace website on a desktop computer and to ensure that browsers are not served the same advert multiple times. To opt-out please see http://optout.aboutads.info/#/. |
| Salesloft sliguid slireg slirequested | Targeting | Third party cookie placed by Salesloft, for use in live website tracking to help identify and qualify leads. The cookies’ expiration dates vary: some after one week, some after five years. |
| 6sense 6suuid | Targeting | Third party cookie placed by 6sense, that analyzes anonymous website interactions and provides sales and marketing teams with actionable insight for the company, including advertising retargeting. The data is managed and processed in the United Kingdom. View 6sense’s privacy policy at https://6sense.com/privacy-policy/. |
| Demandbase IUUID TUUID | Targeting | Third party cookies placed by Demandbase, used for performance and optimization of data and reporting, as well as for analytics and advertising services provided by Demandbase. The cookies expire after two years. |
We encourage you to consult the privacy policies of these third party vendors on their websites for information regarding their use of cookies.
Controlling cookies
You may see a “cookie banner” on our websites and dashboards, which is provided in order for us to obtain consent to the use of cookies. If you consent to the use of cookies by clicking “Accept Cookies” or determine to continue browsing without clicking either “Accept Cookies” or “No Thanks”, the first party non-essential cookies detailed herein will be set.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies.
If you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website.
To find out more on how to manage and delete cookies, visit www.aboutcookies.org and www.youronlinechoices.com.
Changes to our Cookie Policy
Darktrace reserves the right to amend this Cookie Policy at any time, for any reason, without notice to you, other than the posting of the amended Cookie Policy here.
You should check our website to see the current Cookie Policy that is in effect and any changes that may have been made to it.
This policy was last amended on 5 August 2020.
Darktrace Modern Slavery Act Statement
| 1 | Statement |
| 1.1 | This statement is made pursuant to Section 54 of the Modern Slavery Act 2015 and sets out the steps Darktrace plc, on behalf of itself and its wholly-owned subsidiary Darktrace Holdings Limited (together with the subsidiaries of Darktrace Holdings Limited, the “Darktrace Group”) has taken during the fiscal year ended 30th June 2021 (“FY 2020-21”) and will continue to take to ensure that modern slavery or human trafficking is prevented. |
| 1.2 | The Darktrace Group applies a zero-tolerance approach to any form of modern slavery. We are committed to acting with transparency in all business dealings, preventing modern slavery taking place within our business or supply chains. |
| 2 | Our Business & Risks |
Darktrace plc is a public listed company, trading on the London Stock Exchange main market for listed securities under the ticker DARK. Darktrace plc is registered under the laws of England and Wales. Its wholly-owned subsidiary Darktrace Holdings Limited is a private limited company registered in England and Wales. Taken as a whole, the Darktrace Group is a global cyber security company, and during FY 2020-21, maintained approximately 44 offices worldwide. Given the nature of the Darktrace Group’s business, we believe there is a very low risk that modern slavery and human trafficking would be present in our supply chains or affect our business. | |
| Our Products & Services | |
Our main business is the research, development, and sales of cyber security software. We provide our proprietary software to thousands of customers in the United Kingdom and around the world. Our customers span enterprises of all sectors and sizes. We sell our software to customers directly as well as through a robust channel of resale partners. While not part of our supply chain, we nevertheless expect members of our channel to adhere to our ethical standards, as discussed more below. We primarily deliver our software to customers through two avenues: by hosting instances of our software in the cloud, or by utilizing hardware appliances, on which our software comes pre-installed. For hosting services, we utilise industry-standard providers, namely Microsoft Azure and Amazon Web Services. Our hardware is sourced from reputable suppliers in the United Kingdom and Ireland, with whom we have longstanding relationships; the hardware is manufactured in the United Kingdom or the Czech Republic. Additional details concerning our supplier relationships are provided in section 4, under Due Diligence, Assessment of Modern Slavery Risk & Supplier Commitments, below. The development of our software is conducted entirely in-house by our employees. Sales activities are similarly conducted by our employees, who are based out of our offices worldwide. | |
| Our Workforce | |
The vast majority of our workforce are full-time employees who are office-based and employed either by Darktrace Holdings Limited or one of its wholly-owned subsidiaries in the relevant territory. However, given the ongoing COVID-19 pandemic, which continued throughout the entire duration of FY 2020-21, members our workforce have either performed their duties entirely from home or been on hybrid models where they spent a few days per week in an office. Our guidance has varied by territory and been in compliance with local COVID-19 lockdown restrictions. Our human resources team managed the hiring of staff as well as taking responsibility for their well-being and the Darktrace Group’s compliance with applicable labour laws wherever they were working. | |
| 3 | Our Policies; Training |
The Darktrace Group maintains a number of internal policies and procedures throughout the business, reflecting our commitments to our ethical standards and acting with integrity and transparency in our business relationships. These policies are made available on our internal Intranet site to all employees, and to customers upon their request. The Darktrace Group periodically reviews and updates our policies to reflect evolving industry norms and best practices.
All employees are required to review and acknowledge these policies and certain topics are the subject of mandatory compliance trainings such as Preventing Workplace Harassment. During the coming fiscal year the Darktrace Group plans to develop and require our staff to complete additional trainings on the above policies. As discussed below, the Darktrace Group has also implemented various controls including a country grading scheme to better assess risks in various territories around the world. Our staff are advised and trained to take particular care with organisations that provide services from higher risk territories. Staff are also advised to notify the Darktrace Group Legal and HR teams immediately if they have any concerns that modern slavery is taking place within the business or supply chain, so that appropriate action can be taken. | |
| 4 | Our Suppliers |
| 4.1 | Our process for contracting with suppliers includes checks to remain vigilant to any risk of modern slavery and human trafficking. These may include (but are not limited to):
|
| 5 | Compliance with Section 54 of the Modern Slavery Act 2015 |
No reports from employees, the public, or law enforcement agencies have been identified to indicate that modern slavery practices are taking place within our business or supply chains. We are continually committed to keeping this policy current and relevant. This statement will be monitored and reviewed annually. | |
| 6 | Approval |
This statement was approved by the Board of Darktrace plc on 24th November 2021. |
Signed
Gordon Hurst
Director
26 November 2021
Darktrace Public Tax Strategy
Introduction
Founded and headquartered in Cambridge, UK, Darktrace was started in 2013 by mathematicians and cyber defense experts from the University of Cambridge. The company was the first to develop autonomous AI technology for cyber security. Since inception, Darktrace plc and its subsidiaries (together ‘the Group’) have grown rapidly and today the Group, headquartered in Cambridge, UK, employs over 1,600 employees worldwide. The Group’s tax strategy for period ending June 30, 2022 has been prepared in accordance with paragraph 19(2) of Schedule 19 to Finance Act 2016. This strategy applies to all UK and worldwide taxes, which include, but are not limited to:
- All corporate income taxes
- Indirect taxes (e.g. VAT)
- Employment taxes (e.g. PAYE, National Insurance)
- Other applicable tax matters
The Group’s tax strategy aims to ensure that all tax affairs are conducted in a manner which is transparent and in compliance with local tax requirements.
This strategy is reviewed annually and applies from the date of publication until superseded.
Governance
The Group Tax Department is responsible for the delivery of tax strategy approved by the Board of Directors (‘the Board’). Reporting to the Group Chief Financial Officer (‘CFO’) and overseeing all tax activities across the Group entities, the department is based in Cambridge and is an integral part of the central Group finance function. The Group Tax Department is responsible for all tax matters, providing advice and support to Group level functions, supporting the Group in respect of significant transactions, as well as managing tax compliance obligations. The Group Tax Department is also responsible for the development, maintenance and review of tax procedures, controls, and policies.
The Group’s CFO participates in all substantive decisions involving tax matters and is regularly informed about relevant tax developments impacting the Group, raising tax issues to the Board as appropriate.
Attitude to Tax Risk and Tax Planning
As an international organisation, the Group understands that it is exposed to tax risks arising from uncertainties in tax legislation as well as an increasingly complex international tax environment. While it is aware that these risks may not be eliminated completely, the Group endeavours to minimise the risk by ensuring compliance processes are implemented and reviewed, and that external advisors are engaged as and when appropriate.
The Group does not engage in high risk or aggressive tax planning, or artificial transactions whose aim is to gain tax advantage. Any planning around tax is a result of genuine commercial activities and the Group seeks to structure itself in a manner which is compliant with all applicable tax regulations, but which is also efficient. For example, the Group takes advantage of available statutory reliefs, such as R&D tax relief in the UK.
The Group will continue to structure itself in line with business requirements, while ensuring Darktrace has robust controls and processes to allow the Group to manage tax risks effectively, seeking adequate external tax advice as and when required.
Relationship with HMRC and Other Tax Authorities
The Group supports open and transparent relationships with fiscal authorities, including HMRC and all other relevant global tax authorities. This is achieved through prompt exchange of requested information, proactive engagement with the authorities and through open dialogue to address any relevant tax matters.
Any accidental errors which may arise in tax submissions to HMRC or other tax authorities are disclosed as soon as possible once corrections have been identified.
Versioning
This policy was last amended on November 8, 2021. We update and review this policy annually. Any updates will be noted in the version notes below.
Darktrace Vulnerability Disclosure Policy
Initial Scope
Darktrace’s Vulnerability Disclosure Program covers the following products:
- Darktrace Appliances
- Remote access only, ensure you have the permission from the appliance’s owner before testing.
- Exploits that require physical access to the appliance will not be accepted. The appliances are designed to be kept in secure data centres.
- Darktrace Sensors (V, C and OS)
While Darktrace develops a number of other products, we ask that all security researchers submit vulnerability reports only for the stated product list. Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our product security team.
Legal Posture
Darktrace Holdings Ltd will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting Disclosure Program. We openly accept reports for the currently listed products. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Darktrace or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against anything out of scope.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of Darktrace Holdings Ltd or its affiliates (United Kingdom). For example, violating laws that would only result in a claim by Darktrace Ltd based in the United Kingdom may be acceptable as Darktrace Ltd is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before the expiry of the mutually agreed-upon timeframe.
How to Submit a Vulnerability Report
To submit a vulnerability report to Darktrace Holdings Ltd’s Security Team, please make an initial contact by email: [email protected]. We can use standard S/MIME or other secure methods later when gathering the full details.
Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English will have a higher chance of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from us:
- A timely response to your email (within 2 business days).
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and fixed.
If we are unable to resolve communication issues or other problems, Darktrace Holdings Ltd may bring in a neutral third party (such as NCSC) to assist in determining how best to handle the vulnerability.
Versioning
This policy, Version 2.0, was created on 28 April, 2021. We update or review this policy annually. Any updates will be noted in the version notes below.
- Original version created on 1 March, 2021. Darktrace Limited changed to Darktrace Holdings Ltd.