Demisto Inc.

Last updated on: Mar 28, 2019

Note: As of March 28, 2019, Demisto has merged with a subsidiary of Palo Alto Networks. Any reference to Demisto in this Privacy Policy shall refer to Palo Alto Networks, Inc. and its affiliates. 

Demisto Inc. and its affiliates (“Demisto”, “we”, “our” or the “Company”) respect the privacy of their Users and are committed to protecting the personal information that their Users share with them. We believe that you have a right to know our practices regarding the information we may collect and use when you use our website and our Service.

Demisto provides a solution for Security Orchestration, Automation and Response which may contain communication and content (e.g. websites, user names and documents shared) (“Content”) with the aim of assisting in the security operations process (“Products” or “Services”). The policy also governs your use of the company’s website available at: (the “Site”).

A User may be either an entity which executed an agreement with Demisto or with Demisto’s resellers or distributors who provide Demisto’s services (“Customer”) or Customer’s users of the services or visitors of the website (“End User(s)”) (collectively “Users” or “you”).

Demisto is committed to protecting the privacy of its Users. We do not share, sell, rent, trade or loan personal data to third parties, other than as set out in this policy and our Terms and Conditions.

This Policy (the “Privacy Policy”) explains the types of information we may collect from Users or that Users may provide when visiting the website or using the Services. This Policy also describes Demisto’s practices for collecting, using, maintaining and processing information.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. By using our Services, you acknowledge you have read, agreed and understood this privacy policy.

For the purposes of European Economic Area data protection law (the “EU Data Protection Law”), the data controller of information provided through the Products or Services is the Customer and for information provided through the use of the Site is Demisto Inc. (see communication details below).

  1. Which information may we collect?

Categories of information and data we may collect from our Users.

  1. Data we collect about you from your use of the Site or Services

Demisto doesn’t collect information from its Services provided on an “on-premise” model. The use of the term “Services” under this policy in connection with collection or processing of data or information refers to services provided through a SaaS model and on Demisto’s managed servers.

The first type of Data is non-identifiable and anonymous information (“Non-personal Information”). We are not aware of the identity of the User from which we have collected Non-Personal Information. Non-Personal Information is any unconcealed information which is available to us while Users are using the Site and Services.

Non-personal Information which is being gathered through your use of the Site consists of technical information and behavioral information which may include the User’s Internet protocol (IP) address used to connect your computer to the Internet, your uniform resource locators (URL), operating system, type of browser, browser plug-in types and versions, screen resolution, Flash version, time zone setting, the User’s ‘click-stream’ on the website, the period of time the User visited the website, methods used to browse away from a page, and any phone number used to call our customer service number.

Non-personal Information which is being gathered through your use of the Services (if controller chose to have the data stored on our managed servers) consists of technical information and behavioral information which may include type of browser, browser plug-in types and versions, screen resolution and the User’s ‘click-stream’ on the website.

  1. Data you give us

The second type of Data is individually identifiable information (“Personal Information”).

This information may identify you and may be of a private and/or sensitive nature (if you chose to upload such data). This is information about you that you give us by filling in forms on our Site or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you register on our Site, license our Service, submit a query, and when you report a problem with our Site.

This may include your IP address (gathered through the Site) and unique identifiers, username, email address, full name and your phone number, all if you choose to provide us actively as part of the Site and Services.

  1. Data we collect about you from Third Parties

This is information we receive about you but which you have not given us directly and will include information we collect about you from your use of other websites or services that we may provide or other end user’s use of the Services.

You do not have any legal obligation to provide any information to Demisto; however, we require certain information in order to provide the Services. If you choose not to provide us with certain information we may not be able to provide you with the Services.

Demisto may not be aware of the nature of the information collected through the Services. Such information may include Personal Information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings or any other data considered as sensitive under applicable law (“Sensitive Information”). Please contact your applicable Controller for more information about the data it chose to collect.

You are responsible for maintaining the security of any and all log-in information used by you in connection with our Products and Services (e.g. user name and password) and ensuring that they are not passed on to or used by others. You are responsible for all actions that take place under your account(s) to the extent possible under applicable law (without derogating from our obligations under any applicable law and contractual obligations with our Customers).

  1. How do we collect information on Users of Demisto™?

There are two main methods we use:

  • We collect Non-Personal Information through your use of our Site and/or Service (for Demisto’s services utilizing our managed servers, i.e. not an on-premise service). In other words, when you are using the Site and/or Service we are aware of it and may gather, collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below.
  • We collect Personal Information which you provide us voluntarily. We collect Personal Information required to operate the Service (for Demisto’s services utilizing our managed servers, i.e. not an on-premise service) when you or the Customer’s administrator registers and opens an account. We also may collect Personal Information entered voluntarily by other Users about you if Controller chose to collect such data. If Controller chooses to, it may combine through the system information a User provided with information other Users provided about an individual.
  1. Why do we collect such Data?

Information you give us through the Services:

  • We will use this information in our legitimate interests, where we have considered these are not overridden by your rights:
    • carry out our obligations arising from any contracts entered into between our Customer and us and to provide you with the information, products and Services that you request from us;
    • administer your account with us;
    • notify you about changes, offers and additions to our Service;
    • contact you for the purpose of providing you with technical assistance and other related information about the Service;
    • reply to your queries, troubleshooting problems, detect and protect against error, fraud or other criminal activity;
    • ensure in our legitimate interests that content from our Service is presented in the most effective manner for you and for your computer.

Information we collect about you from your use of our Site

  • We will use this information in our legitimate interests, where we have considered these are not overridden by your rights:
    • to administer our Site under our terms and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
    • to keep our Site safe and secure;
    • for measuring or understanding the effectiveness of content we serve to you and others, and to deliver relevant content to you;
    • to improve our Site to ensure that content is presented in the most effective manner for you and for your computer;
    • to allow you to participate in interactive features of our Site, when you choose to do so;
    • to make suggestions and recommendations to you and other Users of our Site about Services that may interest you or them.
  1. Sharing Data gathered with third parties

Except as provided in this Policy, we do not sell, trade, lease, rent, or otherwise transfer your personally identifiable information to outside parties. We may give your Data to:

Members of our Group

Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, who support our processing of personal data under this policy.

Third Parties

Our selected third parties may include:

  • business partners, suppliers, affiliates, agents and/or sub-contractors for the performance of any contract we enter into with you. They may assist us in providing the Services we offer and the Site, fulfilling requests for information, receiving and sending communications, updating marketing lists (from information gathered through our Site only), analysing data, providing IT and other support services or in other tasks, from time to time. These third parties will only use your information to the extent necessary to perform their functions;
  • analytics and search engine providers that assist us in the improvement and optimisation of our Site and subject to the cookie section of this policy;
  • data processors who process your personal data on our behalf in connection with the Services and in accordance with our instructions and applicable data protection law. A full list can be seen below:

| Name | Description | Privacy Policy |
| --- | --- | --- |
| Amazon | Infrastructure and backups for Controller which chose to use such storage services or the SaaS model of Services | |
| WalkMe | Adoption platform as part of the Service interface | |

  • We will disclose your personal information to third parties:
    • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets subject to the terms of this privacy policy.
    • If Demisto or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
    • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply and other agreements with you; or to protect the rights, property, or safety of Demisto, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.
    • to enforce this Privacy Policy and/or contracts executed with Demisto, including investigation of potential violations thereof and to detect, prevent, or otherwise address fraud, security or technical issues in connection with the Service or Site;
    • to protect the rights, property, or personal safety of Demisto, its Users, or the general public if Demisto has a good faith belief that the law requires us to do so, with or without notice (we will endeavor to provide you with prior notice but we are not obligated to do so).

Service providers for the Site may be located in a country that does not have the same data protection laws as your jurisdiction. When Demisto transfers data to a service provider, we seek when practical to transfer data only upon executing an appropriate agreement and/or in case of data containing information about EU citizens, after the certification of the service provider under the E.U.-U.S. Privacy Shield and/or with service providers that are located in a country recognized by the E.U. Council as providing adequate protection.

  1. Where do we store your data?

For Users of the Site: The Data we collect from you is hosted on servers located in the US. Demisto’s headquarters are based in the US with a subsidiary in Israel. Data we collect from you may be transferred to, and stored at, a destination outside of your jurisdiction that may not be subject to equivalent Data protection laws.

For Users of the Services: Demisto doesn’t collect information from its Services provided on an “on-premise” model. For Services under the SaaS model and using Demisto’s managed servers, the information we collect about you is hosted on the Amazon Cloud in a place chosen by the Customer (the data Controller). Amazon servers provide advanced security features and are compliant with the ISO 27001 standard. We will not change the place we store data other than as agreed by the Customer. Live Backup (DR) services and backups may be stored in a different region on the same continent.

  1. Data Retention

Any Customer may request information regarding the storage and retention of data (“Audit”) by contacting us. Demisto shall make reasonable efforts to respond to the Audit in a reasonable time and subject to applicable law and to the protection of Demisto’s trade secrets. Customer’s personnel shall be required to execute some non-disclosure agreements.

Unless agreed otherwise with the Customer, this policy shall govern the retention operation of Demisto. Demisto will retain data it processes on behalf of its Customers only for as long as required to provide the Service to its Customers and as necessary to comply with its legal obligations, resolve disputes and enforce its agreements. The data in Demisto’s managed servers is backed up for system continuity purposes and each backup file may be stored for 12 months (unless agreed otherwise with Customer or required for Demisto’s legitimate reasons for forensics and security reasons, without materially adversely affecting End User’s rights).

Each User must keep the appropriate backup of its data. Unless backup services are provided by Demisto, it shall not be responsible for any deletion of data or for any breach to database or for any erroneous data unless otherwise agreed with its Customer.

After (i) a request from the Controller to delete any data, (ii) a deletion of data from Demisto’s interface, or (iii) termination of an account and/or agreement with Customer, an automated process will begin that permanently deletes the data in accordance with the timelines set forth in the tables below. Once begun, this process cannot be reversed and data will be permanently deleted.

| Type of Data | Timeline for Deletion (after deletion process begins) for Cancellation, Termination or Migration |
| --- | --- |
| User names | 30 days |
| Documents | 30 days |
| Backups | 12 months |
| Logs | 60 days |
| Archived Documents | 60 days |
| Access Logs and certain forensic data pertaining thereto | 24 months (unless otherwise agreed with a Customer) |

Similarly, Demisto collects and retains metadata and statistical information concerning the use of the Service and Site which are not subject to the deletion procedures in this policy and may be retained by Demisto for no more than required to conduct its business. Some data may be retained also on our third-party service providers’ servers in accordance with their retention policies. Please note that deleting certain incident data may affect the ability to produce proof of forensic data and we strongly recommend careful consideration before deleting such data.

Customer may retain Personal Information and other information about an End User which it owns and the End User may have no access to. If you have any questions about the right of the Customer to retain and process your Personal Information you should raise this directly with the Customer.

Please note that in some cases some data will not be deleted and shall be kept in an anonymized manner. Some metadata and statistical information concerning the use of the Site are not subject to the deletion procedures in this policy and may be retained by Demisto. We will use that information to help develop and improve our Site. Some data may also be retained on our third-party service providers’ servers until deleted in accordance with their privacy policy and their retention policy.

  1. Cookies & local storage

When you access or use the Site, Company may use industry-wide technologies such as “cookies” or similar technologies (web beacons etc.), which store certain information on your computer (“Local Storage”) and which will allow us to enable automatic activation of certain features, and make your Site experience much more convenient and effortless.

The cookies used by the Service are created per session and do not include any information about you, other than your session key (usually removed as your session ends but sometimes can be kept in your device for no more than 6 months) and the ability to login again quickly.

Most browsers will allow you to erase cookies from your computer’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored. However, if you block or erase cookies your online experience with the Site may be limited. If you only disable third party cookies, you will not be prevented from making purchases on our sites. If you disable all cookies, you will be unable to use our Services.

We use Cookies and other technologies on the basis that using them is in our legitimate interests (where we have considered that these are not overridden by your rights). Demisto uses secured Cookies. That means a cookie with a secured flag, which can only be transmitted over an encrypted connection. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

We use the following types of Cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our Site and under our terms with you. They include, for example, cookies that enable you to log into secure areas of our Site.
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our Site when they are using it. This helps us for our legitimate interests of improving the way our website works, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies. These are used to recognise you when you return to our Site. This enables us, subject to your choices and preferences, to personalise our content, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies. These cookies record your visit to our Site, the pages you have visited and the links you have followed. We will use this information subject to your choices and preferences to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

If you want to disable cookies on our site, you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Except for essential cookies, some cookies used on our site may expire after the session ends and some may be retained for a longer period of time as can be seen in the cookie section in your browser. You can find more information about certain individual cookies we use and the purposes for which we use them here:

| Tools | Type of Cookie | Privacy Policy | Purpose |
| --- | --- | --- | --- |
| Facebook Custom Audience | Advertising | | To target the audience on Facebook through ads. |
| Google AdWords Conversions | Advertising | | To target the audience on Google Search and displayed through ads. |
| HubSpot | Advertising | | As a marketing automation suite and to track a customer’s journey on our website. |
| LinkedIn Ads | Advertising | | To target the audience on LinkedIn through ads. |
| Google Analytics | Site Analytics | | To track user analytics and behavior on the PushCrew website. |
| PushCrew | Customer Interaction | | For customer engagement through push notification on the web. |
| Twitter Ads | Advertising | | To target the audience on Twitter through ads. |
| Wistia | Video Player | | To track the videos watched on our website for analytics. |

  1. Security and storage of information

We take great care in implementing, enforcing and maintaining the security of the Service, Site and our Users’ Personal Information. Demisto implements, enforces and maintains security policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of personal data and monitors compliance with such policies on an ongoing basis.

All Personal Information is stored with logical separation from information of other customers. However, we do not guarantee that unauthorized access will never occur.

Demisto limits access to personal data to those of its personnel who: (i) require access in order for Demisto to fulfil its obligations under this Privacy Policy and agreements executed with Demisto; (ii) have been appropriately and periodically trained on the requirements applicable to the processing, care and handling of the Personal Information; and (iii) are under confidentiality obligations as required under applicable law. Demisto takes steps to ensure that its staff who have access to personal data are honest, reliable, competent and periodically properly trained.

We use a combination of processes, technology and physical security controls to help protect Personal Information and Personal Data from unauthorized access, use, or disclosure. When Personal Information or Personal Data is transferred over the Internet, we encrypt it using Transport Layer Security (TLS) encryption technology or similar technology. Each server is protected by a firewall, exposing it only to the minimum ports necessary. However, no security controls are 100% effective, and we cannot completely ensure or warrant the security of your Personal Information and Personal Data.

Demisto shall act in accordance with its policies to promptly notify Customer in the event that any personal data processed by Demisto on behalf of Customer is lost, stolen, or where there has been any unauthorized access to it subject to applicable law and instructions from any agency or authority. Furthermore, Demisto undertakes to co-operate with Customer in investigating and remedying any such security breach. If any security breach involves Personal Information, Demisto shall promptly take remedial measures, including without limitation, reasonable measures to restore the security of the Personal Information and limit unauthorized or illegal dissemination of the Personal Information or any part thereof.

Demisto maintains documentation regarding compliance with the requirements of the law, including without limitation documentation of any known breaches and holds reasonable insurance policies in connection with data security.

  1. Job applications

We may collect information provided to us by job candidates (“Applicants”) when they apply to a position in our super great company. Demisto welcomes all qualified Applicants to apply to any of the open positions by sending us their contact details and CV (“Applicants Information”). Applicants Information will be maintained, processed and stored in Israel, US and in the applied position’s location(s), and as necessary, in secured cloud storage provided by our Third Party Services.

We are committed to keep Applicants Information private and use it solely for our internal recruitment purposes (including for identifying Applicants, evaluating their applications, making hiring and employment decisions, background checks on Applicants and contacting Applicants by phone or in writing).

Please note that Demisto may retain Applicants Information submitted to it even after the applied position has been filled or closed for no more than 12 months thereafter so we can re-consider Applicants for other positions and opportunities and in case the Applicant is hired, for additional employment and business purposes related to his/her work.

If you previously submitted your Applicants Information to Demisto, and now wish to have it deleted, please contact us via the company website. We will be happy to assist in any manner.

  1. General and Individual’s End User’s Rights

Demisto processes data fairly, lawfully, in a transparent manner and in accordance with individuals’ rights (as applicable). The use of information collected through our Services shall be limited to the purpose of providing the service for which our Client has engaged Demisto or, if collected through the Site or other marketing means, to Demisto’s legitimate interests, where we have considered these are not overridden by your rights.

Demisto may process data of an End User on behalf of the Controller when the Controller obtains consent from an End User or when there is another basis for doing so under applicable law. Customers who cause Demisto to process Personal Information of an End User are obligated to hold all appropriate consents (if applicable) and may only utilize the Services pursuant to applicable law. If you are an End User of the Services, please contact the Controller for additional details. Demisto supports End Users’ rights to retrieve any information retained on its servers which relates to such End User. Demisto acknowledges that you may have the right to access your Personal Information. We have processes in place to accommodate an End User’s rights to delete data, amend erroneous data, access data and receive Personal Data or Sensitive Data in a machine-readable, commonly used format, all subject to reasonable technical restraints and abilities.


We do not knowingly collect or solicit information or data from children under the age of 13 or knowingly allow children under the age of 13 to register for the Demisto Service. If you are under 13, do not register or attempt to register for any of the Demisto Service or send any information about yourself to us. If we learn that we have collected or have been sent Personal Information or Personal Data from a child under the age of 13, we reserve the right to delete that Personal Information or Personal Data as soon as reasonably practicable. If you believe that we might have collected or been sent information from a child under the age of 13, please contact us via the company website as soon as possible.


The terms of this Privacy Policy will govern the use of the Site and Service and any information collected in connection therewith, however, Demisto may amend or update this Privacy Policy from time to time. The most current version of this Privacy Policy will always be posted at We will endeavor to provide notice of material changes to this policy on the homepage of the Site and/or via an e-mail. Such material changes will take effect seven (7) days after such notice was provided on our Site or sent by email. Otherwise, all other changes to this Privacy Policy are effective as of the stated “Last Revised” date and your continued use of the Site and/or Services will constitute your written acceptance of, and agreement to be bound by, the changes to the Privacy Policy.


If you have any questions (or comments) concerning this Privacy Policy, you are welcome to send us an email or otherwise contact us at the following address and we will make an effort to reply within a reasonable timeframe.

E.U. citizens have the right to lodge a complaint with a supervisory authority (Data Protection Authority in your jurisdiction) in case of a breach of any E.U. data protection and privacy regulations. If the supervisory authority fails to deal with a complaint or inform you within the time frame set under applicable law, you have the right to an effective judicial remedy.

Please do not hesitate to contact us via the contact us section in the website

DPO for Demisto Inc.
address: 10061 Bubb Road, Ste 300, Cupertino, CA 95014

