1. Why Us
  2. Trust Center
  3. Privacy

Trust Center


Data Processing & Global Privacy Regulations


Protecting your privacy

Our business is built on integrity, and SailPoint is committed to protecting the personal information of its customers, business partners, employees, and stakeholders. SailPoint utilizes privacy by design to build privacy into our products, services, policies, and procedures to ensure compliance with evolving regulations and customer expectations.

At SailPoint, we are committed to respecting your privacy. We recognize that when you choose to provide us with information about yourself, you trust us to act in a responsible manner and to protect and safely manage any personal information that you share with us. This Privacy Statement explains who we are, how we collect, share and use personal information we collect about you and how you can exercise your privacy rights. If you apply to work as an employee or contractor, please see our HR Privacy Policy for specific information on how we use your personal information.

SailPoint makes an affirmative commitment to adhere to EU-U.S. and Swiss-U.S. Privacy Shield Principles and maintains Privacy Shield certification. The Privacy Shield Principles define a set of requirements that govern the use and handling of personal data transferred from the European Economic Area (EEA) as well as access and dispute resolution mechanisms that participating companies must provide to EEA citizens. While SailPoint maintains Privacy Shield certification, we utilize alternative mechanisms when transferring personal data from the EEA, the UK, or Switzerland to the U.S., such as the EU Standard Contractual Clauses (SCCs). In the course of providing products and services, SailPoint may process personal data provided to SailPoint by our customers. SailPoint offers a Data Processing Addendum (DPA) to incorporate relevant provisions of the General Data Protection Regulation (GDPR) and the UK Data Protection Act of 2018 (UKDPA) into customer agreements.

As required by the GDPR, UKDPA, and other privacy regulations, SailPoint provides users with information regarding affiliates and third-party vendors we engage as sub-processors to assist in providing SailPoint solutions and services.

Further details on SailPoint’s privacy and data protection practices are set forth in our Privacy StatementTerms of UseCookie Notice, and other notices.


All your privacy questions answered

Find answers to common data privacy questions below.

SailPoint provides identity governance software solutions. SailPoint is a data processor for personal data received from or on behalf of our customers in connection with our Software-as-a-Service services (“SaaS Services”), support and maintenance services, and professional services. We offer Data Processing Addendums (“DPAs”), including SCCs, with our customers for the processing of personal data outside the EEA, UK, and Switzerland. Our DPA terms are available at: https://www.sailpoint.com/legal/customer-agreements/.

The types of data processed through our services include: identification and contact data (e.g., name, email address, title, contact details), employment details (e.g., job title, role, manager), and/or IT information (e.g., entitlements, IP addresses, usage data, cookies data, and geolocation) for the customer’s employees, contractors, and/or (where licensed under the Agreement) the customer’s business partners and/or end-users authorised by the customer. This type of data is typically not of interest to government or law enforcement agencies.

SailPoint discourages and/or prohibits customers from loading sensitive personal data into our products, including special categories of personal data as referenced in Art. 9 GDPR, such as health data, political opinions, religious or philosophical beliefs, trade union membership, race or ethnic origin, sexual orientation, genetic data, biometric data, criminal activity data, or financial account number or tax ID number.

Our products are typically licensed for use in managing the customer’s employees and contractors, in which case only employee and contractor data is processed. Again, this type of data is typically not of interest to government or law enforcement agencies.

Our customers control the types of personal data they provide to us. Our customers determine from whom the data is collected and whether this is done on an automated or voluntary basis. SailPoint will not collect personal data on the customer’s behalf.

Our customer is also solely responsible for determining the legal basis for its data processing. The customer’s legal basis for processing may be legitimate business interests and/or legal requirements. We would not expect customers to process employee data on the basis of consent, but the customer is responsible for that determination.

Consistent with the GDPR’s “data minimization” principle, we limit the collection and transfer of data to that which is necessary in relation to the purposes for which it is processed.

For SailPoint’s SaaS Services, the customer determines the location where the SaaS Services are hosted. SailPoint leverages Amazon Web Services (AWS) or Microsoft Azure for hosting its SaaS solutions. The solutions can be run from any one of several AWS/Azure Regions, based on customer proximity and preference. Although the data in the solutions will physically reside in the chosen location, the customer’s SaaS Services environment will be managed, maintained, and accessed by SailPoint from its relevant locations.

A list of SailPoint’s affiliates as well as third parties who may have access to personal data in connection with the SailPoint’s provision of the services, as well as each of their respective locations, is available at https://www.sailpoint.com/legal/sub-processors/.

SailPoint offers DPAs with its customers to protect transfers of data from the EEA, UK, and/or Switzerland to the U.S. Our DPA incorporates the protections afforded by the EU SCCs. Our DPA is included in our standard terms for EMEA customers and is an option for all other customers where appropriate. Our standard contract terms are available at https://www.sailpoint.com/legal/customer-agreements/.

SailPoint has also conducted a Data Transfer Impact Assessment (DTIA) as required by the SCCs.

SailPoint’s affiliates have also entered into an Intra-group Data Transfer Agreement (IGDTA) with one another, which binds the affiliates to the SCCs in connection with their processing of personal data.

Moreover, where personal data originates from the EEA and is transferred to the United States, SailPoint agrees to comply with the EU-U.S. Privacy Shield Framework and makes an affirmative commitment to adhere to EU-U.S. Privacy Shield Principles. Where personal data originates from Switzerland and is transferred to the United States, SailPoint agrees to comply with all the provisions of the U.S.-Swiss Privacy Shield Framework and makes an affirmative commitment to adhere to the U.S.-Swiss Privacy Shield Principles. SailPoint will continue to comply with these frameworks until a successor framework is available.

SailPoint will not engage a sub-processor unless we enter into a written agreement with the sub-processor imposing data protection terms that require the sub-processor to protect the customer’s personal data to the same standard as SailPoint.

We also require our sub-processors to ensure that they have appropriate technical and organizational measures to protect against and report a personal data breach, appropriate to the harm that might result from such personal data breach, having regard to the state of technological development and the cost of implementing any measures. Such measures may include where appropriate: pseudonymising or encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after a physical or technical incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it.

SailPoint will only retain customer data in the SaaS Services that it processes on behalf of a customer for the duration of the SaaS Services subscription term. Data in the SaaS Services can be downloaded by the customer at any time. Within 30 days of termination or expiration of the SaaS Services, where required, SailPoint will delete all customer data from the SaaS Services unless prohibited by law. Customer data archived on back-up systems will be securely isolated and protected from any further processing.

Yes, SailPoint has appointed a Data Protection Officer who can be reached at [email protected].