Expel notices

Howdy! Welcome to Expel’s Privacy Center. At Expel, we believe security can’t exist without privacy. We believe transparency is at the heart of what we do and in the security services we provide you. We’d like to make sure you understand your privacy rights and the who, what, when, how, and why we manage and use your personal information.

Security and privacy stuff should be painless, and that’s why we’ve created these privacy artifacts below to ensure you have the information you need. Please take the time to review these painless, yet important, privacy artifacts below.

Cookie Policy

Workbench Privacy Policy

Subprocessors

Expel Online Privacy Policy

Last Updated: November 12, 2025

Expel provides a web-based security platform that businesses use to monitor their network security and react to security issues. We deliver industry leading MDR services built on transparency and trust.

Expel takes privacy seriously and understands that you care about how your personal information is collected and used. This website privacy policy (“Privacy Policy“) explains how Expel (collectively “Expel,” “we“, “us”, or “our“) processes personal information that we collect though our websites (including www.expel.com), through social media, in connection with our events, sales, marketing and other offline activities, when you submit a job application to Expel and through other activities described in this Privacy Policy (collectively, for the purposes of this Privacy Policy, our “Services“). It also tells you how you can exercise your rights and choices with respect to your personal information, and how you can contact us about our privacy practices.

Expel provides Expel Workbench™ (“Workbench”) and certain Managed Detection and Response services via our Security Operations Center. In doing so, we process personal information on behalf of our business customers. For more information about how we process personal information in connection with such services, please refer to our Expel Workbench™ and Services Privacy Policy.

Information We Collect
How We Use Your Information
How We Share Your Information
How We Secure Your Information
How Long We Keep Your Information
International Data Transfers
Your Privacy Rights
Additional Information for California Residents
Children’s Privacy
Updates to this Privacy Policy
Contact Us

1. Information We Collect

The personal information we collect depends on the context of your interactions with Expel and the choices you make, the Services and features you use, your location, and applicable laws, but can include the following:

Information you provide to us

When you use our Services, we may ask you to provide certain personal information. For example, when you navigate our websites, including blogs, online forums and social media platforms, register for an event or webinar, post comments on our blogs, fill out one of our forms, or otherwise communicate with us in any way.

The personal information you may provide may include:

Contact Information, such as your first and last name, email address, mailing address, phone number, country of residence, and state of residence.
Professional Information, such as your employer’s name, address, department or job title, industry and sector, and LinkedIn profile.
Support Information, when you report a problem with the websites, such as information about the problem you are experiencing.
Account log-in credentials, including your username and password.
Communications data, such as feedback on our Services and other communications with us and any queries you raise. If you ever communicate directly with us, we will maintain a record of those.
Marketing data, such as your survey responses, promotions you enter, marketing and communication preferences and your subscription details.
Office Visitor Information. If you visit Expel offices, we’ll collect your name, email address, phone number, and time and date of arrival for physical security purposes.
Events and webinar registration information, such as company name, work email address, job title, registration source, and attendance rate.
Job Applicant Information if you apply for a job at Expel via our website (such as your resume, contact information, desired pay, education, work history, whether you are over the age of 18 and visa status). You also may choose to provide your gender, ethnicity, veteran status, disability status, and links to your website, blog, portfolio, or LinkedIn profile.
Image and Audio Information such as images or audio recordings that may identify you. For example, if you attend an event hosted or sponsored by Expel, we may capture your image and/or voice in any video, photograph, or audio recording taken at the event. We may also record or monitor our telephone or other communications with you, to the extent permitted by applicable law.

Providing your data is optional, but it may be necessary for certain Services, such as to access content (like demos or whitepapers). In such cases, if you do not provide your information, we may not be able to provide you with the requested Services.

Information we collect automatically

We automatically collect certain device and usage information when you use or interact with our websites, emails we send you, or as part of your use of our Services. Collecting this information helps us improve website performance, obtain analytics for internal reporting purposes, and deliver more personalized content and services.

The information we collect automatically includes:

Analytics and usage Information such as your IP address, information about how you interact with our websites (for example, referring web page, pages visited, features used), emails, advertising, content, or other features (for example, when you open a marketing email or click on an embedded link, or if you watch videos on our site.

Online and device information such as your IP address (or proxy server), device ID, browser type and settings, device event information (such as system activity, error reports, operating system, language preferences, device name, and request and referral URLs).

Location information to identify your approximate location (city or regional) based on IP address.

We may collect this information through common internet technologies, such as cookies and tracking technologies (including web beacons), certain information about your equipment, browsing actions, and use patterns. For further information about the types of cookies (and other technologies) we use, why, and how you can control cookies, please see our Cookie Policy.

Information from third parties

We also collect your personal information from other sources, including third parties from whom we have purchased your personal information. For example, we collect personal information from joint marketing partners, recruitment agencies, credit check agencies, lead generation providers (like LinkedIn Sales Navigator, ZoomInfo), event sponsors, public databases, data providers and from job-related social media websites (for example, LinkedIn or Indeed).

This information may include:

Mailing addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), IP addresses, social media profiles, LinkedIn URLs, and custom profiles.
Resumes and background check information.

We also place third party links on our website, including social media features, such as the Facebook “Like” button, and other sharing widgets (“Social Media Features”), and Expel and third-party companies (e.g., social media companies) may receive certain information about you. Your interactions with third party links and Social Media Features are governed by the privacy and user policies of those companies, and we are not responsible for how those companies collect, use, or disclose your information. We encourage you to review their privacy policies.

2. How We Use Your Information:

We collect and process personal information for a variety of purposes. If you are located in the EEA or UK, we need a legal basis to process your information. Our legal basis will depend on the information concerned and the context in which it is processed. We may process your information in order to enter into or perform a contract with you, when Expel or a third party has a legitimate interest in processing your information, when it is necessary to comply with our legal obligations (e.g. to comply with applicable laws or a court order), or with your consent.

Expel may use your personal information to do the following:

Providing the Services. We use personal information to operate and provide our Services and to tailor our Services to your needs and preferences in reliance on our legitimate interests in operating and improving our internal operations, systems and Services, and to provide you with the content, products or services you access and request (e.g., to download content from our website).

Improving and developing the Services. We use data to analyze trends to identify future opportunities for the development, promotion, and improvement of our Services, in reliance on our legitimate interests in developing and improving our Services, or where required, with your consent. For example, we use data, often in a de-identified form, to develop new features, capabilities, or products, improve the user experience, assess capability requirements, and identify customer opportunities.

Providing support. We use personal information to troubleshoot and diagnose problems with our websites and other Services, including to help us provide, improve, and secure the quality of our Services, and to investigate security incidents in reliance on our legitimate interests.

Displaying advertising and data analysis. We use personal information collected through our interactions with you to conduct data analytics, marketing research, advertise to you, provide personalized information about us on and off our websites, and to provide personalized content based on your activities and interests to extent necessary for our legitimate interest in advertising our products and services, or where necessary to the extent you have provided your consent. For these purposes, we may link or combine information about you with other personal information we get from third parties, to help understand your needs and provide you with better and more personalized service or content. You can learn more about targeted ads and your ability to opt out of receiving interest-based ads at https://optout.aboutads.info and https://www.networkadvertising.org/choices.

Sending marketing communications. We use personal information to send promotional communications, including product recommendations and information on new product features about Expel according to your marketing preferences. We also develop and publish marketing materials, for internal and external purposes. We perform this processing as necessary for our legitimate interest in conducting direct marketing, or to the extent you have provided your prior consent. Please see Your Privacy Rights below, to learn how you can control the processing of your personal information by Expel for marketing purposes.

Handling user requests. If you fill out a web form or request support, we use your personal information to perform our contract with you or if we do not have a contract directly with you, in reliance on our legitimate interests in fulfilling your requests and communicating with you.

Registering office visitors. We may process your personal information for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorized access.

Complying with legal obligations. We process your personal information when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws, to the extent this requires the processing or disclosure of personal information to protect our rights, or is necessary for our legitimate interest in protecting against misuse or abuse of our services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.
Processing job applications. We process your personal information if you apply for a job with Expel, to evaluate your application and make hiring decisions, communicate with you and inform you of current and future career opportunities (unless you tell us that you do not want us to keep your details for such purposes), manage and improve our recruiting and hiring processes, or to conduct reference and background checks where required or permitted by applicable local law. We perform this processing to the extent that it is necessary to comply with our legal obligations, for our legitimate interest in assessing the suitability of our candidates and managing our recruiting process, or, where required by applicable law, with your consent.
For our business and commercial purposes. We may use your personal information for other legitimate business purposes in reliance on our legitimate interests, such as to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity, to manage transactional, billing, account management, tax, and administrative matters, to administer and protect Expel and our Services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

3. How We Share Your Information

We may share your personal information with the following categories of recipients:

Our group companies who support data processing services necessary to provide you with our Services or who otherwise process personal information for purposes described in this Privacy Policy.
Third-party business partners, service providers, and authorized third-party agents that provide services to us (for example, providing customer support and marketing communications, providing cloud infrastructure services, and assisting in collecting customer feedback).
Any buyer (and their agents and advisers) in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Any competent law enforcement body, regulator or government agency, court or other third party as necessary to comply with legal process, to protect the rights, property, or safety of Expel, its business partners, you, or others, or as otherwise required by applicable law.
Any other person if we otherwise notify you and you consent to such sharing.

We may also share aggregated or deidentified data with third parties to help us perform analysis and make improvements to our services and business.

If you choose to post comments on any Expel community site or blog, be aware that other users of the blog or community site will see your name, website, and the content of your comments, and may interact with you in response to your comments.

4. How We Secure Your Information

We use appropriate technical and organizational measures to protect your personal information against unauthorized, accidental, or unlawful access, destruction, loss, alteration, disclosure or use. These measures have been implemented taking into account the state of the art of the technology, the cost of implementation, the risks presented by the processing, and the nature of the personal information, with particular care for sensitive data. Only authorized personnel have access to the personal information, and they are obligated to maintain its integrity and confidentiality. Please keep in mind that no transmission of information via the internet is ever 100% secure, and we cannot ensure or warrant the security of any information you transmit to us. We are not responsible for circumvention of any privacy settings or security measures contained on the website.

5. How Long We Keep Your Information

We retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax, or accounting requirements). Where we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.

6. International Data Transfers

Expel is headquartered in the United States with offices, employees, and service providers operating globally. We may transfer your personal information to the United States and other countries where the data protection laws are different from those of your country (and which, in some cases, may not be as protective). Regardless of where your information is processed, we will treat all personal information in accordance with applicable law and this Privacy Policy. Where we transfer personal information to countries or territories outside of the European Economic Area (EEA), Switzerland, and the United Kingdom, which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission or Swiss authorities, or the “adequacy regulations” from the Security of State in the UK. Where the transfer is not subject to an adequacy decision, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy and applicable laws. The safeguards we use to transfer personal information are the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland).

EU-U.S. Data Privacy Framework, U.K. Extension and Swiss-U.S. Data Privacy Framework

Expel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (collectively, “Data Privacy Framework“) as set forth by the U.S. Department of Commerce. Expel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Expel has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the “DPF Principles“), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

If you are located in the EU, UK or Switzerland, you have the right to request access to the personal information that we hold about you and request that we correct, amend or delete your personal information if it is inaccurate or processed in violation of the DPF Principles. We will give you an opportunity to opt out where personal information we control about you is to be disclosed to an independent third party or used for a purpose that is materially different from those set out in this Privacy Policy. If you would like to exercise any of your rights, please contact us via the details provided below.

Expel commits to resolve DPF Principles-related complaints about our collection or use of your personal information. If you have any questions, complaints and/or other concerns regarding our handling of personal information in reliance on the DPF Principles, please first contact us at: privacy@expel.io or via the Expel Privacy Webform. We will investigate and attempt to resolve any DPF Principles-related complaints within 45 days.

In compliance with the Data Privacy Framework, Expel commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs),the UK Information Commissioner’s Office (ICO),the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal information received in reliance on the Data Privacy Framework.

For complaints regarding the Data Privacy Framework not resolved by any of the other mechanisms, under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration.

You may also lodge a complaint with your local data protection authority, with the Data Protection Authority in Ireland, namely the Data Protection Commission, at dpo@dataprotection.ie, the UK Information Commissioner’s Office (ICO), at https://ico.org.uk/, or Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/edoeb/en/home.html.

The U.S. Federal Trade Commission (FTC) has jurisdiction over Expel’s compliance with the DPF Principles. Expel is subject to the investigatory and enforcement powers of the FTC.

In the context of an onward transfer, Expel is responsible for the processing of personal information it receives under the DPF Principles, and subsequently transfers to a third party acting as an agent on our behalf. Expel shall remain liable under the DPF Principles if our agent processes your personal information in a manner inconsistent with the DPF Principles, unless Expel is not responsible for the event giving rise to the damage.

Please note that under certain circumstances, we may be required to disclose your personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

7. Your Privacy Rights

Expel respects you and your data protection rights. Depending on where you live and subject to applicable laws, you may have the following privacy rights over your personal information:

You may access, correct, update, or request deletion of your personal information.
You can object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information (i.e., your data to be transferred in a readable and standardized format).
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. Withdrawing your consent may also mean we are unable to provide you with certain features or functionality of our websites or services to the extent consent is required for the processing of your personal information.
You can opt-out of telemarketing or marketing emails from us at any time. You can exercise this right by clicking on the “unsubscribe” link in the marketing emails we send to you or by contacting us directly via the Expel Privacy Webform.

To exercise any of these privacy rights, please contact us using the details in the “Contact Us” section below or via the Expel Privacy Webform specifying which right you are seeking to exercise. We will respond to all requests in accordance with applicable law. Please note that we may require additional information from you to allow us to confirm your identity and process your request.

You have the right to lodge a complaint with a data protection authority about Expel’s collection and use of your personal information. For more information, please contact your local data protection authority.

8. Additional Information for California Residents

This section applies only to residents of California, USA. The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), requires us to provide California residents with some additional information regarding how we collect, use, and disclose your personal information, and the rights available to California residents under the CCPA. The terms used in this section have the same meaning as in the CCPA.

For information about the types of personal information Expel collects, please refer to section 1. “Information We Collect” of this Privacy Policy. The business and commercial purposes for which we collect personal information are described in section 2. “How We Use Your Information“. The categories of third parties to whom we share personal information for a business purpose are described in section 3. “How We Share Your Information“.

California Privacy Rights

If you are a California resident, you may have the following rights under the CCPA, subject to certain limitations and exceptions under applicable law:

Know and Access: You have the right to request to know and access the following information covering the 12 months preceding your request:

- the categories of personal information we have collected about you;
- the categories of sources from which your personal information was collected;
- the business or commercial purposes for collecting your personal information;
- the categories of third parties to whom we have disclosed your personal information; and
- the specific pieces of personal information we have collected about you.

You have the right to receive your personal information in a portable and commonly used format.

Correct: You have the right to request that we correct any of your personal information that we have collected from you that is inaccurate.
Delete: You have the right to request that we delete certain personal information we have collected from you.
Opt out of “Selling” or “Sharing” your personal information: You have the right to request that a business not “sell” or “share” your personal information with a third party, as those terms are defined under the CCPA. We do not sell personal information as the term “sell” is traditionally understood (i.e. for money), nor do we trade or rent personal information. However, like most websites, our website uses cookies and other similar technologies (as described above in the section “Information we collect automatically“, and in our Cookies Policy), for the purpose of displaying more relevant or targeted advertisements to you if you instruct us to do so. To the extent that such practice constitutes a “sale” or “share” of your personal information under the CCPA, you may opt-out of such “sale” or “share” by adjusting your cookie settings via our cookie banner, or by following the instructions in our Cookies Policy under its section 4. How can you control cookies?
Limit the Use and Disclosure of Your Sensitive Personal Information: We do not use or disclose “sensitive personal information,” as defined by the CCPA. As such, we do not offer an ability to limit the use or disclosure of sensitive personal information.
Non-Discrimination: You have the right to not be discriminated against (e.g., through denying goods or services, or providing a different level or quality of goods or services) for exercising any of your CCPA rights.

Please note that the rights described above are not absolute, and where an exception under applicable law applies, we may be entitled to refuse requests in whole or in part. In California, an authorized agent may submit a rights request on your behalf. We may require an authorized agent to verify their authority to submit a request on your behalf.

To exercise any of the above rights, please contact Expel using the details provided in our ‘Contact Us’ section below or via the Expel Privacy Webform. When contacting us, please provide us with detailed information about the personal information you’re requesting and the timeframe and manner in which you believe we came to collect your personal information. Expel will respond to verified privacy rights requests received from California residents (or their authorized agents) within forty-five (45) days of its receipt. If we require more time, we will inform you in writing of the reason and extension period (up to a total of 90 days).

9. Children’s Privacy

Expel does not knowingly collect personal information relating to children under the age of eighteen (18). If you are under the age of 18, please do not submit any personal information through the Services. If you become aware that a child has provided us with their personal information, please contact us so that Expel can take the necessary steps to remove the personal information.

10. Updates to this Privacy Policy

We may need to update this Privacy Policy from time to time. We will notify you of any material changes to our Privacy Policy by, for example, placing a notice on our website/and or by sending you an email (if you have registered your email details with us) when we are required to do so by applicable law. You’ll be able to see when this Privacy Policy was last updated by checking the “Last Updated” date above. You should consult this Privacy Policy regularly for any changes.

11. Contact Us

Your personal information is controlled by Expel, Inc. If you have any questions or requests about this Privacy Policy, our Services, or how we manage your personal information, please contact us through our Expel Privacy Webform or by contacting:

Expel, Inc.
Attn: Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170
+1 (844) 397-3524

Email: privacy@expel.com

Expel has appointed a Data Protection Officer (DPO), who informs and advises Expel of its obligations pursuant to the EU GDPR and other applicable privacy and data protection laws and regulations. The Expel DPO can be reached at privacy@expel.com.

Last Updated: November 12, 2025

This Cookie Policy explains how Expel uses cookies and similar technologies in the course of our business, including through our website (https://expel.com/) or when providing the Expel Workbench (“Workbench”) and our Managed Detection and Response Services (“Services). It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases, we may use cookies and other tracking technologies described in this Cookie Policy to collect personal information, or to collect information that becomes personal information if we combine it with other information. For more information about how we process your personal information, please view our Website Privacy Policy and Workbench and Services Privacy Policy.

1. What are cookies?

“Cookies” are small data files that uniquely identify your browser or device when you visit a website. When you return to that website (or visit websites that use the same cookies) these websites recognize the cookies and your browsing device. These cookies serve different purposes, for example, they help us run our website more efficiently, generate website analytics, or provide personalized content and advertising.

Cookies can remain on your device for different periods. We may use “session” cookies (which expire once you log out and close your web browser) and “persistent” cookies (which stay on your computer or device until you or your browser deletes them or until they expire).

There are different types of cookies. Cookies set by Expel are called “first party cookies”, and cookies set by other parties are called “third party cookies”. Third party cookies enable third party features or functionality to be provided on our website (e.g., advertising or social media sharing). The parties that set these third-party cookies can recognize your device both when it visits the website in question and also when it visits other websites that have partnered with them.

2. What types of cookies and similar technologies does Expel use?

The tables below set out the types of first- and third-party cookies served through our website and services, including via Workbench, and the purposes they perform. Please be aware that the cookies we may use depend on the website you are visiting or the service you are using and the device, browser or operating system you are using.

Cookies deployed on our site

Type	Description and purpose	Where used
Strictly Necessary Cookies	These cookies are strictly necessary to provide you with the services available through our website. All the strictly necessary cookies are deemed persistent, except for the session cookies set by Cloudflare and WordPress	Cloudflare Marketo OneTrust WordPress
Functional Cookies	These cookies enable our website to provide enhanced functionality and personalization. This includes remembering the choices you make (such as your username, language, or the region you are in), or being able to watch a video. Without these cookies certain functionality may become unavailable on our website.	Github Google Analytics Marketo WordPress
Targeting and Advertising Cookies	These cookies allow us to provide you with relevant content and to understand its effectiveness. We will use this information to build a profile of your interests and show you more relevant advertisements. 6Sense Insights, Inc., provides predictive analytics and account engagement services. It is primarily used for tracking and targeting in marketing automation and advertising. Acuity Platform cookies are used to hold the advertising ID of users on their mobile device and used for tracking user actions. Audience Manager cookies help perform basic functions such as visitor identification, ID synchronization, segmentation, modeling, and reporting. Bing cookies collect anonymous information about how visitors use our site to determine what ads to show on the site that may be relevant to the site visitor perusing the site. Bizible is a marketing attribution software that tracks the performance of marketing efforts and connects them to revenue, primarily used for B2B environments. Doubleclick cookies collects how many times you have seen an ad and, for example, whether you need to see the UK or US version of the ad. Google uses a cookie called ‘NID’ in their browser. When you visit a Google service, the browser sends this cookie with your request. It contains a unique ID where Google remembers your preferences and other information. The LinkedIn cookie typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active Linkedin profile. Marketo acts as a third party cookie provider. The company provides a range of targeted online marketing services. Oktopost cookies are used to record interaction with the okt.to links and web-forms. Reddit cookies may be used for a variety of purposes, including site functionality, personalization, and analytics. Twitter acts as a social networking service for both advertising and tracking our traffic (both for sponsored content [ads] and our organic posts). YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites. Youtube cookies act as a unique identifier to track viewing of videos. ZoomInfo, a business-to-business database software that provides information on sales and marketing for professional recruiters and salespeople.	6sense Acuity Platform Audience Manager (Adobe) Bing (Microsoft) Bizible Doubleclick (Google) Google LinkedIn Marketo Oktopost Reddit Twitter YouTube ZoomInfo
Performance Cookies	These cookies collect information about how visitors and users use our website, including which pages visitors go to most often, if any error messages appear on our website, and which links are most and least clicked on. It also helps us understand how effective our marketing campaigns are or assist in further customizing our website. These cookies collect aggregated information (i.e. information cannot be used to identify a specific visitor or user of our website). Pantheon cookies allow for monitoring the performance of web and mobile applications, including storing cache information. These are deemed to be session cookies. Github cookies are used for a temporary application and framework state between pages (e.g. what step the site user is on in a multiple step form). Google Analytics cookies are used to register a random client identifier that is used to generate statistical data on how the visitor uses the site. Marketo cookies allow the tracking of visitor behavior on our sites, and it links a site visitor to the recipient of an email marketing campaign in order to measure campaign effectiveness. Tracking through Marketo cookies is performed anonymously until a user identifies himself by submitting information via a contact form, etc. Wistia cookies collects anonymized data about users’ engagement with videos on the site. All the information these cookies collect are aggregated and only used to improve how our sites work via website analytics.	Pantheon Github Google Analytics Marketo Wistia

Cookies deployed through the use of Workbench

Type	Description and purpose	Where used
Functional Cookies	Workbench uses cookies to track sessions, e.g. token generated on login and used for authentication when making requests. These cookies are used to enhance the Workbench platform and optimize usability and utility, e.g. to provide consistent user sessions, and provide security. The information collected by these cookies may be anonymized. They also cannot track your browsing activity on other websites.	Workbench Nginx
Performance Cookies	These cookies are used for analytics purposes only (e.g., record Workbench user activity and to report on what pages and features users utilize more or less frequently, etc.).	Gainsight Google Analytics Datadog RUM Mixpanel
Targeting and Advertising Cookies	Bizible is a marketing attribution software that tracks the performance of marketing efforts and connects them to revenue, primarily used for B2B environments.	Bizible

3. Do we use other tracking technologies?

Aside from the cookies listed above, we and our service providers may also use other similar technologies, like “pixel tags” (also known as clear GIFs or web beacons). These are tiny graphic images with unique identifiers that can recognize when a visitor or a user visits our website or opens an email sent by us. They can also analyze web traffic patterns and compile statistics about website usage as well as help us understand whether you came to our website from an online advertisement or post displayed on a third-party website. Whereas cookies are stored on a user’s computer hard drive, pixel tags are embedded invisibly within web pages. In many instances, these technologies are reliant on cookies to function properly, and so declining cookies will often impair their functioning.

4. How can you control cookies?

You have the right to decide whether to accept or reject cookies that are not essential. You can exercise your cookie preferences through our cookie consent tool, which you can access here.

You can also set or amend your web browser controls to accept or refuse cookies. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted. As the means by which you can refuse cookies through your web browser controls vary from browser-to-browser, you should visit your browser’s help menu for more information. The links below provide information on managing cookies within certain browsers:

Some browser settings may allow you to automatically transmit a Do Not Track signal to websites and other online services you visit. We do not currently recognize browser initiated Do Not Track signals. To find out more about Do Not Track, please visit http://www.allaboutdnt.com.

For more information about cookies, visit www.allaboutcookies.org. If you choose to reject cookies, please be aware that some of the features of our websites or services may not function correctly.For example, we may not be able to recognize your computer or mobile device and you may need to log in each time.

Google Analytics

For more information about what you can do to understand how Google safeguards your data, click here. More information on specifics regarding how Google Analytics cookies operate on websites, click here. You can prevent the use of Google Analytics relating to your use of our sites by downloading and installing a browser plugin available here.

Google’s ability to use and share information collected by Google Analytics pertaining to your visits to our website are restricted by the Google Analytics Terms of Use and the Google Privacy Policy.

Internet based advertising

Most advertising networks offer you a way to opt out of interest-based advertising. Please note this does not opt you out of being served advertising and you may continue to receive generic advertisements.

If you would like more information, please visit the Network Advertising Initiative or the Digital Advertising Alliance.

European users can find out relevant information by visiting the European Interactive Digital Advertising Alliance. Please select the country you are based in, and then click “Choices” (or similarly-titled link).

5. How often will we update this Cookie Policy?

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. Please therefore re-visit this Cookie Policy regularly to stay informed about our use of cookies and related technologies.

The date at the top of this Cookie Policy indicates when it was last updated.

6. Where can you get further information?

If you have any questions about our use of cookies or other technologies, please email us at privacy@expel.com or write to us at:

Expel, Inc.
Attn: Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170

Expel Workbench™ and Services Privacy Policy

Last Updated: November 12, 2025

This Expel Workbench™ and Services Privacy Policy (“Privacy Policy”) applies to information that we process in connection with the Expel Workbench™ (“Workbench”) and our Managed Detection and Response services (“Services”) we offer to our business customers (“customers(s)” or “your Organization”).

For details about the personal information we collect via our website (https://www.expel.com), product feedback or surveys, in connection with our events, sales and marketing activities, and when you apply for a job role with Expel, please visit our Expel Website Privacy Policy.

Scope
What personal information we collect, why, and how we use it
How we share your personal information
We go to great lengths to keep personal information safe
Your data privacy rights and choices
Additional Information for California residents
How long we keep personal information
International data transfers
Changes to this privacy policy
Contact Us

1. Scope

Workbench and our Services are intended for use by business customers. If you are a user of Workbench or our Services, this means that in most cases we are collecting and processing your personal information on behalf of your Organization. It’s primarily your Organization, as the controller, that controls what personal information about you that we collect and how we use it.

This Privacy Policy applies to the limited personal information we collect and use for our own purposes as a controller, for example, in connection with user authentication into Workbench and user experience (UX) research.

If you have privacy related questions or concerns about your Organization’s privacy practices or the choices your Organization has made to share your personal information with us, you should refer to your Organization’s privacy policies, and reach out to the individual(s) who manage the Expel vendor relationship/Workbench administrator at your Organization.

If you have any questions about this Privacy Policy, please reach out to our security and privacy team provided under the “Contact Us” section of this policy.

2. Our Privacy Principles

As explained above, when we use personal information to provide Workbench and our Services to our customers, we are acting on their behalf as their service provider and processor. Workbench collects information from our customer’s security products and applications, and that information is used to facilitate the delivery of our Services to our customers, including managing and monitoring the infrastructure and providing support.

However, we also collect and process personal information about our customers’ personnel and end users on our own behalf (as a “controller”) for the purposes described in this section.

2.1 Information we collect

The personal information we collect depends on how you use Workbench and the Services, your location and applicable laws, but can include the following:

Information you provide directly

Contact data such as your name, email address and phone number.
Account data such as your login information (username and password) and authentication information.
Troubleshooting data such as information contained in support requests and which may include the Services you use and other details that help us provide support, such as contact or account data.
Professional data such as your employer name, address, department or job title, and office location.

Information we collect automatically

We may automatically collect certain device and usage information when you use Workbench or our Services. The information we automatically collect includes:

Device and location data such as IP address, browser information, device and network information, and geolocation information.

Usage data ‘such as information about how you use Workbench and our Services including the features you use, your activity and user journey, and any errors encountered.

We may collect this information via cookies and tracking technologies embedded within Workbench and our Services. For more information on how we use cookies and similar tracking technologies and your choices, please see our Cookie Policy.

2.2 How we use your information and legal grounds

We will only use your personal information for a particular purpose where we have a “legal basis” where required by law, as described below.

Processing Activity	Types of Personal Information	Purpose of Processing and Lawful Basis
Account creation and administration on the Expel Workbench	Contact data Account data Professional data	We process this information to allow customers to create accounts and use Workbench in reliance on our legitimate interests in administering and managing your user account, including for transactional billing, account management, tax and other administrative matters.
Sending administrative communications	Contact data Professional data Account data	We process this information to send service-related emails including notifying you about changes to our terms, provide service updates and security feeds, security alerts, and support, onboarding, and administrative messages in reliance on our legitimate interests in administering our services.
Securing Workbench and the Services	Contact data Account data Device data	We use this information for the purposes of maintaining the safety and security of Workbench and our Services, including verifying accounts and activity, investigating suspicious activity and enforcing our terms and policies, in reliance on our legitimate interests in promoting the safety and security of Workbench and our Services and in protecting our rights and the rights of others.
Providing customer support	Contact data Account data Professional data Device data Troubleshooting data	We use this information to troubleshoot and diagnose problems with Workbench and our Services including to help us provide, improve and secure the quality of Workbench and our Services and to investigate security incidents in reliance on our legitimate interests.
UX research and product development and improvement	Device data Usage data	We process this information to derive insights on what features Workbench users may prefer / use more and dislike / use less, to continually enhance the platform and security services in reliance on our legitimate interests to identify usage trends and improve the Services.

3. How we share your personal information

We share your personal information with the following categories of recipients:

- Our affiliates within the Expel group, only to the extent necessary to fulfil the purpose outlined in this Privacy Policy;
- Our third party vendors who we engage to enable us to support Workbench and our Services and product development and improvement activities;
- Our business customers in connection with the provision of Workbench and our Services;
- Any competent law enforcement body, regulator, government agency, court or other third party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person; or
- Any other person with your consent to the disclosure.

4. We go to great lengths to keep personal information safe

We care about the security of personal information, which is why we use appropriate administrative, organizational, technical, and physical measures designed to protect the personal information that we collect and process. For example, Expel employs at various points in our infrastructure logical and physical access controls, encryption, firewalls, intrusion detection and network monitoring, and secure development practices.

Only authorized personnel have access to your personal information, and each Expel employee with access to personal information is obligated to maintain its integrity and confidentiality.

While we follow generally accepted standards to protect personal info, no method of storage or transmission is 100% secure. If you have reason to believe that your interaction with us is no longer secure, you should immediately contact us.

5. Your data privacy rights and choices

Expel respects you and your data protection rights. Depending on where you live and subject to applicable laws, you may have the following privacy rights over your personal information:

You may access, correct, update or request deletion of your personal information.
You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information (i.e., your data to be transferred in a readable and standardized format).
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. Withdrawing your consent may also mean we are unable to provide you with certain features or functionality of Workbench or our Services to the extent consent is required for the processing of your personal information.

If you would like to exercise any of your privacy rights, please submit a privacy request via the Expel Privacy Webform.

Requests submitted via our Expel Privacy Webform, which pertain to personal information we process as a processor on behalf of our customers, will be deferred to the relevant customer.

6. Additional Information for California residents

Expel operates as a Business to Business (“B2B”) security operations company. The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), applies in a B2B context and therefore requires us to provide California residents with some additional information regarding how we collect, use, and disclose your personal information in a B2B context, and the rights available to California residents under the CCPA. The terms used in this section have the same meaning as in the CCPA.

For information about the types of personal information Expel collects, and the purposes for which we collect this information, please refer to section 2, “What personal information we collect, why, and how we use it“. The categories of third parties to whom we disclose or share this information for a business purpose are described in section 3, “How we share your personal information”.

California Privacy Rights

If you are a California resident, you may have the following rights under the CCPA, subject to certain limitations and exceptions under applicable law:

Know and Access: You have the right to request to know and access the following information covering the 12 months preceding your request:
- the categories of personal information we have collected about you;
- the categories of sources from which your personal information was collected;
- the business or commercial purposes for collecting your personal information;
- the categories of third parties to whom we have disclosed your personal information; and
- the specific pieces of personal information we have collected about you.

You have the right to receive your personal information in a portable and commonly used format.

Correct: You have the right to request that we correct any of your personal information that we have collected from you that is inaccurate.
Delete: You have the right to request that we delete certain personal information we have collected from you.
Opt out of “Selling” or “Sharing” your personal information: You have the right to request that a business not “sell” or “share” your personal information with a third party, as those terms are defined under the CCPA. We do not sell personal information as the term “sell” is traditionally understood (i.e. for money), nor do we trade or rent personal information. However, like most websites, our website uses cookies and other similar technologies (as described above in the section “Information we collect automatically”, and in our Cookies Policy), for the purpose of displaying more relevant or targeted advertisements to you if you instruct us to do so. To the extent that such practice constitutes a “sale” or “share” of your personal information under the CCPA, you may opt-out of such “sale” or “share” by adjusting your cookie settings via our cookie banner, or by following the instructions in our Cookies Policy under its section 4, “How can you control cookies?”.
Limit the Use and Disclosure of Your Sensitive Personal Information: We do not use or disclose “sensitive personal information,” as defined by the CCPA. As such, we do not offer an ability to limit the use or disclosure of sensitive personal information.
Non-Discrimination: You have the right to not be discriminated against (e.g., through denying goods or services, or providing a different level or quality of goods or services) for exercising any of your CCPA rights.

7. How long we keep personal information

Where we are processing your personal information on behalf of our customers in order to provide Workbench and our Services, we will retain and delete your personal information in accordance with the relevant customer contract or instructions.

Where we are processing your personal information for our own purposes, we retain the personal information where we have an ongoing legitimate business need to do so.

When personal information is no longer needed, we follow industry leading standards with the secure deletion, destruction, and anonymization of personal information, depending on what method is systematically and procedurally possible, most secure, and what our related retention practices are.

8. International data transfers

Expel is headquartered in the United States, with employees globally. Our third party vendors and partners also operate globally. This means that personal information may be transferred, stored, and processed by us or our third party vendors outside of the country in which you are based. These countries may have data protection laws and regulations that are different to those of your country (and, in some cases, may not be as protective).

Expel only permits cross border (“international”) transfers of personal information where such transfers are supported by an appropriate legal agreement or transfer mechanism that ensures sufficient safeguards and protection for the personal information.

Where we transfer personal information to countries or territories outside of the European Economic Area (“EEA”), Switzerland, and the United Kingdom, which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission or Swiss authorities, or the “adequacy regulations” from the Security of State in the UK. Where the transfer is not subject to an adequacy decision, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Policy and applicable laws. The safeguards we use to transfer personal information are the European Commission’s Standard Contractual Clauses (and similar measures in the UK and Switzerland).

EU-U.S. Data Privacy Framework, U.K. Extension and Swiss-U.S. Data Privacy Framework

The U.S. Federal Trade Commission (FTC) has jurisdiction over Expel’s compliance with the DPF Principles. Expel is subject to the investigatory and enforcement powers of the FTC.

In the context of an onward transfer, Expel is responsible for the processing of personal information it receives under DPF Principles, and subsequently transfers to a third party acting as an agent on our behalf. Expel shall remain liable under the DPF Principles if our agent processes your personal information in a manner inconsistent with the DPF Principles, unless Expel is not responsible for the event giving rise to the damage.

9. Changes to this privacy policy

We may update this Privacy Policy from time to time. We’ll notify you of any substantive changes to our Privacy Policy by, for example, placing a notice on our site/and or by sending you an email (if you have registered your email details with us) when we are required to do so by applicable law. You’ll be able to see when this Privacy Policy was last updated by checking the “Last Updated” date above. You should consult this Privacy Policy regularly for any changes.

10. Contact Us

Expel, Inc.
Attn: Security and Privacy Team
12950 Worldgate Dr.
Ste 200
Herndon, VA 20170
+1 (844) 397-3524

Email: privacy@expel.com

Expel Subprocessors

Updated: November 18, 2025

In the spirit of transparency and in compliance with applicable data protection laws, we would like to provide you with a current list of our subprocessors for the managed detection and security services we provide. To support the delivery of the services (e.g. infrastructure, customer support, communication services), Expel may provide limited access to personal information to the following subprocessors.

We take a risk based approach within our third party security and privacy assessment practices to ensure these subprocessors have sufficient mechanisms and safeguards in place to protect your personal data.

If you have any questions regarding this list please email us at privacy@expel.com.

Subprocessor	Activity	Hosting Location
Amazon Web Services	Cloud Infrastructure, Data Analytics	United States
Anthropic	AI Business Intelligence and Analytics	United States
Clearbit	Data Enrichment Services	United States
Courier	Customer Notification Management	United States
Cube Dev	Metrics Centralizing Platform	United States
DataDog	System processing monitoring and metrics	United States
Elastic	Application search capability and visualization	United States
Fastly	Signal Sciences Web Application Firewall for Workbench	United States
Foqal	Customer Notification Management	United States
Functional Software, Inc. (Sentry)	Application monitoring and error tracking	United States
Google	Cloud Infrastructure, Data Hosting, Office Productivity, Business Intelligence and Analytics, and Data Analytics	United States
Hex.Tech	Jupyter Notebooks Management and Analytics	United States
Mailgun	Email solution	United States
Metron Security, LLC	Contracting Services for development of integrations with third-party security technologies	India
Pagerduty	Notification services for legacy customers	United States
Slack	Messaging platform to deliver Expel Services	United States
SoftServe Enterprises Limited	Contracting Services for development of integrations with third-party security technologies	Poland, Bulgaria, Romania
Solarwinds	Log Aggregation	United States
SumoLogic	Cloud data analytics (security, operations, business intelligence)	United States
VMRay	Email analysis application	United States
Zendesk	Ticketing and support	United States