This page sets out Sophos’ approach to Transfers of Personal Data, including where this occurs across international borders.
Our approach to data transfers
Sophos recognizes that data transfers are an essential part of our products and services and our goal is to ensure these continue to be as secure as possible. In the use of some of our products as well as in our technical support and corporate operations, it may be necessary to transfer some personal data from our customers, partners, and end users to Sophos. It may also be necessary to transfer some personal data from Sophos to third parties. Wherever a transfer of data is necessary, we employ a range of measures to ensure that such transfers are secure and safe to maintain the integrity, accuracy, and confidentiality of that data. In some of these transfers, Sophos acts as a Data Controller, while in others we act as a Data Processor.
Personal data transfers at Sophos are governed wherever possible by a Data Processing Agreement (DPA).
Our Data Processing Agreement (DPA)
This agreement is modelled on industry standards and is kept up to date with the latest changes in legislation across the globe. It sets out the obligations for both Sophos and the other party and describes the protections in place for that data. Where international data transfers occur, relevant additional provisions such as the EU Standard Contractual Clauses (EU SCCs) are included and entered into by both parties. (See International Transfers).
We offer two types of DPA: one is incorporated by reference into the Main Agreement as an addendum to that agreement, and a separate signable version is also available.
International Transfers
Sophos is a UK-headquartered company but operates across the globe. As a result, some international transfers of data may be required as part of our products, services, and corporate operations. This may even occur when the product data is hosted in the same country as the customer.
Sophos' approach is that the Sophos contracting entity is the initial recipient of personal data from the customer, vendor, or other body (third party). Typically, this means that the Sophos UK entity (Sophos Limited) is the initial recipient of data from the third party. European third parties export personal data to Sophos Limited, with the UK covered by an EU adequacy decision.
From the UK, Sophos Limited may transfer personal data to other Sophos entities, including in the USA (Sophos Inc). For example, if Sophos Limited processes personal data in its US entity, this makes Sophos Limited the exporter and Sophos Inc the importer with respect to this international transfer. Because the importer is not in a country with an adequacy decision, the EU and UK SCCs are incorporated as standard into our DPA. Sophos has also conducted a Transfer Impact Assessment (TIA) to assess the risks associated with transferring data to the USA and other ‘non-adequate’ territories.
Our TIA can be accessed here.
[Figure: Representation of Sophos International Transfers. *may occur in some situations]