Sophos Group Privacy Policy

This document was last updated on 19 November 2013.

General

This is the privacy policy of Sophos Limited and its subsidiaries.

We are committed to safeguarding the privacy of your personal data. Please read the following privacy policy to understand how we collect and use your personal data, for example when you contact us, visit one of our websites (each a “Site”), apply for a job, or use our products and services.

Whenever you give us personal data, you are consenting to its collection and use in accordance with this privacy policy.

What personal data do we collect?

We may collect personal data such as your name, company position, address, telephone number, mobile number, fax number, email address, credit card details, age, IP address, and account usernames.

How do you use my personal data?

If you provide personal data to us, we will collect that information and use it for the purposes for which you have provided it and in accordance with this privacy policy.

Browsing our Site

Every time you connect to the Site, we store a log of your visit that shows the unique number your machine uses when it is connected to the Internet - its IP address. This tells us what your machine has looked at, whether the page request was successful or not and which browser your machine used to view the pages. This data is used for statistical purposes as well as to help customize the user experience as you browse the Site and subsequently interact with Sophos and our partners. This helps us to understand which areas of the Site are of particular interest, which pages are not being requested, and how many people are visiting the Site in total. It also helps us and our partners to determine which products and services may be of specific interest to you. We may attempt to contact you through these details if necessary, including, without limitation, when you are using the wrong paths to access the Site or are breaching restrictions on the use of the Site. We may also use this information to block IP addresses where there is a breach of the Terms and Conditions for use of the Site.

Cookies

A cookie is a piece of text that gets entered into the memory of your browser by a website, allowing the website to store information on your machine and later retrieve it. Some of our pages use cookies so that we can distinguish you from other users and better serve you when you return to the Site. Cookies also enable us to track and target the interests of our users to enhance the onsite experience. For information about the cookies that we use, please refer to the Cookie Information page on the relevant Site.

Job applicants

If you are making a job application or inquiry, you may provide us with a copy of your CV or other relevant information. We may use this information for the purpose of considering your application or inquiry. Except when you explicitly request otherwise, we may keep this information on file for future reference.

Partner portal

Our resellers and distributors may visit our partner portal Site. We may use the customer and prospect information provided on that Site in order to provide the products and services.

Providing products and services

If you purchase or use our products or services, we may use your personal data for purposes which include but are not limited to:

  • verifying your credentials,
  • carrying out end user compliance checks for export control purposes,
  • issuing virus information alerts and other alert messages,
  • providing training sessions for which you have registered,
  • providing maintenance and technical support,
  • providing information about product upgrades, updates and renewals,
  • generating logs, statistics and reports on service usage, service performance and malware infection,
  • developing and enhancing products, services, and our infrastructure,
  • processing orders and generating billing information.

Certain products and services may include features that collect additional personal data for other purposes, as described below. For detailed information, please also refer to the applicable product or service description.

Sophos Mobile Security
When an application is downloaded on a device or the user initiates a check of all installed applications on an Android device, Sophos Mobile Security sends queries to our cloud infrastructure in order to validate the reputation of the applications. Each query contains a fingerprint generated from the Android application (the APK file) under investigation.

A unique device identifier is also generated locally on each mobile device during installation of Sophos Mobile Security. We do not associate this identifier with any personal data. Periodically the product sends statistical feedback packets to us, including the unique device identifier and service performance information.

Mail Archiving Service
The Mail Archiving Service stores a copy of emails sent and received by you, in accordance with the retention policies established by your administrator. In the event that your emails include sensitive personal data, you expressly provide your consent for us to store such data. Your administrator may conduct searches and retrieve emails from the archive. The archive is encrypted and logically separated from the archives of our other customers. Your administrator can request that the archive is stored in either the USA or the European Economic Area (“EEA).

Your administrator may ask us to download and return the contents of the email archive at any time, subject to payment of the applicable fees specified in our then current price list. The contents of the email archive will be permanently deleted within approximately six weeks of expiry/termination of the service or the return of the data (if applicable).

Sophos Mobile Control
When Sophos Mobile Control is installed or updated, you may receive Apple push notifications, Google cloud to device messaging for Android, SMS text messages, and other remote communications.

Sophos Mobile Control will store a list of users and mobile devices, and will record any applications downloaded or modifications made to such devices. Your administrator can also configure Sophos Mobile Control to track the geographic location of mobile devices and to lock or wipe a mobile device that has been lost or stolen.

Sophos Cloud Portal

If you select “Enable Partner Access” in the Settings tab of your Sophos Cloud portal, your designated third party partner or service provider will be able to access and administer your Sophos Cloud services on your behalf. If you do not enable such access, your designated third party partner or service provider will only see high-level reporting information such as Sophos Cloud services purchased and current usage information. You may revoke such access at any time by changing the permissions in the Settings tab.

Market research

If you participate in surveys, we may use your personal data to carry out market research. This research is conducted for our internal business and training purposes and will improve our understanding of our users’ demographics, interests and behaviour. This research is compiled and analysed on an aggregated basis and therefore does not individually identify any user.

Marketing and promotions

We (or our resellers or other selected third parties acting on our behalf) may contact you from time to time in order to provide you with information about products and services that may be of interest to you. All marketing emails that we send to you will follow the email guidelines described below. You have the right to ask us not to process your personal data for marketing purposes, but if you do so, we may need to share your contact information with third parties for the limited purpose of ensuring that you do not receive marketing communications from them on our behalf.

Email communications

We adhere to the following guidelines in relation to our email communications:

  • emails will clearly identify us as the sender,
  • emails will include our physical postal address,
  • emails sent to you for marketing purposes will include an option to unsubscribe from future email messages,
  • you may unsubscribe from all mailing lists, with the exception of any emails regarding legal notices, invoicing, product updates, upgrades or license renewals,
  • any third parties who send emails on our behalf will be required to comply with legislative requirements on unsolicited emails and the use of personal data.

We send emails from a number of different domains in both plain text and HTML email formats. Emails are usually sent using sender email addresses at:
@sophos.com
@email.sophos.com
@sophos.de
@sophos.fr
@sophos.co.jp
@sophos.it
@sophos.au
@sophos.com.au
@astaro.com
@astaro.de
@utimaco.com
@dialogs.de

Emails offering software downloads or free product trials will usually link to web pages on www.sophos.com or www.web.sophos.com. If you receive an email which claims to come from us but does not use these domains, or if you are suspicious that an email may not be approved by us, then please send a copy of the email to customerservice@sophos.com so we can investigate.

We have published best practice guidelines to help internet users learn how to avoid phishing emails at http://www.sophos.com/security/best-practice/phishing.html.

With whom might we share your personal data?

As a global company, we have international sites and users all over the world. When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the EEA.

We may also pass your personal data to suppliers, service providers, subcontractors, agents, distributors, resellers and other partners, some of whom may be located outside the EEA, in order to provide you with the information, products and services that you requested or otherwise for the purposes described in this privacy policy.

In the event that we receive requests from government departments, agencies or other official bodies, we will only disclose your information if and to the extent that we believe we are legally required to do so (for example upon receipt of a court order, warrant, subpoena or equivalent).

Except as set out above, we will not disclose your personal data save where we need to do so in order to enforce our rights.

Whenever we share personal data, we take all reasonable steps to ensure that it is treated securely and in accordance with this privacy policy.

Links

This privacy policy applies to personal data collected by us. If an email or Site contains links to a third party site, please be aware that we are not responsible for the content or privacy practices of such site. We encourage our users to be aware when they leave our Site, and to read the privacy policy of other sites that collect personal data.

Security

We endeavour to hold all personal data securely in accordance with our internal security procedures and applicable law.

Unfortunately, no data transmission over the Internet or any other network can be guaranteed as 100% secure. As a result, while we strive to protect your personal data, we cannot ensure and do not warrant the security of any information you transmit to us, and this information is transmitted at your own risk.

If you have been given log-in details to provide you with access to certain parts of our Site (for example our partner portal), you are responsible for keeping those details confidential.

Contact

This is the website of Sophos Limited a company registered in England and Wales under company number 2096520 whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, United Kingdom and whose VAT registration number is 991 2418 08.

If you want to request any information about your personal data or believe that we are holding incorrect personal data on you, please contact customerservice@sophos.com. It is possible to obtain a copy of the information that we hold on you. A nominal charge of £10 is made to cover administrative costs involved.

Notification of changes

This privacy policy was last updated on 19 November 2013. We reserve the right to amend or vary this policy at any time and the revised policy will apply from the date posted on the Site. You accept that by doing this, we have provided you with sufficient notice of the amendment or variation.