The purpose of this datasheet is to provide Sophos customers with information on how your privacy choices can be tailored with our offerings. In this document, we provide information about the Sophos Firewall data handling practices, including personal information collection, use and storage.
SFOS (Sophos Firewall Operating System) is a purpose-built operating system that is the software foundation of Sophos XG firewall. Sophos Firewall’s Xstream architecture protects your network from the latest threats while accelerating your important SaaS, SD-WAN, and cloud application traffic. Sophos Firewall offers extensive feature sets that enable organization of all sizes to deploy the security gateway setup that best suits their environment.
Sophos Firewall interfaces with other Sophos firewall components/ products including:
- Labs SXL (cloud lookup) services
- Sophos Intercept X endpoint
- Sophos Cloud Firewall Manager (CFM)
- Sophos Firewall Reporting (CFR)
- Sophos Firewall Manager (SFM)
- Sophos iView 2
- Sophos Labs Analysis Platform (Sandstorm)
Information Processed by Sophos Firewall
Sophos processes the following types of information in Sophos Firewall:
- IP Addresses
- Firewall Hostname
- System Events and Log
- Customer ID
- Machine ID
- Filename/ content
Purpose of Information Processed by the Sophos Firewall
Information processed by Sophos Firewall including firewall configuration is available to the customer in Sophos Central. Firewall rules are set by the customer administrator and can be based on the source IP address.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos Service Agreement.
Data processed by Sophos Firewall is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected. For periphery products such as CFM/ CFR, the data retention policy is set by the specific products and/ or licenses purchased by the customer.
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
Sophos Central has achieved SOC2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where Sophos Firewall data resides, visit the AWS Security Documentation Center.
Our Commitment to Privacy
Sophos is committed to complying with data protection rules and protection of personal data it processes on the platform. Unless otherwise stated, Sophos will access data only to enable it to provide the services you have signed up for, to enhance features and services that bring benefits to the customer and for R&D innovation of future capabilities.
Customers with Sophos Firewall can access their configuration in Sophos Central. Multi-factor authentication (MFA) must be enabled for all administrators of a Sophos Central account.
Customers may also assign pre-defined administrative roles to administrators that can restrict access to sensitive log data as well as restrict them from making changes to settings and configurations.
Customer may enable access to its firewall to enable Sophos to troubleshoot specific cases. Sophos may collect data for:
- diagnostics: Remote Diagnostics telemetry is used to collect information that helps measure product quality, and support impact.
- business Intel and analytics: To understand how the product is used and to improve the product.
IPS and application classification details may be sent to SophosLabs to improve the IPS detection. This is an optional feature and can be turned off from the product. Information sent to SophosLabs or Sophos AI teams may be used for analysis, threat detection, for continuous evolution of products and new threat detections. An exception is file submission of suspicious files that may contain personal information. If these files are convicted as malicious, then they are treated as malware and will be blocked globally going forward. If these files are not convicted and are cleaned, they are permanently deleted within 30 days.
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.