The purpose of this datasheet is to provide Sophos customers with information on how your privacy choices can be tailored with our offerings. In this document, we provide information about the Sophos UTM data handling practices, including personal information collection, use and storage.
Sophos UTM provides the ultimate network security package with everything the customer needs in a single modular appliance. It simplifies your IT security without the complexity of multiple point solutions. The intuitive interface will help you quickly create policies to control security risks. And clear, detailed reports will give you the insight you need to improve your network performance and protection.
Sophos UTM interfaces with other Sophos components/ products including:
- Sophos UTM Manager (SUM)
- Sophos Adaptive Learning – Telemetry services
- SophosLabs Intelix (Sandstorm)
- Sophos Support servicesAccess Proxy for UTM (Remote support tool)
- RED provisioning server
- Up2date server
- Error reporting service (AWS deployments only)
Information Processed by Sophos UTM
Sophos processes the following types of information in Sophos UTM:
- Data about authenticated users, including
- Group membership
- Email address
- Data about traffic on protected networks
- Domains, hostnames and URLs of web traffic
- Source and destination IP Addresses
- Source and destination email addresses
- Email content (for quarantine purposes)
- System Events and Logs
- Customer ID
- Machine ID
- Access ID
- System ID
- RED device serial number
- WAN IP
Purpose of Information Processed by the Sophos UTM
Information processed by the UTM is primarily stored on the UTM itself.
Exceptions to this include:
- Sandstorm, where files that require analysis are sent to SophosLabs Intelix.
- URL categorization, where selected URLs or parts of URLs are sent to SophosLabs SXL services for categorization
- Telemetry from individual devices - this is an optional feature and can be turned off in the product configuration. This includes:
- Anonymous telemetry data about the configuration of the UTM. This is used to help us prioritize our development and support efforts.
- Application accuracy data about IPS and application classification which may be sent to SophosLabs to improve IPS detection.
- Reports regarding system errors that occur, that allow us to identify potential product issues before they become more serious
- Where you configure the device to use external logging or monitoring services such as syslog of IPFIX
Data submitted to SophosLabs services is handled in accordance with the SophosLabs Information Security policy (https://www.sophos.com/en-us/legal/sophoslabs-information-security-policy).
Data shared with some Sophos services may be handled by sub-processors. See the relevant documents for those services. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Retention policies for data stored on the UTM can be configured by the customer.
Logs for updating services and individual telemetry reports sent by UTMs are retained as long as we have a legitimate business need to keep them (e.g. to allow investigation of service problems) and are securely destroyed when no longer required. Anonymized summaries may be kept for longer periods
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
Our Commitment to Privacy
Sophos is committed to complying with data protection rules and protection of personal data it processes on its platform. Unless otherwise stated, Sophos will access data only to enable it to provide the services you have signed up for, to enhance features and services that bring benefits to the customer and for R&D innovation of future capabilities.
Customers can manage access to their UTM through the UTM’s WebAdmin console or the command-line interface. Sophos recommends use of multi-factor authentication for all Administrator accounts.
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.