.png?width=1024&quality=80&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000)
Transfers of Personal Data
This page sets out Sophos’ approach to Transfers of Personal Data, including where this occurs across international borders.
Our approach to data transfers
Sophos recognizes that data transfers are an essential part of our products and services and our goal is to ensure these continue to be as secure as possible. In the use of some of our products as well as in our technical support and corporate operations, it may be necessary to transfer some personal data from our customers, partners, and end users to Sophos. It may also be necessary to transfer some personal data from Sophos to third parties. Wherever a transfer of data is necessary, we employ a range of measures to ensure that such transfers are secure and safe to maintain the integrity, accuracy, and confidentiality of that data. In some of these transfers, Sophos acts as a Data Controller, while in others we act as a Data Processor.
Personal data transfers at Sophos are governed wherever possible by a Data Processing Agreement (DPA).
Our Data Processing Agreement (DPA)
This agreement is modelled on industry standards and is kept up to date with the latest changes in legislation across the globe. It sets out the obligations for both Sophos and the other party and describes the protections in place for that data. Where international data transfers occur, relevant additional provisions, such as the EU Standard Contractual Clauses (EU SCCs) are included and entered into by both parties. View the DPA.
International Transfers
Sophos is a UK-headquartered company but operates across the globe. As a result, some international transfers of data may be required as part of our products, services, and corporate operations. This may even occur when the product data is hosted in the same country as the customer.
Sophos' approach is that the Sophos contracting entity is the initial recipient of personal data from the customer. Typically, this will mean that the Sophos UK entity will be the initial recipient of data from the customer.
Where customers are located in the United States of America, Canada or Latin America, the Sophos contracting entity and initial recipient of personal data is Sophos Technology Limited.
Where customers are located anywhere else in the world, the Sophos contracting entity and initial recipient of personal data is Sophos Limited.
European customers will therefore export personal data to Sophos Limited, with the UK covered by an EU adequacy decision.
From the UK, Sophos Limited may transfer personal data to other Sophos affiliates including the USA (Sophos Inc). For example, if Sophos Limited transferred personal data to its US affiliate, this will make Sophos Limited the exporter and Sophos Inc the importer with respect to this international transfer. This transfer is covered by the Intra-group Data Transfer Agreement.
Sophos Limited is also the entity responsible for carrying out the processing operations for Sophos Technology Limited.
Sophos has also conducted a Transfer Impact Assessment (TIA) to assess the risks associated with transferring data to the USA and other ‘non-adequate’ territories. Our TIA can be accessed here.
Simplified representation of Sophos International Transfers
When contracting with Sophos Limited

*See our Sub-processor’ list here
When contracting with Sophos Technology Limited

*See our Sub-processor’ list here