The purpose of this datasheet is to provide Sophos customers with information on how your privacy choices can be tailored with our offerings. In this document, we provide information about the Sophos AV data handling practices, including personal information collection, use and storage.
Sophos Anti-Virus comprises a suite of components providing anti-virus protection as well as malicious traffic detection and memory-resident threat detection.
Information Processed by Sophos AV
Sophos may process the following types of customer information in Sophos AV:
- Endpoint ID
- Customer ID
- Computer ID
- Computer Name
- User ID
- Domain names
- File Names
- File Paths
- Hardware serial number
- IP Address
- MAC address
Purpose of Information Processed by the Sophos AV
Information processed by Sophos AV is available to the customer in Sophos Central. Data remains stored on the customer environment and only data shared with Sophos is available to Sophos.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos Service Agreement.
Sophos may also use the information the information processed to:
- monitor the effectiveness of the product
- plan future roadmap strategy and retirements
- develop and enhance Sophos products
- to generate statistics and reports
Data processed by Sophos AV is hosted in AWS data centers in the region(s) available to the customer for the selected products/ components. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
- Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected. Telemetry data are purged after 30 days.
Other data retention policy is set by the specific products and/ or components purchased by the customer.
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
Sophos Central has achieved SOC2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where Sophos AV data resides, visit the AWS Security Documentation Center.
Our Commitment to Privacy
Sophos is committed to complying with data protection rules and protection of personal data it processes on its platform. Unless otherwise stated, Sophos will access data only to enable it to provide the services you have signed up for, to enhance features and services that bring benefits to the customer and for R&D innovation of future capabilities.
Customers with Sophos AV can access their configuration in Sophos Central. Multi-factor authentication (MFA) must be enabled for all administrators of a Sophos Central account.
Customers may also assign pre-defined administrative roles to administrators that can restrict access to sensitive log data as well as restrict them from making changes to settings and configurations.
Sophos may access customer account on Sophos Central for purposes of providing technical support. Specific services may also require access to customer account as detailed in the applicable EULA.
Sophos Labs or Sophos AI teams may access the data for analysis, threat detection and for continuous evolution of products and new threat detections. An exception is file submission of suspicious files that may contain personal information. If these files are convicted as malicious, then they are treated as malware and will be blocked globally going forward. If these files are not convicted and are cleaned, they are permanently deleted within 30 days.
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.