Our commitment to data protection
The EU General Data Protection Regulation (GDPR) became effective on 25 May 2018. GDPR contains significant requirements concerning the protection of personal data that impact Sophos and many of our customers. Sophos is committed to complying with GDPR, as we are with all applicable laws and regulations. As a provider of IT security solutions, protecting data and maintaining the trust of those who have provided that data is especially important to us.
Sophos started preparing to comply with GDPR across its worldwide organisation well in advance of 25 May 2018. As part of those efforts, we conducted a readiness assessment of our business and proactively worked to update our policies, documentation, practices, and processes as required. This included measures such as:
- updating our Privacy Policy
- providing training to our workforce on GDPR
- implementing procedures to process requests from data subjects
- undertaking data protection impact assessments
- continuing to invest in and improve our security practices
- ensuring that third parties with whom we share personal data to help provide our services demonstrate an ongoing commitment to GDPR compliance, including by performing security diligence and having appropriate contractual terms in place
Sophos also recognises that maintaining compliance with GDPR is a continual effort, and our GDPR compliance activities are therefore part of our ongoing work.
Commitment to GDPR compliance is driven by a Steering Committee of senior management and functional leaders across the global organisation, including a Data Protection Officer. This is supplemented by an Operational Working Group, whose members work daily on tasks related to GDPR, with support from various external consultants and advisors.
More Information
I NEED A DATA PROCESSING AGREEMENT WITH SOPHOS. DO YOU HAVE ONE?
Yes. If you wish to download and sign our Data Processing Agreement, you can do so using our online signable version.
Please note that Sophos will not sign a DPA with a partner (i.e. distributor or reseller) who is not using any Sophos products. Order data about end customers that partners provide to Sophos is received by Sophos in its capacity as a data controller.
Sophos also requires you to use our standard form DPA rather than a version of the DPA that you supply.
WHAT PERSONAL DATA DO YOU PROCESS AND WHERE DO YOU PROCESS IT?
Please review our Privacy Policy at https://www.sophos.com/en-us/legal/sophos-group-privacy-policy.aspx for detailed information about Sophos' privacy practices, including what data we collect, how we use it, and with whom we share it.
The personal data that we process depends on the specific Sophos products and services that you use, and how you use them.
We encourage you to read our Privacy Policy, but as a convenient summary: we generally collect, as data controller, information that allows us to manage our relationship with you, such as account and licensing management information, customer care information, and billing data.
For our on-premise solutions, any personal data processed by those solutions generally remains with the customer and is not shared with Sophos, except at the discretion of the customer. For example, customers may voluntarily decide to share data with Sophos (as data processor) in connection with a technical support inquiry or receiving other related services from Sophos.
For our cloud-based solutions, we process data (generally as data processor) about the assets you manage through those solutions (e.g. endpoint or network device configuration information), diagnostic and activity logs generated by your use of our cloud-based solutions and any assets you manage through those solutions, information about potential threats detected by our products, and any other information shared with us from such assets.
Many Sophos products can be configured to send data (e.g. files, URLs, emails) about potential security threats to Sophos for further scanning, analysis, and research. In such cases, the nature of the data processed by Sophos depends on what the customer decides to send to us.
Many Sophos products (both on-premise and cloud-based) also send telemetry data to Sophos. Telemetry is usually non-identifying statistical and diagnostic data about product configuration, usage, and performance that allows Sophos to understand how our products are used so we can improve them and fix any problems. To the very limited extent that telemetry includes personal data, Sophos acts as data controller.
Our primary data centres are provided by Amazon Web Services and are located in the European Union and the United States. Customers using our cloud-based solutions may be able to choose which data centre facility their data should be stored in. This choice, if available, is made at the time of account setup and may not be changed afterwards. In addition to these data centres, Sophos processes data from its headquarters in the United Kingdom, and may share data with its affiliates around the world for reasons including customer support, account management, and provision of other services. Sophos affiliates are located in the countries listed at https://www.sophos.com/en-us/company/contact.
WHO ARE YOUR SUB-PROCESSORS, WHAT DO YOU USE THEM FOR, AND WHERE ARE THEY LOCATED?
The sub-processors we use that are relevant to you depend on the specific Sophos products and services that you use.
View our Sub-processor List.