The purpose of this datasheet is to provide Sophos customers with information on how our offerings affect their privacy considerations. In this document, we provide information about Sophos XDR data handling practices, including personal information collection, use and storage.
Sophos XDR is a new offering where critical information from endpoint, server, firewall, email and other Sophos XDR enabled products is stored, accessible and can be queried by customers to streamline threat detection and response workflows. XDR introduces the Sophos Data Lake, where the device and log information is stored. Device and log information is retrieved from the different products at frequent intervals allowing the Sophos Data Lake to be queried to identify suspect events in historical data.
INFORMATION PROCESSED BY SOPHOS XDR
Sophos XDR processes the following types of information:
- IP Addresses
- MAC Addresses
- Processes (where command lines are captured which could contain usernames, passwords, API keys and credentials)
- Browser Addons
- File Hashes
- File Paths
- System Events and Log
- Email addresses
- Email subject data
Customers have the flexibility to define endpoint and server devices which should be excluded from sending data to the Sophos Data Lake.
PURPOSE OF INFORMATION PROCESSED BY SOPHOS XDR
For XDR customers, data stored in the Sophos Data Lake is strictly for a customer’s own use.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos Service Agreement.
Data processed by the Sophos XDR is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
For XDR customers data in the Sophos Data Lake will be stored for a maximum of 30 days. Only customers with access to data in the Sophos Data Lake may perform queries and investigations independently. All customer data will age out of the system upon termination of the service. After this period, the data will be permanently deleted and unrecoverable.
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
The Sophos Data Lake has achieved SOC2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where customer data resides, visit the AWS Security Documentation Center.
OUR COMMITMENT TO PRIVACY
Sophos is committed to complying with data protection rules and protection of personal data processed. Sophos will access data only to enable it to provide the services you have signed up for.
Customers with access to Sophos XDR can query that data using the Live Discover functionality in Sophos Central or via APIs.
Sophos Engineering monitors access and telemetry for planning future roadmap strategy and retirements, product development and enhancement, troubleshooting, generating statistics and reports.
Customer data is anonymized and may be accessed by Sophos Labs or Sophos AI teams for threat research purposes to improve our ability to detect new threats. An exception is file submission of suspicious files that may contain personal information. If these files are convicted as malicious, then they are treated as malware and will be blocked globally going forward. If these files are not convicted and are cleaned, they are permanently deleted within 30 days.
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Sophos XDR Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.