The purpose of this datasheet is to provide Sophos customers with information on how your privacy choices can be tailored with our offerings. In this document, we provide information about the Sophos Central data handling practices, including personal information collection, use and storage.
Sophos Central is the unified console for managing Sophos products. Sophos Central lets you administer protection across network and endpoint to cloud security.
INFORMATION PROCESSED BY SOPHOS CENTRAL
Customers have access to Sophos Central which stores customer data processed by Sophos products including:
- IP Addresses
- MAC Addresses
- Processes (where command lines are captured which could contain usernames, passwords, API keys and credentials)
- Browser Addons
- File Hashes
- File Paths
- System Events and Logs
- Email addresses
- Email subject data
- Customer ID
- Machine ID
- Filename/content (if manually submitted or automatic file submission is enabled)
PURPOSE OF INFORMATION PROCESSED BY SOPHOS CENTRAL
Data stored in Sophos Central is processed for the benefit of the customer and analysed for the purposes of Sophos threat detection and response, reporting, customer-side analysis, and future innovation.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos Service Agreement.
Data processed by Sophos Central is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected. Sophos Central applies a 90-day retention period for time series data such as events, alerts and audit logs. Other data retention policies are set by the specific products and/or licenses purchased by the customer.
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
Sophos Central has achieved SOC2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where Sophos Central data resides, visit the AWS Security Documentation Center.
Further information on how Sophos Central protects your data is available at https://docs.sophos.com/central/Framework/security-framework/central/Framework/concepts/SophosCentralPlatform.html
OUR COMMITMENT TO PRIVACY
Sophos is committed to complying with data protection rules and protection of personal data processed on the platform. Unless otherwise stated, Sophos will access data to enable it to provide the services you have signed up for, to enhance features and services that bring benefits to the customer and for R&D innovation of future capabilities.
Customers with Sophos Central can access their account and product information in Sophos Central. Multi-factor authentication (MFA) must be enabled for all administrators of a Sophos Central account.
Customers may also assign pre-defined administrative roles to administrators; these roles can restrict access to sensitive log data and prevent administrators from making changes to settings and configurations.
Customers can use Live Protection to check the latest threat information from SophosLabs online and automatically submit malware samples to SophosLabs.
Sophos may access a customer's account on Sophos Central for the purpose of providing technical support. Specific services may also require access to the customer's account, as detailed in the applicable EULA.
SophosLabs or Sophos AI teams may access the data for analysis, threat detection and for the continuous evolution of products and new threat detections. Suspicious files that are submitted to Sophos may contain personal information. If these files are convicted as malicious, they are treated as malware and will be blocked globally going forward. If these files are not convicted and are cleaned, they are permanently deleted within 30 days.
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.