Product Privacy Information

Sophos Home and Sophos Home Premium (consumer products)

Sophos Home and Sophos Home Premium are consumer products that provide antivirus, web filtering, and an advanced next-generation endpoint protection platform offering signatureless exploit prevention, predictive machine learning for malware detection, and advanced protection to help stop malicious threats including zero-day, credential theft, and ransomware.

All purchases of Sophos Home Premium subscriptions are via an independent reseller, Cleverbridge. Cleverbridge is responsible for any data that it collects from you during the purchase process, and you should refer to the Cleverbridge privacy policy for further information about its privacy practices.

In order to use the Sophos Home and Sophos Home Premium products, you will need to install our software onto the devices that you wish to protect. This will require ongoing storage space and processing capacity for product operation. For example, we will need to scan files and web page requests in order to ascertain if they are malicious or not.

As cyber threats are constantly evolving, it is necessary for us to send automatic updates to our software installed on your devices from time to time, in order to maintain the effectiveness of the product. We may also send automatic updates in order to add, remove, or change product features.

Our products will also store a log of the actions they have taken on your device. This log is not accessible to us, but we may request that you download and send this to us where needed for troubleshooting purposes, as described in the ‘Support’ section below.

We store information in our product administration portals in order to provide you with visibility of product performance, including products installed, subscription term, update status, alerts received, threats detected, applications blocked, and websites blocked. These portals are currently hosted in the USA using third party subcontractors, Amazon Web Services and Google Cloud. We will post any future changes or additions to the subcontractors or location of hosting to this page.

Telemetry – our software sends information to us on installation, uninstallation, and at regular intervals in between that enables us to monitor and improve the product performance. This may include personal data such as IP address, username, domain name, URL, device ID, file path, file name, and customer ID.
Look-ups - our software automatically sends data including the URL, file name, file path, size of executable, customer ID, machine ID, and file hash for assessment against our database in order to make better-informed decisions about whether such file is clean or malicious when faced with unknown files (for example files that have not been seen by the software before).
File samples (optional) - if you have enabled the in-product sample sharing feature, then the software may send a copy of your suspicious or malicious file to our engineers automatically for further analysis.
Reporting incorrect categorization (optional) - you may alert us via the dashboard to applications that you believe have been incorrectly identified as malicious or exhibiting malicious behavior. This will send a report to us for analysis including the file path, file name, type of detection, customer ID, thumbprint, and application name.

We may store and use data submitted to our engineers for the purposes of trend analysis, statistics, reporting, ongoing spam and threat detection, troubleshooting, quality control, new product development, and the enhancement of existing products.

Sophos Home includes access to our technical support helpdesk via a link within the product administration portal.  We record details of support requests and our responses in our support management system. Sophos Home support is currently provided by the third party subcontractors Zendesk (USA), SendSafely (USA) and BlueOcean (Canada), and accordingly they may process any data that you share with us for support purposes. We will post any future changes or additions to the subcontractors used for this purpose to this page.

As part of the support process, we may suggest that you download product logs from your device and submit them to us for review. This procedure is optional and only occurs with your consent. If you participate, we will only use the data accessed or shared for the purposes of resolving your reported issue. If you send product logs to us, we recommend that you encrypt them in transit.

Last updated 6 February 2018

Sophos Sandstorm

Sophos Sandstorm is an optional addition to a customer’s existing security solution. If a file received by the customer is executable, or has executable content, and is not downloaded from a safe website, the file is treated as suspicious. The security solution sends the suspicious file hash to Sandstorm to determine if it has been previously analyzed. If the hash has not been seen before, a copy of the suspicious file is sent to Sandstorm. Sandstorm detonates the file and its behaviour is monitored within the Sandstorm environment. Once fully analyzed, Sandstorm passes the threat intelligence to the security solution and the file is delivered to the user’s device or blocked, depending on whether Sandstorm determines that the file is clean or malicious.

If the file is clean, the file is deleted by Sophos. If the file is malicious, the file is retained by Sophos for the legitimate business purpose of malware detection and the development and enhancement of malware detection products.

The Sophos Sandstorm product uses latency-based routing to map the customer data to the appropriate regional data centers for analysis. The customer must configure his device so that a suitable DNS server can be used. Devices configured to use a European DNS server send data to the data center located in the Europe. Devices configured to use a US or APAC DNS server send data to the data center located in the United States of America or APAC.

Where Sophos (i) receives and detonates files in order to determine whether they are clean or malicious, and (ii) has incidental access to the customer’s personal data via the provision of technical support, installation, configuration, training and other consultancy services (if any), Sophos acts as a data processor on behalf of the Customer as data controller.

Where Sophos (i) collects data about the performance of Sandstorm, (ii) retains malicious files for ongoing malware detection and protection, and (iii) collects account management, customer care and billing data to manage its relationship with the Customer, Sophos acts as a data controller.

Last updated 20 June 2018

Sophos Intercept X for Mobile
(formerly Sophos Mobile Security)

When an application is downloaded on a device or the user initiates a check of all installed applications on an Android device, Sophos Intercept X for Mobile sends queries to our cloud infrastructure in order to validate the reputation of the applications. Each query contains a fingerprint generated from the Android application (the APK file) under investigation.

A unique device identifier is also generated locally on each mobile device during installation of Sophos Intercept X for Mobile. We do not associate this identifier with any personal data. Periodically the product sends statistical feedback packets to us, including the unique device identifier and service performance information.

Sophos Intercept X for Mobile does not collect credit card or other payment information from users.

Sophos Mobile

When Sophos Mobile is installed or updated, you may receive Apple push notifications, Google cloud to device messaging for Android, SMS text messages, and other remote communications.

Sophos Mobile will store a list of users and mobile devices, and will record any applications downloaded or modifications made to such devices. Your administrator can also configure Sophos Mobile to track the geographic location of mobile devices and to lock or wipe a mobile device that has been lost or stolen.

Sophos Firewall Products

The Sophos Firewall and Firewall Manager Products may provide us with the below information, which will be used for the purpose of improving product stability, prioritizing feature refinements and enhancing protection.

1. Configuration and Usage Data, including without limitation (i) device model, firmware and license information, such as model, hardware version, vendor, firmware version, and country; (ii) aggregated product usage information, such as product features in use (on/off, count), amount of configured objects, policies, managed devices, groups, templates (iii) CPU, memory, and disk usage information; (iv) product errors; and

2. Application Usage and Threat Data, including without limitation (i) IPS alerts; (ii) virus detected and the URL where the virus was found; (iii) spam; (iv) ATP threats; and (v) applications used and unclassified applications.
   Information about unclassified applications is used to improve and enlarge network visibility and the application control library.

3. Monitoring Threshold Data, includes (i) monitoring threshold values per model; and (ii) alert threshold criteria and values per model.

Monitoring Threshold data is used to improve the default threshold settings and alert criteria included within the product across models.

Configuration and Usage Data does not include user-specific information or personal data and cannot be disabled. Application Usage and Threat Data, and Monitoring Threshold Data collection is enabled by default, but you may disable collection of such data within the product at any time.

Sophos Cloud Optix

Sophos Cloud Optix is a software-as-a-service offering that provides security analytics, best practice and compliance assessment, and DevSecOps capabilities, to help organisations to protect their infrastructure deployments on public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

Signing in with Third Party Services

You may sign up for a Cloud Optix account using a Google account. If you sign up or sign in to your Cloud Optix account using a Google account, Google may send us information such as the name, email address, and profile picture associated with your Google account. This information is controlled through Google‘s services and your Google account settings, and is subject to change by Google.

You can also remove Cloud Optix‘s access to such information from your Google account through your Google account security settings. Please note that this will also disable your ability to sign into Cloud Optix with your Google account.

Last updated 7 March 2019

Sophos Cloud Products

We may directly and remotely communicate with your protected devices for the purposes of, without limitation (i) applying policy and configuration changes to such devices; and (ii) extracting usage information, service performance information, and infection logs. Such communications may include but not be limited to SMS text messages and other push notifications.

You acknowledge and agree that it may be necessary for us to collect and process certain information relating to individuals in order to provide the Cloud products, and that such information may include proprietary, confidential and/or personal data, including without limitation (i) names, email addresses, telephone numbers and other contact details; (ii) account usernames; (iii) IP addresses; (iv) usage information; (v) lists of all software, files, paths and applications installed on the device, (vi) details of changes or attempted changes to executable files, pathnames and scripts, (vii) logs of websites visited; (viii) infection logs; and (ix) files suspected of being infected with malware.

Certain Cloud products may also (at your sole option) enable you to configure the product to (i) track and log the geographic location of devices; (ii) block access to devices; (iii) delete the content of devices; (iv) store text and email messages that were sent and/or received by devices. Such information may also be stored on the device itself and accordingly we recommend that you encrypt your devices.

You warrant that you have obtained all necessary permissions and provided the necessary notifications to share the above information with us for the purposes described. You also acknowledge and agree that it may be necessary under applicable law to inform and/or obtain consent from individuals before you intercept, access, monitor, log, store, transfer, export, block access to, and/or delete their communications. You are solely responsible for compliance with such laws.

Sophos Central

Certain Sophos Central products enable you to choose the location in which your Sophos Central administration portal will be hosted. This selection takes place at the point of installation and cannot be varied at a later date. This selection only applies to the administration portal. Some data returned by the product may also be exported to Sophos‘ global engineering locations for analysis, research, development, and product monitoring purposes.

If you select “Enable Partner Access” in the Settings tab of Sophos Central, your designated third party partner or service provider will be able to access and administer your Sophos services on your behalf. If you do not enable such access, your designated third party partner or service provider will only see high-level reporting information such as Sophos services purchased and current usage information. You may revoke such access at any time by changing the permissions in the Settings tab.

Sophos Anti-Virus for Mac

The Sophos Anti-Virus for Mac Products may provide us with configuration and usage data, including without limitation (i) device model, firmware and license information, such as model and hardware version (ii) CPU, memory, and disk usage information; and (iv) product errors, which will be used for the purpose of improving product stability, prioritizing feature refinements and enhancing protection.