The purpose of this datasheet is to provide Sophos customers with information on how our offerings affect their privacy considerations. In this document, we provide information about Sophos Email & Phish Threat data handling practices, including personal information collection, use and storage.
Product Summary
This privacy data sheet applies to Email & Phish Threat products. Sophos Email protects your company’s information and people against malicious email threats, including phishing, business email compromise, and ransomware attacks. Sophos Phish Threat educates and tests your end users through automated attack simulations, quality security awareness training, and actionable reporting metrics.
Information Processed by Sophos Email & Phish Threat
Sophos Email & Phish Threat processes email metadata that includes the following types of information:
- Usernames
- IP Addresses
- Email headers
- Applications
- Browser Addons
- File Hashes
- File Paths
- Fully Qualified Domain names
- Hostnames
- Ports
- System Events and Logs
- URLs
- Click record on rewritten URLs
- Email addresses
- Email subject data
- Complete Email messages in some cases (deleted after 30 days)
Purpose of Information Processed by Sophos Email & Phish Threat
Sophos Email & Phish Threat processes personal information to stop malware from reaching your inbox, and Sophos Email uses the email metadata for the following purposes (the list is not exhaustive):
- To confirm if it is a valid recipient.
- To check if the recipient has blocked or allowed a sender.
- To configure email policies specific to recipients.
- To quarantine potentially malicious emails based on the customer admin’s configuration.
- To give the admins the ability to release the email to the intended recipients.
- To perform specific tasks such as VIP Impersonation detection.
- To populate specific reports including message history, at-risk users, license usage.
- To populate the quarantine list.
- To support discovery via XDR.
- To send simulated phish emails and training links to the end users.
- To record ‘caught rate’ on simulated phishing campaigns.
Sophos may analyze and process data for the benefit of the customer resulting in threat detection and response, and future innovation.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos End User Terms of Use.
Sub-processors
Data processed by Sophos Email & Phish Threat is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Sophos may engage other sub-processors as set forth in the Sub-processor list.
Retention
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
Sophos Email data is stored for up to 365 days, unless such data is needed in order for Sophos to provide the services to the customer.
Sophos Phish Threat data may be retained indefinitely by the customer to use such products and services, including without limitation to assess performance of campaigns and users over time. The customer may delete Phish Threat data and such deletion will be reflected in the Sophos product accordingly.
Security
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
Sophos data centres have achieved SOC2 Type II certification to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where customer data resides, visit the AWS Security Documentation Center.
Our Commitment to Privacy
Sophos is committed to complying with data protection rules and protection of personal data processed by Sophos Email & Phish Threat. Sophos will access data to enhance features and services that bring benefits to the customer, and for R&D innovation of future capabilities.
For Sophos Email, Sophos’ use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Access
Customer Access
Customers with access to Sophos Email & Phish Threat can query that data using the Live Discover functionality in Sophos Central or via APIs. Customers with access to Sophos Email and Phish Threat can also access reports and screens in Phish Threat that detail campaigns and users.
Sophos Access
Sophos Engineering monitors telemetry for planning future roadmap strategy and requirements, product development and enhancement, troubleshooting, and generating statistics and reports.
Sophos Labs or Sophos AI teams may access data for analysis, threat detection, research purposes and continuous improvement and evolution of our products and threat detections. Suspicious files that may contain personal information are treated as follows: a) If these files are convicted as malicious, they are treated as malware and will be blocked globally going forward, b) If these files are not convicted and are cleared as non-malicious, they are permanently deleted within sixty (60) days.
The manual escalations and automatic telemetry are stored in SophosLabs HUB located in the UK. Data on manual escalations is retained for six months whilst data collected on telemetry is retained for up to one year. In some rare scenarios when test cases around an email are created, we retain the attached files (which may sometimes include the e-mails) indefinitely.
Disclaimer
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Sophos Email & Phish Threat Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.
Last updated June 2023