The purpose of this datasheet is to provide Sophos customers with information on how our offerings affect their privacy considerations. In this document, we provide information about the Sophos Cloud Optix data handling practices, including personal information collection, use and storage.
Product Summary
Sophos Cloud Optix is an AI-powered security and compliance platform for public cloud environments. Sophos Cloud Optix does the following:
- Provides a real-time inventory of your cloud infrastructure, including servers, storage and network elements.
- Helps you monitor security and meet compliance standards in one simple-to-use interface.
If you sign in to Cloud Optix with a Google account, you can remove Cloud Optix's access to your Google account information through your Google account security settings. Please note that this will also disable your ability to sign in to Cloud Optix with your Google account.
Information Processed by Sophos Cloud Optix
To use Sophos Cloud Optix, you need to connect to one or more cloud environments, for example an Amazon Web Services (AWS) account, a Microsoft Azure subscription, or a Google Cloud Platform project. When you connect a cloud environment, you explicitly authorize Sophos to access information via APIs and collect log data.
The types of data processed by Sophos in Cloud Optix include, for example:
- Infrastructure metadata: inventory information about your cloud resources, such as instances/VMs, storage buckets and security groups, together with their security state.
- Activity logs, such as AWS CloudTrail logs: these may include information about the IAM entity (user, role or service) that accessed or changed the infrastructure, such as its ARN or user name, and the source IP address of the request.
- Network flow logs: these record which IP address is communicating with which other IP address, and the port and protocol used. Cloud Optix applies a geo-IP lookup to determine the location of IP addresses.
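To make the list concrete, the following is an added example (not Sophos code, and not part of the original datasheet) that parses one constructed AWS CloudTrail record and one constructed VPC flow log line and picks out the fields that carry personal data: the IAM identity and request source IP in CloudTrail, and the endpoint addresses (with their geo-IP country) in the flow log. The CloudTrail JSON layout and the default VPC flow log field order are AWS's documented formats; the geo-IP step is stood in for by a small hypothetical lookup table so the script runs offline, and the sample record, flow line and table contents are all constructed for illustration.

```python
"""Added example (not Sophos code): enumerate the personal-data-bearing
fields in the two log types the datasheet describes.

Assumptions (not from the datasheet): SAMPLE_CLOUDTRAIL, SAMPLE_FLOW_LINE
and GEOIP_TABLE are constructed sample data; GEOIP_TABLE is a hypothetical
stand-in for a real geo-IP database.
"""
import ipaddress
import json

# Constructed CloudTrail record, in the documented CloudTrail JSON layout.
SAMPLE_CLOUDTRAIL = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLE123",
        "arn": "arn:aws:iam::123456789012:user/alice",
        "accountId": "123456789012",
        "userName": "alice",
    },
    "eventTime": "2024-01-15T10:22:31Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketAcl",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.45",
    "userAgent": "aws-cli/2.15.0",
    "requestParameters": {"bucketName": "example-bucket"},
})

# Constructed VPC flow log line in the default (version 2) field order.
FLOW_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]
SAMPLE_FLOW_LINE = (
    "2 123456789012 eni-0abc123 203.0.113.45 10.0.1.20 51234 22 6 "
    "10 840 1705314151 1705314211 ACCEPT OK"
)

# Hypothetical geo-IP table standing in for a real lookup (assumption).
GEOIP_TABLE = {"203.0.113.0/24": "US"}
PROTOCOL_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def geoip(addr):
    """Resolve an address to a country code via the stand-in table.

    The table is consulted first: Python's is_private also covers the
    documentation range 203.0.113.0/24 used in the sample, so checking
    is_private first would mislabel the public sample address.
    """
    ip = ipaddress.ip_address(addr)
    for net, country in GEOIP_TABLE.items():
        if ip in ipaddress.ip_network(net):
            return country
    if ip.is_private:
        return "private"
    return "unknown"


def personal_data_in_cloudtrail(record_json):
    """Return {field path: value} for the identity-bearing fields of a CloudTrail record."""
    rec = json.loads(record_json)
    ident = rec.get("userIdentity", {})
    found = {}
    # Who acted: the IAM principal's ARN, user name and ids.
    for key in ("arn", "userName", "principalId", "accountId"):
        if key in ident:
            found["userIdentity." + key] = ident[key]
    # Where from: the caller's IP address and client software.
    for key in ("sourceIPAddress", "userAgent"):
        if key in rec:
            found[key] = rec[key]
    return found


def parse_flow_line(line):
    """Parse one default-format VPC flow log line into a dict, adding geo-IP results."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError("unexpected flow log field count: %d" % len(parts))
    rec = dict(zip(FLOW_FIELDS, parts))
    rec["protocol_name"] = PROTOCOL_NAMES.get(rec["protocol"], rec["protocol"])
    rec["src_geo"] = geoip(rec["srcaddr"])
    rec["dst_geo"] = geoip(rec["dstaddr"])
    return rec


def personal_data_in_flow(line):
    """Return the address-level fields of a flow record: the part that can identify a person."""
    rec = parse_flow_line(line)
    return {k: rec[k] for k in ("srcaddr", "dstaddr", "src_geo", "dst_geo")}


if __name__ == "__main__":
    print(personal_data_in_cloudtrail(SAMPLE_CLOUDTRAIL))
    print(personal_data_in_flow(SAMPLE_FLOW_LINE))
```

The point of the split into two functions is that the two log types expose different kinds of personal data: CloudTrail names the person (or role) directly through the IAM identity, while flow logs only expose IP addresses, which become location data once the geo-IP step is applied.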
Purpose of Information Processed by Sophos Cloud Optix
Sophos Cloud Optix analyzes the collected data using security monitoring rules and AI models to identify potential misconfigurations of cloud infrastructure that may adversely affect your security posture, and to identify anomalous activity in your cloud environments.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos Service Agreement.
Sub-processors
Data processed by Sophos Cloud Optix is hosted in AWS data centers in the U.S. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Retention
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
Security
Sophos secures customer information by authenticating access via username and password coupled with multi-factor authentication.
Sophos Cloud Optix has obtained a SOC 2 Type II attestation report to demonstrate its strong security practices, policies and internal controls environment.
Data is transferred from your cloud environment to Sophos Cloud Optix using the cloud platform's APIs (e.g. the AWS SDK) and by collecting network flow logs and usage logs. TLS encryption is used for data in transit, and all information collected by the service is stored encrypted at rest using industry-standard AES-256 encryption.
For information about the security protections used in the data centers where customer data resides, visit the AWS Security Documentation Center.
Our Commitment to Privacy
Sophos is committed to complying with data protection rules and protection of personal data processed by Sophos Cloud Optix. Sophos will access data to enhance features and services that bring benefits to the customer and for R&D innovation of future capabilities.
Access
Customer Access
You can retrieve data from Sophos Cloud Optix using the APIs or UI of the product storing the data.
You can remove a cloud environment from Sophos Cloud Optix using the product console at any time. All associated infrastructure metadata and log information is deleted automatically.
Sophos Access
Sophos Engineering monitors Sophos Cloud Optix access and telemetry for planning future roadmap strategy and requirements, product development and enhancement, troubleshooting, and generating statistics and reports.
Sophos Labs or Sophos AI teams may access the data for analysis, threat detection and for continuous evolution of products and new threat detections.
Sophos Cloud Optix and GDPR
To the extent that the General Data Protection Regulation (GDPR), or any portion of it, applies to your use of the Sophos Cloud Optix service, Sophos represents that it complies with GDPR in the Sophos Services Agreement, which governs the use of Sophos Cloud Optix.
Section 10.2 of the Sophos Services Agreement states: "Each party agrees to comply with all laws applicable to the actions and obligations contemplated by this Agreement", which includes GDPR.
Disclaimer
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Sophos Cloud Optix Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.