The purpose of this datasheet is to provide Sophos customers with information they need to understand how our offering affects their privacy considerations. In this document, we provide information about Managed Risk data handling practices, including personal information collection, use and storage.
PRODUCT SUMMARY
Sophos Managed Risk is a vulnerability and external attack surface management offering powered by industry-leading Tenable technology and delivered as a managed service by Sophos. This service helps identify exposures specific to the customer’s environment and gives remediation guidance to help prevent attacks.
INFORMATION PROCESSED BY SOPHOS MANAGED RISK
Sophos processes the following types of information as part of the Managed Risk service:
- IP Addresses
- Domain names
- Hostnames
- URLs
WHERE IS SOPHOS MANAGED RISK DATA PROCESSED
Managed Risk data is processed in the region in which the customer account is provisioned. This region is selected at the time of onboarding to Sophos Central.
PURPOSE OF INFORMATION PROCESSED BY SOPHOS MANAGED RISK
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos End User Terms of Use.
SUB-PROCESSORS
Data processed by the Managed Risk service is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
RETENTION
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
Managed Risk reporting and case data will be retained for 2 years. Upon termination of the Managed Risk service, access to the customer’s Managed Risk interface in Sophos Central is disabled after a 30-day grace period.
SECURITY
Sophos secures customer information by authenticating access with a username and password, authorised on the basis of managed Active Directory group membership and coupled with multi-factor authentication.
The Sophos Managed Services platform has achieved SOC2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where customer data resides, visit the AWS Security Documentation Center.
OUR COMMITMENT TO PRIVACY
Sophos is committed to complying with data protection rules and protection of personal data processed by Sophos Managed Risk. Sophos will access data only to enable it to provide the services you have signed up for.
ACCESS
Customer Access
Managed Risk customers have access to the Sophos Central customer portal to administer, configure and manage their estate and access information from licensed and configured Sophos solutions and third-party integrations.
Sophos Access
Access to the information processed is restricted to Sophos engineers and the Managed Risk Operations team. When a support ticket is raised, the Sophos support team will access your account for the purposes of troubleshooting and resolving issues.
Sophos Engineering monitors access and telemetry for planning future roadmap strategy and retirements, product development and enhancement, troubleshooting, and generating statistics and reports.
DISCLAIMER
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Sophos Managed Risk Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.
Last updated September 2024