The purpose of this datasheet is to provide Sophos customers with information on how our offerings affect their privacy considerations. In this document, we provide information about Sophos XDR data handling practices, including personal information collection, use and storage.
PRODUCT SUMMARY
Sophos XDR is a new offering where critical information from endpoint, server, firewall, email and other Sophos XDR-enabled products is stored, is accessible, and can be queried by customers to streamline threat detection and response workflows. XDR introduces the Sophos Data Lake, where the device and log information is stored. Device and log information is retrieved from the different products at frequent intervals, allowing the Sophos Data Lake to be queried to identify suspect events in historical data.
For additional detail on MDR, please see the MDR Privacy Data Sheet.
INFORMATION PROCESSED BY SOPHOS XDR
Sophos XDR processes the following types of information:
- Usernames
- IP Addresses
- MAC Addresses
- Processes (where command lines are captured which could contain usernames, passwords, API keys and credentials)
- Applications, Portable Executable (PE) files
- Browser Add-ons and data from Microsoft Edge and Google Chrome (e.g., favorites, bookmarks, cookies and browsing history, search terms)
- User folders (e.g., public, music, documents, downloads, videos, pictures, desktop)
- Browser Addons
- File Hashes
- File Paths
- Hostnames
- Ports
- System Events and Log
- URLs
- Crash dumps, memory dumps
- Export of Windows Registry (all software installed on machine and its configuration)
- Third party application logs (e.g., OneDrive, DropBox, AV software, password managers)
- Email addresses
- Email subject data
Customers have the flexibility to define endpoint and server devices to be excluded from sending data to the Sophos Data Lake.
PURPOSE OF INFORMATION PROCESSED BY SOPHOS XDR
For XDR customers, data stored in the Sophos Data Lake is strictly for a customer’s own use.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos End User Terms of Use.
Generative AI will be used to streamline XDR workflows and improve service quality, primarily for data investigation, summarization, and classification.
SUB-PROCESSORS
Data processed by Sophos XDR is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
RETENTION
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
Data in the Sophos Data Lake will be stored for 90 days for Intercept X Advanced with XDR Endpoint, Intercept X Advanced with XDR Server, and MDR customers.
Customers who optionally choose to purchase the Central Data Storage – 1 yr Pack will have Sophos telemetry and third-party telemetry data retained in the Data Lake for 365 days. Customers who have also purchased Central Firewall Reporting may be able to access up to 1 year of data in the Sophos Data Lake within Firewall Reporting, dependent upon their Central Firewall Reporting license.
Only customers with access to Data in the Sophos Data Lake may perform queries and investigations independently. All customer data will age out of the system upon termination of the service. After this period, the data will be permanently deleted and unrecoverable.
SECURITY
Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.
Sophos XDR, including the Data Lake, has achieved SOC2 Type II certification to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where customer data resides, visit the AWS Security Documentation Center.
OUR COMMITMENT TO PRIVACY
Sophos is committed to complying with data protection rules and to protecting the personal data it processes. Sophos will access data only to enable it to provide the services you have signed up for.
ACCESS
Customer Access
Customers with access to Sophos XDR can query that data using the Live Discover functionality in Sophos Central or via APIs.
Sophos Access
Sophos Engineering monitors access and telemetry for planning future roadmap strategy and retirements, product development and enhancement, troubleshooting, generating statistics and reports.
Customer data is anonymized and may be accessed by Sophos Labs or Sophos AI teams for threat research purposes to improve our ability to detect new threats. It is possible a file submission of suspicious files may incidentally contain personal information. If suspicious files are convicted as malicious, then they are treated as malware and will be blocked globally going forward. If suspicious files containing personal information are not convicted and are cleared as non-malicious, they are permanently deleted within 30 days.
Additional details are available in the Sophos Labs Intelix Privacy Data Sheet.
DISCLAIMER
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Sophos XDR Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.
Last updated March 2024