SophosLabs receives information from customers for the purpose of enhancing the detection service that we provide. We understand the importance of privacy to our customers and we ensure sensitive data from our customers is handled properly.
For example, SophosLabs Intelix is designed to delete files marked as clean while retaining samples of malicious files to enhance our understanding of the global threat landscape and provide better protection to all our customers. SophosLabs Intelix is based on a Hub and Spoke architecture. Our customer-facing services (spokes) are self-contained in the region in which they are based. Malicious samples can be moved from a spoke to our SophosLabs central hub, located in the UK, for further analysis. This prevents sensitive customer data from being shared across many regions.
The purpose of this datasheet is to provide Sophos customers with information on how your privacy choices can be tailored with our offerings. In this document, we provide information about SophosLabs Intelix data handling practices, including personal information collection, use and storage.
SophosLabs Intelix Summary
SophosLabs Intelix interfaces with other Sophos products and is accessible via API to our OEM partners and to customers subscribing to the service on AWS Marketplace. The API allows customers to send samples of suspected malicious code, false positive samples and URLs to a single point at Sophos for malware detection and analysis. SophosLabs receives these samples from customers in order to enhance the detection service that Sophos provides.
Information Processed by SophosLabs Intelix
SophosLabs Intelix needs a Threat Object (for example, a file or URL) to be analyzed. The Threat Object is sometimes complemented by contextual data related to the Threat Object that contributes to the analysis (for example, Customer ID, Machine ID, file path, filename). Whilst the analysis is executed in the selected region, egress traffic originating from the dynamic analysis of the sample might be routed to another region.
Purpose of Information Processed by SophosLabs Intelix
Depending on the API used, SophosLabs Intelix provides actionable and relevant Threat Intelligence to customers either by analyzing the Threat Object (Static or Dynamic Analysis API) or by providing the latest available Threat Intelligence (Cloud Lookup API).
Information processed by SophosLabs Intelix is available to customers in the form of HTML/JSON reports that can be queried either by the JobID uniquely assigned at request or by the SHA256 of the Threat Object. SophosLabs uses the information to provide threat intelligence to customers and to enhance its malware detection service.
Files which have been processed and subsequently categorized as malicious by SophosLabs Intelix are automatically routed to the SophosLabs Hub for further Threat Research analysis.
Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos End User Terms of Use.
Sub-processors
Data processing by SophosLabs Intelix is performed in AWS data centers in the region selected by the customer. Aside from the foregoing sentence, due to its self-contained nature, SophosLabs Intelix does not use third-party sub-processors. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Retention
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
- Malicious samples analyzed by Sophos will be retained indefinitely in order to offer continued protection to customers.
- For Static and Dynamic Analysis, SophosLabs Intelix Threat Objects are retained in the respective analysis environment (spoke) for up to 30 days, whereupon clean files are deleted and malicious files are sent to the Hub.
- For Cloud Lookup, we retain the queried item in the respective lookup environment (spoke) for typically less than five minutes.
- Threat Object metadata follows the retention period of the associated Threat Object. In some cases, SophosLabs may retain some of this metadata for up to 6 months for research purposes, regardless of whether the associated Threat Object was detected as malicious or clean.
Our Commitment to Privacy
Sophos and SophosLabs are committed to treating your personal data with the care and sensitivity it deserves as well as complying with appropriate data protection rules. Except as stated, Sophos will access data to enable it to provide the services you have signed up for.
Access
SophosLabs or Sophos AI teams may access data for threat research purposes and to improve our ability to detect new threats. It is possible that a submission of suspicious files may incidentally contain personal information. If suspicious files are convicted as malicious, then they are treated as malware and will be blocked globally going forward. If suspicious files containing personal information are not convicted and are cleared as non-malicious, they are permanently deleted within 30 days.
Disclaimer
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.
Last Updated August 2023