The purpose of this datasheet is to provide Sophos customers with information on how your privacy choices can be tailored with our offerings. In this document, we provide information about the Sophos Central Device Encryption data handling practices, including personal information collection, use and storage.
Sophos Central Device Encryption (CDE)
Sophos CDE provides functionality for managing native disk encryption on Windows and macOS. Sophos Central Device Encryption makes it easy to enable disk encryption on a large number of endpoints and provides monitoring and recovery functionality.
Encryption techniques are used to:
- Store disk encryption recovery keys in Sophos Central in encrypted form
- Leverage disk encryption functionality provided by the operating system (BitLocker on Windows, FileVault 2 on macOS)
Information Processed by Sophos CDE
Sophos may process the following types of information in Sophos Central Device Encryption:
- Endpoint
  - computer ID/name
  - user ID/name
  - IP address
  - domain name
- Customer ID
Purpose of Information Processed by the Sophos CDE
Data is processed by Sophos CDE to provide services to the customer. CDE creates a single administration console within which the customer can manage the product. CDE also allows the customer to recover access to encrypted disk volumes. Data processed by Sophos CDE is analysed for purposes of Sophos reporting, customer-side analysis, and future innovation.
Sophos processes the information identified above for the purpose of providing the service(s) to you in accordance with the Sophos Service Agreement.
Sub-processors
As customer data is stored on Sophos Central, data processed by Sophos CDE is hosted in AWS data centers in the region(s) selected by the customer at the time of Sophos Central account creation. Visit our Sub-processor listing to find out more about sub-processors engaged by Sophos.
Retention
Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.
Security
Sophos secures customer information by authenticating access via username and password, based on managed Active Directory group membership and coupled with multi-factor authentication.
Sophos Central has achieved SOC 2 Type II certification and PCI DSS v3.2 attestation to demonstrate its strong security practices, policies and internal controls environment.
For information about the security protections used in the data centers where Sophos CDE data resides, visit the AWS Security Documentation Center.
Further information on how Sophos Central protects your data is available at https://docs.sophos.com/central/Framework/security-framework/central/Framework/concepts/SophosCentralPlatform.html
Our Commitment to Privacy
Sophos is committed to complying with data protection rules and protecting the personal data it processes. Unless otherwise stated, Sophos will access data to enable it to provide the services you have signed up for, to enhance features and services that bring benefits to the customer and for R&D innovation of future capabilities.
Access
Customer Access
Where data is stored in Sophos Central, customers can access their account and product information through Sophos Central. Multi-factor authentication (MFA) must be enabled for all administrators of a Sophos Central account.
Sophos Access
Where data is stored in Sophos Central, Sophos may access the customer account for the purpose of providing technical support or maintenance. This is only possible if the customer expressly turns on remote support. Specific services may also require access to the customer account, as detailed in the applicable EULA.
Data is sent to Sophos Central (for customer administration purposes), Engineering (telemetry), Support (at the customer's request) and local logs (for analysis by the customer as required, and used in diagnostics when Support is involved).
Disclaimer
The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Privacy Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.