This is the privacy notice of Sophos Limited and its subsidiaries.
This document was last updated on 10 February 2022.
We are committed to safeguarding the privacy of your personal data. Please read the following privacy notice to understand how we collect and use your personal data, for example when you contact us, visit or use one of our websites, mobile applications, portals, or other parts of our network (each a “Site”), apply for a job, or use our products and services, regardless of how you access them. This privacy notice also explains the rights available to you in respect of your personal data.
- What personal data do we collect, how do we collect it, and why?
- Other specific ways we collect and use your personal data
- Legal basis for processing personal data
- With whom might we share your personal data
- International transfers of data
- Data retention
- Use by children
- Automated decision-making
- Your data protection rights
- California privacy rights
- Data Processing Agreement
- Notification of changes
What personal data do we collect, how do we collect it, and why?
Data that you provide voluntarily to us
When you use our Site, products or services, or you otherwise communicate with us, we may ask you to provide certain personal data voluntarily, including but not limited to your name, company position, postal address, telephone number, mobile number, fax number, email address, credit card or other payment details, age or date of birth, account usernames, passwords, or gender. For example, we may ask you to provide some or all of this personal data when you register an account with us, subscribe to our marketing communications, purchase products or services, and/or submit enquiries to us. We use this information to create and administer your account, send you marketing communications, provide you with the products and services you request, and to respond to your enquiries. In general, the personal data that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal data.
Data collected automatically
When you use our Site, products, or services, we may collect certain data automatically from your computers or devices (including mobile devices). The data we collect automatically may include your IP address (explained further below), device type, operating system details, unique device identification numbers (including mobile advertising identifiers), browser-type, browser language, operating system, geographic location (as explained further under the heading “Location information”) and other technical information. We may also collect data about how your device has interacted with our Site, products or services, including the pages or features accessed and links clicked, the amount of time spent on particular pages, mouse hovers, the date and time of the interaction, error logs, referring and exit pages and URLs, and similar information. Collecting this data enables us to better understand the visitors who use our Site, products, and services, including where they come from and what features are of interest to them. We use this information for our internal analytics purposes, and to improve the quality, relevance, and security of our Site, products and services.
For example, every time you connect to the Site, we store a log of your visit that shows the unique number your machine uses when it is connected to the Internet - its IP address. This log tells us what your machine has looked at, whether the page request was successful or not, and which browser your machine used to view the pages. This data is used for statistical purposes as well as to help customize the user experience as you browse the Site and subsequently interact with Sophos. This helps us to understand which areas of the Site are of particular interest, which pages are not being requested, and how many people are visiting the Site in total. It also helps us to determine which products and services may be of specific interest to you. We may also use this information to block IP addresses where there is a breach of the terms and conditions for use of the Site.
Some of the data may be collected automatically using tracking technologies, as explained further under the heading “Cookies and similar tracking technology”.
Data that we obtain from third party sources
From time to time, we may receive personal data about you from third party sources (including without limitation recruitment agencies, credit check agencies, agencies providing compliance checks, lead generation providers, resellers, and other partners who sell our products and services to you), but only where such third parties have confirmed that they have your consent or are otherwise legally permitted or required to disclose your personal data to us.
The types of information we collect from third parties include contact details, CVs, credit history, and order information, and we use the information we receive from these third parties to assess your suitability for a job position, carry out compliance checks required under applicable law (such as anti-bribery and corruption checks), make credit decisions, maintain and improve the accuracy of the records we hold about you, and market our products and services to you.
We also receive information from other members of the industry that forms part of or otherwise helps us to develop, test, and enhance our own product offering (for example spam lists, malicious URL lists, and sample viruses), some of which could contain personal data (where permitted by applicable law).
We may combine information that we collect from you with information about you that we obtain from such third parties.
Data collected through our products and services
We use data that we collect from products and services for the purposes for which you provided it, usage and audience counts, monitoring the performance and effectiveness of the products/services, monitoring compliance with our terms and conditions, enabling compatibility with third party operating systems/products/services, planning future roadmap strategy, planning product/service/feature lifecycles and retirements, conducting spam, threat and other scientific research, developing new products and services, enhancing existing products and services, troubleshooting product issues, generating statistics, reporting, and trend analysis. This may include incidental personal data (for example usernames, machine IDs, domain names, IP addresses, file names, and file paths).
Cookies and similar tracking technology
A cookie is a piece of text that gets entered into the memory of your browser by a website, allowing the website to store information on your machine and later retrieve it.
We, along with our service providers, may also use other Internet technologies, such as Flash technologies, Web beacons or pixel tags, and other similar technologies, to deliver or communicate with cookies and track your use of the Site, product, or service, as well as serve you ads and personalize/customize your experience when you are using our Site, product, or service and/or when you are on other websites where those cookies can be accessed. We may also include Web beacons in email messages, newsletters, and other electronic communications to determine whether the message has been opened and for other analytics, personalization, and advertising. As we adopt additional technologies, we may also gather additional information through other methods. This practice is explained further under the heading “Marketing and promotions”.
As explained above, we occasionally share information you have provided to us with service providers, who will de-identify the information and associate it with cookies that enable us to reach you. We may also help these service providers place their own cookies, by deploying a cookie that is associated with a 'hashed' value associated with interest-based or demographic data, to permit advertising to be directed to you on other websites, applications or services.
Most browsers automatically accept cookies, but you can modify your browser setting to decline cookies by visiting the Help portion of your browser's toolbar. If you choose to decline cookies, please note that your ability to sign in, customize, or use some of the interactive features of our Site, product, or service may be impeded, and the advertisements you see may not be as relevant to you.
For more information about the cookies that we use, please refer to our Cookie Information page.
Location information
We may collect different types of information about your location, including general information (for example IP address or ZIP code) and more specific information (for example GPS-based functionality on mobile devices when used to access a Site, product, or service). This information may be used to customize the services provided to you, such as location-based information, advertising, and features. In order to do this, your location information may be shared with our agents, vendors, or advertisers. If you access the Services through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer's instructions for further details.
Other specific ways we collect and use your personal data
If you are making a job application or inquiry, you may provide us with a copy of your CV or other relevant information. We may use this information for the purpose of assessing your application or inquiry. We may also keep this information on file to contact you about future opportunities, unless you ask us not to do this.
Our resellers, distributors, and other partners may visit our partner portal Site. We may use the information provided on that Site for partner relationship management, billing, forecasting, trend analysis, renewal management, marketing, and in order to sell and provide the products and services.
If you obtain products or services from us, we may use your contact details and (where applicable) payment information for the purposes of (i) providing training, customer support, and account management, (ii) order processing and billing, (iii) verifying your usage of the products and services in accordance with the terms and conditions of your agreement with us, (iv) carrying out checks for export control, anti-bribery, anti-corruption, the prevention of modern slavery, and other compliance purposes in accordance with requirements under applicable law; (v) contacting you (including by email communication) regarding license expiry, renewal, and other related notices, and (vi) maintaining our company accounts and records.
Market research and surveys
If you participate in surveys, we may use your personal data for our internal business analysis and training purposes in order to improve our understanding of our users’ demographics, interests and behaviour, to measure and increase customer satisfaction, and to improve our products and services.
Competitions, contests, promotions
If you participate in a competition, contest, or promotion conducted by us or on our behalf, we may use your personal data in order to administer such competition, contest, or promotion. We may also use your personal data as explained further under the heading “Marketing and promotions”.
Please be careful and responsible whenever you are online. Should you choose to voluntarily disclose information to open areas of our Site, such as via the Sophos Community, online help, or other chat rooms, that information can be viewed publicly and may be collected and used by third parties without our knowledge or consent, and may result in unsolicited messages from other individuals or third parties.
Marketing and promotions
We (or our resellers or other selected third parties acting on our behalf) may contact you from time to time in order to provide you with information about products and services that may be of interest to you. Such communications may contain tracking technology that tells us whether you opened the communication and whether you followed the hyperlinks within the communication, in order to help us analyse the effectiveness of, monitor, and improve our marketing campaigns. All marketing communications that we send to you will respect any marketing preferences you have expressed to us and any consent obligations required under applicable privacy and anti-spam rules. You have the right to ask us not to process your personal data for certain or all marketing purposes, but if you do so, we may need to share your contact information with third parties for the limited purpose of ensuring that you do not receive marketing communications from them on our behalf.
We may collect logs and other data about access to and traffic passing through our network and equipment for the purposes of availability and performance monitoring, maintenance, security monitoring and investigations, conducting spam, threat and other scientific research, new product and service development, the enhancement of existing products and services, generating statistics, reporting, and trend analysis.
We collect information about suspected spam, suspected malicious files, and files that may be unwanted or undesirable for our customers (for example file names, URLs, file paths, hashes, and file samples) that are (i) received by our own network and equipment, and (ii) voluntarily submitted via our products and services or our Site submission pages. We use this information for spam, threat and other scientific research, new product and service development, the enhancement of existing products and services, generating statistics, reporting, and trend analysis.
Legal basis for processing personal data
Our legal basis for collecting and using personal data will depend on the personal data concerned and the specific context in which we collect it.
However, we will normally collect personal data from you only where we need the personal data to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal data from you or may otherwise need the personal data to protect your vital interests or those of another person.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided under the “Contact” heading.
With whom might we share your personal data
We may transfer or disclose your personal data to the following categories of recipients:
- to our authorised resellers, distributors, and other channel partners in order to process your order or sales enquiry, manage your subscription, provide technical or customer support, advise of upcoming product or service subscription expiry and renewal dates, or as otherwise notified to you when we collect your personal data;
- a subset of our threat intelligence data to selected reputable members of the IT security industry for the purpose of anti-spam and security threat research;
- to any government department, agency, court or other official bodies where we believe disclosure is necessary (i) as a matter of applicable law or regulation (such as in response to a subpoena, warrant, court order, or other legal process), (ii) to exercise, establish, participate in, or defend our legal rights, or limit the damages we sustain in litigation or other legal dispute, or (iii) to protect your vital interests, privacy, or safety, or those of our customers or any other person;
- to any other person with your consent to the disclosure.
International transfers of data
As a global company, we and our service providers operate, and our Site, products, and services are accessed from, all over the world. When you give us personal data, that data may be used, processed, or stored anywhere in the world, including in countries that have data protection laws that are different to the country in which you reside.
Data retention
We retain personal data we collect from you for as long as necessary for the purposes for which the personal data was collected or where we have an ongoing legitimate business need to do so (for example, to provide you with a product or service you have requested, to ensure that transactions can be processed, settled, refunded, charged back, or to identify fraud), or to comply with applicable legal, tax, or regulatory requirements. Even if you close your account, we will retain certain information in order to meet our obligations.
When we have no ongoing legitimate business need to process your personal data, we will either securely destroy, erase, delete or anonymise it, or if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
Use by children
The Site, the products, and the services are not intended for persons under the age of 16. By using the Site, product, or service, you hereby represent that you are at least 16 years old.
Automated decision-making
In some instances, our use of your personal data may result in automated decisions being taken that legally affect you or similarly significantly affect you.
Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without our human review. For example, our products and services use automated decisions to determine whether a domain, URL, or IP address is sending spam or malicious content in order to protect our customers from unwanted or undesirable content. We have implemented measures to safeguard the rights and interests of individuals whose personal data is subject to automated decision-making, including controlled product releases and regular quality assessments.
When we make an automated decision about you (for example if we block a domain, URL, or IP address used by you), you have the right to contest the decision, to express your point of view, and to require a human review of the decision. You can exercise this right by contacting us using the contact details provided under the “Contact” heading.
Your data protection rights
You have the following data protection rights:
- You can access, delete or request portability of your personal data by completing this form.
- You may also ask us to correct or update your personal data, object to processing of your personal data, or ask us to restrict processing of your personal data using the contact details provided under the “Contact” heading.
- You have the right to opt-out of marketing communications we send you at any time. You can usually exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. Alternatively, or to opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “Contact” heading.
- If we have collected and process your personal data with your consent, then you can withdraw your consent at any time by contacting us using the contact details provided under the “Contact” heading. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local data protection authority.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
While we strive to protect your personal data, no data transmission or storage can be guaranteed as 100% secure. We endeavour to protect all personal data using reasonable and appropriate physical, administrative, technical, and organisational measures, and in accordance with our internal security procedures and applicable law. These safeguards vary based on the sensitivity of the information that we collect, process, and store, and the current state of technology.
If you have been given or have created log-in details to provide you with access to certain parts of our Site (for example our partner portal), you are responsible for keeping those details confidential in order to prevent unauthorised access to your accounts.
California privacy rights
California Online Privacy Protection Act Notice Concerning Do Not Track Signals
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. We do not recognize or respond to browser-initiated DNT signals, as the Internet industry is currently still working toward defining exactly what DNT means, what it means to comply with DNT, and a common approach to responding to DNT. To learn more about Do Not Track, you can do so here.
Your California privacy rights
California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their 'personal information' (if any, and as defined under applicable California law) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties. If you are a California resident and would like to request this information, please submit your request using the contact details provided under the “Contact” heading.
Data Processing Agreement
If the provision of products and/or services constitutes processing by Sophos of personal data as processor under applicable data protection laws, Sophos’ obligations are documented in the Sophos Data Processing Addendum (“DPA Addendum”). The DPA Addendum is incorporated by reference into our agreements with our Customers, Managed Service Providers and OEM partners. If you require a signable Data Processing Agreement (“DPA”), you can countersign our pre-signed version here.
Please note, Sophos will not sign a Data Processing Agreement with its distributors and resellers, unless they are using Sophos products. Order data from end customers that is provided by distributors/resellers to Sophos is received by Sophos in its capacity as a data controller.
If you wish to unsubscribe from marketing communications, please email email@example.com.
Notification of changes