Solution-specific privacy policies

General Privacy Policy

Corporate business privacy policy

September 2019

This policy is provided on behalf of WithSecure Corporation and explains the processing of your personal data by companies belonging to WithSecure's group of companies. It sets out how the personal data that we collect from you, or that you provide to us, will be processed by us.

The data controller for this policy is WithSecure Corporation, a Finnish company with business ID 0705579-2. Our contact information can be found at the end of this policy.

The personal data of individuals discussed in this policy is primarily collected because WithSecure is in, or is seeking to enter into, a commercial relationship with the entities you are employed by.

The collected information and its use vary based on whether there is a pre-existing commercial relationship between WithSecure and your employer (see the section CUSTOMERS AND PARTNERS) or we have no prior engagement with your employer (see the section MARKETING).

Marketing

What kind of data we collect on you

From persons visiting our website, we acquire data on the device used, your IP address, the route by which you arrived at our website, and your activities therein, as well as any information you have submitted to us through forms. For more detailed information, see our website privacy policy.

If you provide us your data via forms – online or offline – we ask you for the following information: names of the person and company, email address, country, industry, size of company, telephone number, and area or service of interest.

We may also collect your information via our discussion boards or other social media hosted by WithSecure, competitions, promotion, surveys, webinars, and other such events or points of interaction.

If you have been identified as a decision maker or influencer by a third party, or listed as such in public sources, we typically obtain the following information on you and the organization that you represent: company name, title, name, function, language, email, zip code, city and state, country, phone number, industry, turnover, and size of company.

We may aggregate such data with general data on your organization.

For what purposes do we use it

We collect and process the data so that we can, based on your position in your organization, send you information relating to the services, conduct customer surveys, arrange competitions, advertise and market our services (both personalized and in aggregate), and share information and know-how about cyber security and on our services. We also make use of the collected data in market research, product and service development, and business offering development.

Should you or the organization that you represent become our customer, we combine the data collected on you during this pre-sales phase. In such cases, we use it in accordance with the same practices that we employ with the representatives of our corporate customers and partners.

Legal grounds

We collect data on individuals in influential, decision-making positions in companies that would benefit from our services. We consider such activity to be in the legitimate interests of both WithSecure as a vendor and your employer as a buyer.

Where legitimate interest is not suitable or applicable to a type of data processing, we will seek your consent. For example, consent is the legal ground for data that we collect on your browsing of our websites. Where we base our processing on consent, you may withdraw your consent at any time.

Customers and partners

What kind of data we collect on you

Regarding individuals with whose employers we are in a commercial relationship, we process the following personal data on you: your name, your position / role / title, your email address and phone number, the legal entity that has purchased the license or service, such entity’s street / mailing address, country, your language and messaging preferences, available LinkedIn information, and relevant access credentials to and logs in our systems.

WithSecure collects this data:

  • Via marketing activities (more information under Corporate Business - marketing),
  • Via our website, our discussion boards or other social media hosted by WithSecure,
  • Via competitions, promotion, surveys, webinars, and other such events or points of interaction,
  • Through sales, support, and account management activities, and
  • Through partner sales and customer management activities (e.g. a partner orders a license to an end customer or changes an end customer’s information).

For what purposes do we use it

We collect and process the data so that we can manage our customer relationships, provide you with information, products and services that you request from us, run joint planning sessions, analyze the data for business development purposes, deliver license certificates, undertake all steps of order fulfillment and payment processes, perform personalized marketing activities, communicate in relation to both the initial sales of our services as well as license and service renewals, our other offerings and other relevant information, collect your feedback and identify authorized users for selected systems and administer user accounts, and provide help and support for the services.

As you may approach us or submit information to us via multiple channels – such as our resellers, events, or website – we combine such information to make our communications relevant to your needs.

Legal grounds

WithSecure has a legitimate interest to process personal data of the employees of its customers and partners to enable and facilitate provisioning its commercial services to its corporate customers and partners, including undertaking relevant sales and marketing activities as enabled by applicable laws on different forms of marketing-related communications.

Where processing is required for an activity, it is necessary that we are able to process the required data. This is the case e.g. when we need to effectively communicate with the representatives of our partners and customers, deliver and invoice the agreed services, respond to an enquiry or support request, or enable your participation in our corporate customer beta program.

Where legitimate interest is not suitable or applicable to a type of data processing, we will seek your consent. For example, consent is the legal ground for data that we collect on your browsing of our websites. Where we base our processing on consent, you may withdraw your consent at any time.

Profiling

To keep our interaction focused on the services that you are primarily interested in, some of the data that we collect may be based on your activity on our corporate web pages. This occurs in the event that you have consented to having such traffic linked to you, for example by filling any of our web forms. We do not record your web traffic outside WithSecure websites. The more activity and interest you show towards our solutions, the more likely it is that we will approach you. This is elaborated in our cookie banners and in our website privacy policy.

If you do not wish us to have your email address for this purpose, you may freely request that we remove it from our records. The impact on you is that the messaging that you may receive from us may be less relevant for you and your employer.

We do not disclose such profile information to external parties. We may share general data on your interest with our reseller to better serve your needs (e.g. to enable you to purchase via our local reseller), but only in the event that we have actually started sales negotiations.

Transfers and disclosures

Personal data is primarily processed by WithSecure™'s local company that you are interacting with the most. In addition to local processing, the most common reason for exchange of information between different WithSecure™ offices is to enable us to efficiently serve you and manage our relationship. See the list of our local country offices here.

Personal data can also be made available to WithSecure™'s channel partners when - and to the extent that - disclosure of data is necessary for the relevant purposes of processing data (listed above). For example, if you are interested in purchasing our services, we provide such information to our reseller partner in the area.

Some of WithSecure™'s affiliated companies, subcontractors, and distributing partners are located in multiple countries, including outside the European Economic Area (EEA). Even if the data is stored within the EEA, it may also be processed by our staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details, and the provisioning of support services.

Where personal data is transferred to other jurisdictions, including to outside the EEA, WithSecure™ undertakes to safeguard the security and integrity of processing by implementing the appropriate measures as required by law, and by imposing appropriate contractual safeguards on such data importers (for example by adhering to data transfer clauses approved by the European Union).

Advertisers and advertising networks that require the data to select and serve relevant advertisements to you and others are listed on our website privacy policy.

Third parties

We also work closely with third parties (including, for example, business partners, subcontractors in technical, payment, and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them. These vendors have collected this information from private or public sources or directly from you.

Other uses and disclosures

Information on secondary purposes for which personal data may occasionally be processed.

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Retention

On a monthly basis, we purge our direct marketing records from all contacts who have not reacted to our messaging or visited our web pages during the last 24 months and who are not affiliated with any of our customers or partners.

If you become our customer or partner, the data is retained for the duration of your organization's relationship. User data in our corporate customer registry is stored for the duration of the license/subscription/engagement and up to five years after the last engagement or subscription with the customer or partner has expired.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

WithSecure™ Elements Endpoint Protection

WithSecure Elements Endpoint protection privacy policy

May 2021

In brief

Elements Endpoint Protection combines VPN, mobile device management, software update management as well as workstation and server security, which are all controlled via the management portal. The core privacy aspects of this service are:

  • the focus of data collection is on your device and our service, not you as an individual;
  • much of the collected data is available for your employer’s IT administrator, so they can better manage company devices and applications;
  • we collect anonymous security data to protect your device.

The service does not enable WithSecure or your company’s IT administrator to follow your movements, view your photos, or see who you call or communicate with, nor are we able to track the sites that you visit through the service.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

User data

The service collects the following data, which is available through the management portal, on administrator users:

  • Username
  • The user’s email address
  • The user’s phone number (optional)
  • Logs of the user’s actions

Data on other users in the management portal

Depending on the software that you have a subscription for, the service may collect the following data about you, your device, and use of the service, and makes it available through the management portal:

  • User’s name, user’s email address, device name, device identifiers (e.g. IMEI, WINS name, IP address), and phone number that act as identifiers for the user data in the system.
  • The service version number, subscription key, installation and update date and time, blocked malware (may include the file name and path), blocked applications, blocked USB devices, device operating system and version, feature status.
  • Installed applications as part of the service offering.
  • Connected USB devices as part of the device control feature.
  • Various data (e.g. encryption state, user privileges, password policies, etc.) describing the security posture and usage of the company devices for better manageability.
  • Mobile device model, as well as the potential jailbreak or root status, service statistics per device such as the virtual location, the aggregate amount of traffic in the VPN tunnel, the amount of traffic scanned, the harmful sites, the number of blocked tracking attempts and blocked website counters.
  • Other substantially similar data.

The collected data varies according to what devices and services you use.

We use this data to operate the services, to manage them (including identifying authorized users, managing licenses, and sending push notifications), to measure performance, and to further develop, enhance, and improve the service. The data can be used to provide support and problem resolution services.

This data is visible to your company’s IT administrator for similar purposes. The data is also available to WithSecure and through the portal. If the company’s IT administration has been outsourced, the data is also available to the outsourcing partner (WithSecure’s “distributor partner”), so that they can provide your company with support and corresponding IT services.

In addition to the data that is made available in the portal, WithSecure also collects the following data directly via the service. This data is not shared with the customer company or distribution partner.

  • Your device’s language, so the service language is consistent with the device language.
  • For mobile clients, the battery level, internal memory and SD card memory sizes, and a list of installed applications.
  • For the Password Protection product, we store your passwords for you in encrypted form. The master password is only known by you and is not stored by WithSecure.

This data is used for operating the service, troubleshooting, performance measurement, statistics, and service development.

Some jurisdictions require that we collect user devices’ public and private IP addresses as well as the start and end time for the VPN tunnel. If we receive a legally valid request, this data can be used to reveal which origin IP was used to connect to a target IP at a given time. It does not compromise the invisibility of your browsing traffic via the service towards WithSecure or your IT administrator, as we do not connect the IP address to you. We do not sell or disclose your VPN data to any third parties unless we are required under law.

WithSecure and the reseller partner may also each initiate a collection of additional diagnostic data from the protected device, where it is necessary to resolve a support case. You will be prompted prior to sending the diagnostic data to WithSecure. More information on related data collection is available in the WithSecure Support Tool privacy policy.

Transfers and disclosures

The data presented in the service portal is visible to your company’s IT administrator, whether internal or external. If the company’s IT is managed by a third party, this data is also available to them (WithSecure’s "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners, and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, F‑Secure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

 

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests:

  • providing WithSecure services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

Additionally, Web Portal analytics are put in place to improve WithSecure products.

In the case of data that is not strictly necessary to provide you with the services — but would help us in providing you with better services in the long run — we collect such data only with your consent.

Your employing company independently establishes its legal grounds for the processing of identifiers for the purposes set out above.

Retention

The data is stored for the duration of service provisioning to our customer company and is visible in the Elements Endpoint Protection portal for the same duration. After termination of the service agreement or license with the service provider, this data is retained in WithSecure storage for a limited number of months, before final deletion or anonymization.

In addition to the above, audit logs, which show which users accessed the portal, are kept for three years on a rolling basis. Service logs, which show what actions happened in the portal, are kept for one year on a rolling basis. These actions include, but are not limited to, subscription renewals, user creation, profile changes, and registration of new devices.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have a WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have a WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security data

The service sends queries on potential malicious activities or protected devices and networks to WithSecure Security Cloud. WithSecure Security Cloud is a cloud-based system for cyber threat analysis that is operated by WithSecure. With the Security Cloud, WithSecure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. While we limit the processing of any information that could be considered sensitive by our users, we collect the minimum amount of user and organization information for the purpose of providing high quality protection to our users. The collected data may contain:

  • Files that are blocked by WithSecure for a security reason, and related metadata. The metadata includes for example file hash, file name and file path. We need to analyze files and emails for malicious content and behaviors for your protection. Files are processed in a safe environment to catch harmful behaviors. Collection of this data helps WithSecure to keep a global threat situation map that allows reacting quickly to new threats.
  • Web addresses that you have tried to visit but have been blocked by WithSecure for a security reason or which exhibit potentially malicious behavior, and related metadata. The metadata includes for example response headers. A site may get blocked based on selected protection preferences and parental control reasons. The collected information also allows protection against phishing and ransomware attacks.

The portal administrators will only see a summary of the result, for example if the file is infected or not. However, if the service detects malware, a summary of the detection is visible in the portal and can be connected to an individual device by those having access to the portal.

Data collection for VPN component

Our guiding principle is that we do not seek to spy on the exact content of your private communications. We analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact:

  • we process some metadata (such as the traffic volume, timestamps, IP addresses) of your traffic when providing the service for you;
  • the target IP, port, or URL of traffic relayed through the VPN are not stored in a way that they could be later connected to you;
  • we also analyze the traffic for suspicious or malicious files and destinations (i.e. URLs); and
  • we automatically screen the traffic to inhibit usage that is against our acceptable use policy.

Other services

Elements Endpoint Protection management capabilities can also be used to manage certain other WithSecure services. Data processing related to such other services is subject to their respective privacy policies.

Analytics

In addition to the data visualized in the portal, the service also uses a subset of collected data for service analytics. We do this so that we can create services that are of value to you and our other customers. WithSecure also collects analytics data on the service portal to learn how the administrator users use the service portal so we can improve the portal user experience.

This section outlines our general practices for the collection and processing of data for analytics purposes.

WithSecure data analytics comprises reused service data, reused security data, and the data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to whom a specific data set refers. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email does not monitor data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

 

 

WithSecure™ Elements Vulnerability Management

WithSecure elements vulnerability management privacy policy

May 2021

In brief

WithSecure Elements Vulnerability Management is a vulnerability scanning and management platform that allows you to identify and manage threats, report risks, and get an outlook on the security posture of your IT systems. The core privacy aspects of this service are:

  • the focus of data collection is on detecting vulnerabilities in your employer's corporate network, not on any individual's activities therein;
  • the only directly identifying data that we need is your name, email, and optionally phone number;
  • we monitor service use to maintain its performance and prevent misuse.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What do we collect and what do we do with it?

Data in the management portal

We ask you - as the portal user - for subscriber data in the form of full name, email, password (encrypted), and phone number, which act as identifiers for the user's personal account in the system, as well as language and time zone preferences.

The service automatically collects the following data on its operational environment, and on the use of the service, and makes it available through the management portal:

  • Data on service use: subscriber access tokens, scan node, device identifiers (including IP address), service version number, subscription key, installation and update date and time, feature status, and basic operating system status (such as memory and disk usage).
  • Data on vulnerability scan results: information about the occurrence of known vulnerabilities and risks identified during the scan as presented to you via the service.
  • For authenticated Elements Vulnerability Management system scans:
    ▸  The certificate or credentials that act as access tokens to perform an in-depth scan
    ▸  The software and its version installed on target systems

The portal provides limited visibility among those who share the same subscription.

Data in WithSecure systems

In addition to vulnerability scan result data that is made available to you via the service, WithSecure also collects the following organization-level data directly via the service. This data is not shared with the customer company or distribution partner.

  • The amount and the value of unique IP addresses scanned for vulnerabilities within the organization; and
  • in the case of on-premise scan node deployments, the scan node’s configuration details, such as installation directory and hardware fingerprint of the device on which the scan node agent is installed.

This data is used for operating the service, troubleshooting, performance measurement, statistics, logging and resolving malicious usage, and service development.

Lawful use

The service is built to find vulnerabilities in the hardware and software of your employer's corporate network, enabling you to find and fix them and thus prevent breaches performed by malicious parties.

Legal grounds

WithSecure has a legitimate interest in identifying its portal users and monitoring such users' portal usage as set out above to make sure that only authorized users are able to utilize the service and that services are only used for their lawful purposes. To this effect, you are responsible for providing accurate and truthful access credentials to be able to use the service.

The data collected by the service in the form of "vulnerability scan results" is processed for the dual purposes of i) improving WithSecure's customers' network and device security as well as the confidentiality and availability of the data therein, and ii) allowing WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that WithSecure services can keep on par with evolving threats. The vulnerability scan results do not, by default, contain personally identifiable data.

Transfers and disclosures

To help you in managing your subscriptions and settings and to help us help you better in case of problems, the following data is visible to those who share the same subscription: email address, first name, last name. The visibility of your phone number (if provided) is limited to users with the company administrator role.

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data on vulnerability scan results is stored in accordance with the service settings, which are adjustable by the customer.

Otherwise, the personally identifiable data is stored for the duration of service provisioning to our customer company and is visible in the portal for the same duration. After termination of the subscription, the data is stored for eight months before final deletion.

Regardless of the above deletion, WithSecure continues to retain certain application logs – which contain a limited data set of the above – to resolve any misuse of the services that may arise.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data nonetheless needs to be stored for longer periods of varying lengths, for varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated into other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have a WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have a WithSecure Community account or ii) continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data yourself, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

WithSecure™ Elements Collaboration Protection

WithSecure Elements Collaboration Protection privacy policy

In brief

WithSecure Elements Collaboration Protection is a cloud-based security service that is designed to mitigate business risks in organizations by providing effective threat protection for various Microsoft Office 365 services (such as Exchange Online and SharePoint Online). This service protects against threats such as internal/external email threats, advanced phishing attacks, malicious content and URLs in emails, and malicious content in files stored in SharePoint. In addition to email messages, other Exchange items such as tasks, calendar appointments, contacts, and sticky notes are inspected for malicious content and URLs.

  • The focus of data collection is on finding malicious content in file storage spaces (such as SharePoint) and users' mailboxes, and not on collecting any personal information about individuals
  • Much of the processed and collected data remains in the customer company's Microsoft 365 tenant

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What data is processed and what it is used for

Security

WithSecure Elements Collaboration Protection processes content such as files stored in Microsoft 365 services (such as SharePoint), email messages, calendar appointments, tasks, contacts, and groups in Microsoft 365 mailboxes of the customer, which are defined in the security policy and have a valid license assigned.

While processing this data, the solution analyzes files, attachments, web links (URLs) included in message bodies, and some parts of message headers. To identify security threats, files, file attachments and URLs are sent to WithSecure's Security Cloud for reputation checks and advanced threat analysis.

The service sends queries on potential malicious activity, malicious software, or unwanted applications on protected devices, data traffic, and networks to WithSecure Security Cloud. WithSecure Security Cloud is a cloud-based system for cyber threat analysis that is operated by WithSecure. With the Security Cloud, WithSecure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. These queries – such as URLs, file identifiers, and application metadata – cannot be connected to an identifiable user by WithSecure. To protect your privacy, WithSecure separates the above security data from other data collected on your use of the service, anonymizes it, and destroys it when it is no longer needed for the purpose.

If harmful content is detected (such as a malicious attachment or URL), the solution moves or copies the entire object or affected parts to the hidden quarantine folder located in the customer's Office 365 tenant. The relevant properties of quarantined items such as file location, file author & editor, filename, user mailbox, sender and recipient addresses, item subject, folder name, and harmful attachment name and URL are saved in the quarantine database.

For users administering the solution via the WithSecure Elements Collaboration Protection portal, contact information (email address) and credentials (username, password) are stored and used for managing the administrator’s access to the portal.

A system administrator, predefined and authorized by the customer, can choose to not send certain metadata or file content to WithSecure Security Cloud for analysis, with the explicit understanding that it reduces the security capabilities provided by the solution. The system administrator can further exclude email and file content from being manually analyzed for threats, with the explicit understanding that it reduces the security capabilities provided by the solution.

The data collected for the purpose of detecting malicious or suspicious content can include:

  • name of the user mailbox where the message or item with harmful content was found
  • full email content (email headers, body and attachments)
  • email address of the sender (messaging metadata)
  • email addresses of recipients (messaging metadata)
  • subject of message or item (messaging metadata)
  • email message headers (messaging metadata)
  • name of the folder where harmful content was found (messaging metadata)
  • names of the files where harmful content was found
  • web links (URLs) found to be harmful
  • name of the file and which SharePoint site it came from
  • name and email for both the original author and last editor of the file

WithSecure processes the data to protect the target networks, the devices and data therein. In particular:

  • to block real or potentially harmful content in inbound, outbound, and internal email traffic
  • to detect malicious and suspicious activity in users' mailboxes
  • to detect other threats and security attacks against or via Office 365 services
  • to analyze the service and security data collected for the purposes of improving the detection capability of WithSecure services, with emphasis on improving the functionality, usability, and detection capability of this service.

System administrators, predefined and authorized by the customer, can view the results of scanning if suspicious content is detected, for the purpose of administering the solution via the WithSecure Elements Collaboration Protection portal. A system administrator can in certain situations, where suspicious content has been detected, review the full email content for the purpose of assessing the veracity of the detection. If exercising the ability to analyze the content, the administrator must always follow the local privacy laws and processes.

The WithSecure Elements Collaboration Protection portal collects non-identifiable telemetry data on the use of its features for service improvement purposes, which the administrator can choose to opt out from sending in the policy settings.

WithSecure checks your email address on a regular basis for data breaches. WithSecure engages a third-party provider for detecting and collecting information on data breaches that relate to the email address that WithSecure checks for you.

Contact

The contact data of the customer company’s contact persons is processed as explained in the corporate business privacy policy.

Legal grounds

Both WithSecure and each customer company operate as independent controllers over their respective areas of data processing that takes place in the context of the services.

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests:

  • providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the service is mandatory for the efficient protection of customer company data in its Office 365 organization. While the individual service's settings may enable an Office 365/IT administrator to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.

Transfers and disclosures

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

More information on transfers and disclosures of data:

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners, and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google Maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data controlled by the customer

Quarantine items and related properties are removed based on the policy defined by the customer.

Data controlled by WithSecure

The data is stored for the duration of service provisioning to the customer and is visible in the WithSecure Elements Collaboration Protection portal for the same duration. After termination of the service agreement or license with the customer, this data is retained in WithSecure storage for 4 months before final deletion or anonymization.

Anonymized security data and statistical data are stored on WithSecure servers without a set end date as long as the data continues to be useful for the purpose it was collected for.

The other data types (i.e. technical support data, contact information) mentioned above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

More information, exceptions, and additions:

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data nonetheless needs to be stored for longer periods of varying lengths, for varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated into other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have a WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have a WithSecure Community account or ii) continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data yourself, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email does not monitor data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

WithSecure™ Cloud Protection for Salesforce

WithSecure™ Cloud Protection for Salesforce privacy policy

May 2019

In brief

WithSecure™ Cloud Protection for Salesforce is a cloud-based security solution that is designed to complement and extend the native security capabilities of the Salesforce platforms. The service protects organizations against threats posed by files and web links (URLs) uploaded to or shared via the Salesforce cloud.

The core privacy aspects of this service are:

  • the focus of data collection is on the customer company's Salesforce organization, not on individuals;
  • much of the processed and collected data remains in the customer company's Salesforce organization;
  • when data is sent to WithSecure Security Cloud, it is anonymous to WithSecure by design;
  • the customer company's Salesforce or IT administrator has access to the data collected in identifiable format.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What data is collected and what it is used for

Security

The solution is composed of a native Salesforce application and WithSecure's Security Cloud.

The WithSecure Cloud Protection application is installed in the customer company's Salesforce organization. The application inspects all files uploaded and stored as Salesforce Files or Attachments with standard or custom objects in the Salesforce platform. For advanced malware analysis, the WithSecure Cloud Protection application may send the actual content of files of unknown reputation to WithSecure's Security Cloud. Such contents are scanned in WithSecure's Security Cloud and deleted near-instantaneously after the analysis. See the ‘Retention' section for more information. It is possible to disable sending the actual content of files via the privacy control settings available in the application's configuration.

Web links (URLs) are inspected only in a few standard objects such as Chatter messages, Chatter comments, Case descriptions, Case comments, and EmailMessage bodies. To check the security reputation and classification of web links, the WithSecure Cloud Protection application sends them to WithSecure's Security Cloud. The application does not send actual message or body texts that contain web links.

WithSecure's Security Cloud is a cloud-based threat analysis and reputation system that scans data for any malicious or harmful content. Data sent to Security Cloud is always anonymized and cannot be connected to an individual user in any way.

Of the data collected by the scanning activity, the results are made available to the customer company's Salesforce or IT administrators via alerts and scan event logs. The results may include, but are not limited to:

  • User name (given and surname)
  • IP address of the network or device of origin for content uploaded to or downloaded from Salesforce
  • Timestamp when content was accessed (uploaded or downloaded)
  • Name, type, and size of file accessed (uploaded or downloaded)
  • Location (name of standard or custom object) that a file is associated with or attached to
  • Target web links (URLs) and their categories (e.g. gambling)

The customer company's Salesforce or IT administrator is likely able to link an employee's identity with the above results provided by the service. This is necessary so that administrators can react to security issues detected by the service, for example. WithSecure does not have access to this data in a format that could be personally identifiable.

Technical support

If the service does not work as intended and there are no workarounds for the problem, the customer company's Salesforce or IT administrator may utilize WithSecure's expertise to investigate and resolve issues. In such rare cases, WithSecure's support engineers may log in and access data in the customer company's Salesforce organization remotely via the support tool provided by Salesforce. The remote login access is explicitly granted by the customer company's Salesforce administrator and is always time-limited.

When investigating problems with the WithSecure service via remote login access, no data except debug logs relevant to the WithSecure service are collected from the customer company's Salesforce organization. WithSecure is the controller for such data.

Contact

The contact data of the customer company's contact persons is processed as explained in the corporate business privacy policy.

Legal grounds

Both WithSecure and each customer company operate as independent controllers over their respective areas of data processing that takes place in the context of the services.

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests:

  • providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the service is mandatory for the efficient protection of customer company data in its Salesforce organization. While the individual service's settings may enable a Salesforce/IT administrator to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.

Transfers and disclosures

The security data produced by the service is visible to the customer company's Salesforce and/or IT administrator for its determined purposes. If the company has outsourced its Salesforce/IT administration, including the monitoring of this service, that data may also be available to such outsourcing partner.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area, to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google Maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data controlled by the customer

Results of scanning activity, such as alerts as well as file and URL scanning events, are stored inside the customer company's Salesforce organization depending on the retention intervals configured in the WithSecure Cloud Protection application. The customer company's Salesforce or IT administrators can delete them at any time and make backups if/as needed.

Data controlled by WithSecure

Anonymized security data and service statistics are stored without a set end date as long as the data is useful for the purpose it was collected for. As an exception, and to protect the confidentiality and privacy of the corporate customer's file contents, the service automation deletes any contents that are not found to be suspicious near-instantaneously after analysis.

The other data types (i.e. technical support data, contact information) mentioned above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated into other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have a WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have a WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email does not monitor data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

Consulting Services (PCI)

WithSecure consulting services privacy policy (payment card industry)

September 2019

In brief

This privacy policy sets out the data processing related to WithSecure consulting services regarding Payment Card Industries (hereon PCI) criteria. These services include Data Security Standard (hereon DSS) and 3 Domain Security (hereon 3DS) assessments. The core privacy aspects of these services are:

  • PCI DSS and 3DS security standards require the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years;
  • This evidence data is collected from the organization being assessed (the customer), and might include personally identifiable information;
  • Evidence data of the assessment is stored for the needs of the PCI Security Standard Council quality assurance program and is used to verify WithSecure's judgement of the performed assessment, if requested by the council;
  • Evidence data is not shared with any other parties except PCI Security Standard Council or their appointed auditors.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What do we collect and what do we do with it?

Collected evidence from the organization being assessed

During the PCI DSS or 3DS assessment, we collect evidence from the assessed organization's information systems and related devices. We also conduct documented interviews with customer organization personnel. This data is used to showcase that the organization being assessed has built its security controls to match the requirements of PCI DSS and/or 3DS, and that they are capable of performing security management processes and procedures as is required of them:

  • Screen captures of management systems;
  • Security log exports;
  • Configuration exports from the security infrastructure devices; and
  • Internal documentation of the customer organization.

Certain PCI DSS/3DS security controls require personally identifiable evidence items to be collected (for example to ensure fulfillment of audit trail requirements); others might include unintentional personally identifiable information (such as identifiable names in device configuration exports).

  • Third-party service providers' employee data. In case the organization being assessed uses third-party services to support, develop, or maintain parts (or all) of their PCI DSS/3DS-related information systems or related processes, evidence collection might include collecting personally identifiable information of third-party personnel.

Legal grounds

The PCI DSS and 3DS security standards require the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years. Therefore WithSecure has a legitimate interest in collecting the evidence data, as it is necessary in order for WithSecure to provide customers with PCI DSS/3DS-related services.

For collected evidence data that WithSecure receives during the PCI DSS/3DS assessments and stores as defined in this privacy policy, WithSecure acts as a controller of the data.

During assessments, only the necessary amount of personal data is collected in order to fulfill the assessment requirements set by the PCI Security Standards Council.

Disclosures

Evidence data is stored for the needs of the PCI Security Standard Council quality assurance program and to possibly verify WithSecure's judgement of the performed assessment.

Evidence data is not shared with any external parties, except upon written request to PCI Security Standard Council or their appointed forensics investigators.

WithSecure further employs its own affiliates and subcontractors so that we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners, and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google Maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

The PCI DSS and 3DS security standards require the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years. WithSecure securely destroys the evidence data after this defined retention period has expired.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated into other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have a WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have a WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected for.

Security

PCI DSS/3DS assessment-related evidence data is stored in a secure document management system, managed by WithSecure and protected by access controls, firewalls, and other protective measures.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

Business Suite

WithSecure Business Suite privacy policy

August 2018

In brief

WithSecure Business Suite is an information security product suite for both workstations and servers, which are controlled via a management portal. The core privacy aspects of this service are:

  • the focus of data collection is on catching malicious activity on the protected devices;
  • the collected security data is anonymous to WithSecure by design;
  • your employer's IT administrator has access to the data collected in identifiable format.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

Covered services

The individual services of Business Suite are Client Security and Client Security for Mac, which protect the employee computers; Server Security, which protects corporate servers; Linux Security, which protects Linux desktops and servers; and Atlant for Virtual Environments, which scans uploaded files and aims to optimize performance inside virtual environments.

Your employer's environment may have all or only some of the individual services. The data collection and processing schemes for the mentioned individual services are similar to each other.

All of the above individual services can be managed by Policy Manager, which is a centralized management tool for the customer company's IT administrator. Policy Manager is on-premise server software.

What data is collected and what it is used for

The security data that is sent automatically by individual Services to WithSecure is handled by WithSecure’s “Security Cloud” component or its subset. An individual service sends queries to Security Cloud on potentially malicious activity on your devices and data traffic passing through them. WithSecure does not connect these queries to the identity of the user. However, your employer’s IT administrator is likely able to link your identity with the results provided by Security Cloud, as they need to be able to react to security issues detected by the service.

WithSecure has no visibility into the individual employee data that a customer company's IT administrator processes via Policy Manager for the purpose of managing the services on company-owned devices. WithSecure's service-use-based data collection is limited to statistical data for service management and invoicing purposes from Policy Manager, from which an individual person cannot be identified.

If the services do not work as intended, your employer may utilize WithSecure's expertise to resolve issues. In such cases, you are typically asked to run a WithSecure support tool on the device – whether a personal computer or a server – where the individual service is installed and to deliver the information to WithSecure. The separate WithSecure support tool privacy policy explains the processes for data collection and handling in such cases.

WithSecure's processing of the personal data of relevant customer company contact persons is explained in the corporate business privacy policy.

Legal grounds

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests:

  • providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the services is mandatory for the efficient protection of the device/network. While the individual service's settings may enable an IT administrator or employee to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.

Transfers and disclosures

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s public web pages.

When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners, and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google Maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Anonymized security data and statistical data are stored without a set end date as long as the data is useful for the purpose it was collected for. The other data types described above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated into other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have a WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have a WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected for.

Analytics

As of the date of this policy, individual services within Business Suite do not collect additional analytics data. Data collection is limited to that strictly required to provide the Service.

Policy Manager reports statistical analytics on its usage (for example, used features) to WithSecure. The statistical analytics relate to the general usage of the service, not to any individual.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

Freedome for Business

WithSecure Freedome for business privacy policy

May 2021

In brief

Freedome for Business combines VPN surfing with mobile device management, which are both controlled via the management portal. To achieve this:

  • the service encrypts your data traffic to protect it from third parties;
  • the focus of data collection is on your device and our service, not you as an individual;
  • much of the collected data is available for your employer's IT administrator, so they can better manage company devices and applications; and
  • we collect anonymous security data to protect your device.

The purpose of the service is to secure and manage your device and its connections. The service is not built to monitor employees. The service does not enable WithSecure or your company's IT administrator to follow your movements, view your photos, or see who you call or communicate with, nor are we able to track the sites that you visit through the service.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

Your private communications

Our guiding principle is that we do not seek to spy on the exact content of your private communications. We only analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact, this means that:

  • we need to process some metadata (such as the traffic volume and IP addresses) of your traffic when providing the service to you. To safeguard your privacy, the target IP, port or URL of traffic relayed through the VPN are not stored in a way that they could be later connected to you;
  • we analyze the traffic for suspicious or malicious files and destinations (i.e. URLs); and
  • we automatically screen the traffic to inhibit usage that is against our acceptable use policy.

User data

User data in the management portal

The service collects the following data about you, your device, and use of the service, and makes it available through the management portal:

  • User’s name, email, and phone number. This data is linked to your “device ID” that acts as an identifier of the user data in the system.
  • The service version number, device identifiers (e.g. IMEI, model, etc.), subscription key, installation and update date and time, operating system and version, feature status.
  • In addition to the above, the service collects: your mobile device model, as well as the potential jailbreak or root status, service statistics per device such as the virtual location, the aggregate amount of traffic in the VPN tunnel, the amount of traffic scanned, the harmful sites, the number of blocked tracking attempts and blocked website counters.

The collected data varies according to what devices and services you use.

We use this data to operate the services, to manage them (including identifying authorized users and managing licenses), to measure performance, and to further develop, enhance, and improve the service. The data can be used to provide support and problem resolution services.

This data is visible to your company’s IT administrator and is also available to WithSecure and through the portal. If the company’s IT administration has been outsourced, the data is also available to the outsourcing partner (WithSecure’s “distributor partner”), so that they can provide your company with support and like IT services.

User data in WithSecure systems

In addition to data that is made available in the portal, WithSecure also collects the following data via the service:

  • your device ID, so we can send push notifications to the devices and combine different types of user data;
  • your device’s language, so the service language is consistent with the device language; and
  • we may also collect the battery level, internal memory and SD card memory sizes, and a list of installed applications (to check that the service is installed correctly) for management feature development purposes.

Some jurisdictions require that we collect user devices’ public and private IP addresses as well as the start and end time for the VPN tunnel. If we receive a legally valid request, this data can be used to reveal which origin IP was used to connect to a target IP at a given time. It does not compromise the invisibility of your browsing traffic via the service towards WithSecure or your IT administrator, as we do not connect the IP address to you. We do not sell or disclose your VPN data to any third parties unless we are required under law.

Analytics

For us to learn when and how you use our service, to enhance it, and to learn how customers find out about the service, the service collects data on installation success, installation and activation paths, performance, operation environment, connections, used features, etc. We do this so that we can create services that are of value to you and our other customers.

This section outlines our general practices for the collection and processing of data for analytics purposes.

WithSecure data analytics comprises reused service data, reused security data, and data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is that we understand how the ecosystem works and go to great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to whom a specific data set refers. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results (not the full data) of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.

Elements Endpoint Protection privacy policy

The usage of Security Cloud, the roles in which different parties process your personal data, data retention rules, and the legal grounds on which personal data is being processed are described in the WithSecure Elements Endpoint Protection privacy policy.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data yourself, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will continue to make changes and additions to it from time to time.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.