Corporate Business Privacy

Elements Endpoint Protection

WithSecure Elements Endpoint protection privacy policy

May 2021

In brief

Elements Endpoint Protection combines VPN, mobile device management, software update management as well as workstation and server security, which are all controlled via the management portal. The core privacy aspects of this service are:

  • the focus of data collection is on your device and our service, not you as an individual;
  • much of the collected data is available for your employer’s IT administrator, so they can better manage company devices and applications;
  • we collect anonymous security data to protect your device.

The service does not enable WithSecure or your company’s IT administrator to follow your movements, view your photos, or see who you call or communicate with, nor are we able to track the sites that you visit through the service.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

User data

Data on administrator-level users in the management portal

The service collects the following data, which is available through the management portal, on administrator users:

  • Username
  • The user’s email address
  • The user’s phone number (optional)
  • Logs of the user’s actions

 

Data on other users in the management portal

Depending on the software that you have a subscription for, the service may collect the following data about you, your device, and use of the service, and makes it available through the management portal:

  • User’s name, user’s email address, device name, device identifiers (e.g. IMEI, WINS name, IP address), and phone number that act as identifiers for the user data in the system.
  • The service version number, subscription key, installation and update date and time, blocked malware (may include the file name and path), blocked applications, blocked USB devices, device operating system and version, feature status.
  • Installed applications as part of the service offering.
  • Connected USB devices as part of the device control feature.
  • Various data (e.g. encryption state, user privileges, password policies, etc.) describing the security posture and usage of the company devices for better manageability.
  • Mobile device model, as well as the potential jailbreak or root status, service statistics per device such as the virtual location, the aggregate amount of traffic in the VPN tunnel, the amount of traffic scanned, the harmful sites, the number of blocked tracking attempts and blocked website counters.
  • Other substantially similar data.

The collected data varies according to what devices and services you use.

We use this data to operate the services, to manage them (including identifying authorized users, managing licenses, and sending push notifications), to measure performance, and to further develop, enhance, and improve the service. The data can be used to provide support and problem resolution services.

This data is visible to your company’s IT administrator for similar purposes. The data is also available to WithSecure and through the portal. If the company’s IT administration has been outsourced, the data is also available to the outsourcing partner (WithSecure’s ’distributor partner’), so that they can provide your company with support and corresponding IT services.

User data in WithSecure systems

In addition to data that is made available in the portal: WithSecure also collects the following data directly via the service. This data is not shared with the customer company or distribution partner.

  • Your device’s language, so the service language is consistent with the device language; and
  • For mobile clients, the battery level, internal memory and SD card memory sizes, and a list of installed applications.
  • For the Password Protection product, we store your passwords for you in encrypted form. The master password is only known by you and is not stored by WithSecure.

This data is used for operating the service, troubleshooting, performance measurement, statistics, and service development.

Some jurisdictions require that we collect user devices’ public and private IP addresses as well as the start and end time for the VPN tunnel. If we receive a legally valid request, this data can be used to reveal which origin IP was used to connect to a target IP at a given time. It does not compromise the invisibility of your browsing traffic via the service towards WithSecure or your IT administrator, as we do not connect the IP address to you. We do not sell or disclose your VPN data to any third parties unless we are required under law.

WithSecure and the reseller partner may also each initiate a collection of additional diagnostic data from the protected device, where it is necessary to resolve a support case. You will be prompted prior to sending the diagnostic data to WithSecure. More information on related data collection is available in the WithSecure Support Tool privacy policy.

Transfers and disclosures

The data presented in the service portal is visible to your company’s IT administrator, whether internal or external. If the company’s IT is managed by a third party, this data is also available to them (WithSecure’s "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, F‑Secure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

 

Legal grounds

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;

  • providing WithSecure services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

Additionally, Web Portal analytics are put in place to improve WithSecure products.

In the case of data that is not strictly necessary to provide you with the services — but would help us in providing you with better services in the long run — we collect such data only with your consent.

Your employing company independently establishes its legal grounds for the processing of identifiers for the purposes set out above.

Retention

The data is stored for a length of service provisioning to our customer company and is visible in the Elements Endpoint Protection portal for the same duration. After termination of the service agreement or license with the service provider, this data is retained in WithSecure storage for a limited number of months, before final deletion or anonymization.

In addition to the above, audit logs, which show which users accessed the portal, are kept for three years on a rolling basis. Service logs, which show what actions happened in the portal, are kept for one year on a rolling basis. These actions include, but are not limited to, subscription renewals, user creation, profile changes, and registration of new devices.

Learn more

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security data

The service sends queries on potential malicious activities or protected devices and networks to WithSecure Security Cloud. WithSecure Security Cloud is a cloud-based system for cyber threat analysis that is operated by WithSecure. With the Security Cloud, WithSecure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. While we limit the processing of any information that could be considered sensitive by our users, we collect the minimum amount of user and organization information for the purpose of providing high quality protection to our users. The collected data may contain:

  • Files that are blocked by WithSecure for a security reason, and related metadata. The metadata includes for example file hash, file name and file path. We need to analyze files and emails for malicious content and behaviors for your protection. Files are processed in a safe environment to catch harmful behaviors. Collection of this data helps WithSecure to keep a global threat situation map that allows reacting quickly to new threats.
  • Web addresses that you have tried to visit but have been blocked by WithSecure for a security reason or which exhibit potentially malicious behavior, and related metadata. The metadata includes for example response headers. A site may get blocked based on selected protection preferences and parental control reasons. The collected information also allows protection against phishing and ransomware attacks.

The portal administrators will only see a summary of the result, for example if the file is infected or not. However; if the service detects malware, a summary of the detection is visible in the portal and can be connected to an individual device by those having access to portal.

Data collection for VPN component

Our guiding principle is that we do not seek to spy on the exact content of your private communications. We analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact;

  • we process some metadata (such as the traffic volume, timestamps, IP addresses) of your traffic when providing the service for you;
  • the target IP, port, or URL of traffic relayed through the VPN are not stored in a way that they could be later connected to you;
  • we also analyze the traffic for suspicious or malicious files and destinations (i.e. URLs); and
  • we automatically screen the traffic to inhibit usage that is against our acceptable use policy.

Other services

Elements Endpoint Protection management capabilities can also be used to manage certain other WithSecure services. Data processing related to such other services is subject to their respective privacy policies.

Analytics

In addition to the data visualized in the portal, the service also uses a subset of collected data for service analytics. We do this so that we can create services that are of value to you and our other customers. WithSecure also collects analytics data on the service portal to learn how the administrator users use the service portal so we can improve the portal user experience.

This section outlines our general practices for the collection and processing of data for analytics purposes.

When speaking about WithSecure data analytics, it comprises both reused service data, reused security data, and the data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to which a specific data set refers to. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Learn more

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

Elements Vulnerability Management

WithSecure elements vulnerability management privacy policy

May 2021

 

In brief

WithSecure Elements Vulnerability Management is a vulnerability scanning and management platform that allows you to identify and manage threats, report risks, and get an outlook on the security posture of your IT systems. The core privacy aspects of this service are:

  • the focus of data collection is on detecting vulnerabilities in your employer's corporate network, not on any individual's activities therein;
  • the only directly identifying data that we need is your name, email, and optionally phone number;
  • we monitor service use to maintain its performance and prevent misuse.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What do we collect and what do we do with it?

Data in the management portal

We ask you - as the portal user - for subscriber data in the form of full name, email, password (encrypted), and phone number, which act as identifiers for the user's personal account in the system, as well as language and time zone preferences.

The service automatically collects the following data on its operational environment, and on the use of the service, and makes it available through the management portal:

  • Data on service use; subscriber access tokens, scan node, device identifiers (including IP address), service version number, subscription key, installation and update date and time, feature status, and basic operating system status (such as memory and disk usage).
  • Data on vulnerability scan results; information about the occurrence of known vulnerabilities and risks identified during the scan as presented to you via the service.
  • for authenticated Elements Vulnerability Management system scans:
  • ▸  The certificate or credentials that act as access tokens to perform an in-depth scan
    ▸  The software and its version installed on target systems

The portal provides limited visibility among those who share the same subscription.

Data in WithSecure systems

In addition to vulnerability scan result data that is made available to you via the service, WithSecure also collects the following organization-level data directly via the service. This data is not shared with the customer company or distribution partner.

  • The amount and the value of unique IP addresses scanned for vulnerabilities within organization; and
  • in the case of on-premise scan node deployments, the scan node’s configuration details, such as installation directory and hardware fingerprint of the device on which the scan node agent is installed.

This data is used for operating the service, troubleshooting, performance measurement, statistics, logging and resolving malicious usage, and service development.

Lawful use

The service is built to find vulnerabilities in the hardware and software of your employer's corporate network, enabling you to find and fix them and thus prevent breaches performed by malicious parties.

Legal grounds

WithSecure has a legitimate interest in identifying its portal users and monitoring such users' portal usage as set out above to make sure that only authorized users are able to utilize the service and that services are only used for their lawful purposes. To this effect, you are responsible for providing accurate and truthful access credentials to be able to use the service.

The data collected by the service in the form of "vulnerability scan results" is processed for the dual purposes of i) improving WithSecure's customers' network and device security as well as the confidentiality and availability of the data therein, and ii) allowing WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that WithSecure services can keep on par with evolving threats. The vulnerability scan results do not, by default, contain personally identifiable data.

Transfers and disclosures

To help you in managing your subscriptions and settings and to help us help you better in case of problems, the following data is visible to those who share the same subscription: email address, first name, last name. The visibility of your phone number (if provided) is limited to users with the company administrator role.

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data on vulnerability scan results is stored in accordance with the service settings, which are adjustable by the customer.

Otherwise; the personally identifiable data is stored for a length of service provisioning to our customer company and is visible in the portal for the same duration. After termination of the subscription, the data is stored for eight months before final deletion.

Regardless of the above deletion, WithSecure continues to retain certain application logs – which contain a limited data set of the above – to resolve any misuse of the services that may arise.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Learn more

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

Elements Collaboration Protection

WithSecure Elements Collaboration Protection privacy policy

In brief

WithSecure Elements Collaboration Protection is a cloud-based security service that is designed to mitigate business risks in organizations by providing effective threat protection for various Microsoft Office 365 services (such as Exchange Online and SharePoint Online). This service protects against threats such as; internal/external email threats, advanced phishing attacks, and malicious content and URLs in emails, malicious content in files stored in SharePoint. In addition to email messages, other Exchange items such as tasks, calendar appointments, contacts, and sticky notes are inspected for malicious content and URLs.

  • The focus of data collection is on finding malicious content in; file storage spaces (such as SharePoint), users' mailboxes and not in collecting any personal information about individuals
  • Much of the processed and collected data remains in the customer company's Microsoft 365 tenant

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What data is processed and what it is used for

Security

WithSecure Elements Collaboration Protection processes content such as files stored in Microsoft 365 services (such as SharePoint), email messages, calendar appointments, tasks, contacts, and groups in Microsoft 365 mailboxes of the customer, which are defined in the security policy and have a valid license assigned.

While processing this data, the solution analyzes files, attachments, web links (URLs) included in message bodies, and some parts of message headers. To identify security threats, files, file attachments and URLs are sent to WithSecure's Security Cloud for reputation checks and advanced threat analysis.

The service sends queries on potential malicious activity, malicious software, or unwanted applications on protected devices, data traffic, and networks to WithSecure Security Cloud. WithSecure Security Cloud is a cloud-based system for cyber threat analysis that is operated by WithSecure. With the Security Cloud, WithSecure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. These queries – such as URLs, file identifiers, and application metadata – cannot be connected to an identifiable user by WithSecure. To protect your privacy, WithSecure separates the above security data from other data collected on your use of the service, anonymizes it, and destroys it when it is no longer needed for the purpose..

If harmful content is detected (such as a malicious attachment or URL), the solution moves or copies the entire object or affected parts to the hidden quarantine folder located in the customer's Office 365 tenant. The relevant properties of quarantined items such as file location, file author & editor, filename, user mailbox, sender and recipient addresses, item subject, folder name, and harmful attachment name and URL are saved in the quarantine database

For users administering the solution via the WithSecure Elements Collaboration Protection portal, contact information (email address) and credentials (username, password) are stored and used for managing the administrator’s access to the portal.

A system administrator, predefined and authorized by the customer, can choose to not send certain metadata or file content to WithSecure Security Cloud for analysis, with the explicit understanding that it reduces the security capabilities provided by the solution. The system administrator can further exclude email and file content from being manually analyzed for threats, with the explicit understanding that it reduces the security capabilities provided by the solution.

The data collected for the purpose of detecting malicious or suspicious content can include:

  • name of the user mailbox where the message or item with harmful content was found
  • full email content (email headers, body and attachments)
  • email address of the sender (messaging metadata)
  • email addresses of recipients (messaging metadata)
  • subject of message or item (messaging metadata)
  • email message headers (messaging metadata)
  • name of the folder where harmful content was found (messaging metadata)
  • names of the files where harmful content was found
  • web links (URLs) found to be harmful
  • name of the file and which SharePoint site it came from
  • name and email for both the original author and last editor of the file

WithSecure processes the data to protect the target networks, the devices and data therein. In particular:

  • to block real or potentially harmful content in inbound, outbound, and internal email traffic
  • to detect malicious and suspicious activity in users' mailboxes
  • to detect other threats and security attacks against or via Office 365 services
  • to analyze the service and security data collected for the purposes of improving the detection capability of WithSecure services, with emphasis
  • on improving the functionality, usability, and detection capability of this service.

System administrators, predefined and authorized by the customer, can view the results of scanning if suspicious content is detected, for the purpose of administering the solution via the WithSecure Elements Collaboration Protection portal. A system administrator can in certain situations, where suspicious content has been detected, review the full email content for the purpose of assessing the veracity of the detection. If exercising the ability to analyze the content, the administrator must always follow the local privacy laws and processes.

The WithSecure Elements Collaboration Protection portal collects non-identifiable telemetry data on the use of its features for service improvement purposes, which the administrator can choose to opt out from sending in the policy settings.

WithSecure checks your email address on a regular basis for data breaches. WithSecure engages a third-party provider for detecting and collecting information on data breaches that relate to the email address that WithSecure checks for you.

Contact

The contact data of the customer company’s contact persons is processed as explained in the corporate business privacy policy.

Legal grounds

Both WithSecure and each customer company operate as independent controllers over their respective areas of data processing that takes place in the context of the services.

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;

  • providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the service is mandatory for the efficient protection of customer company data in its Office 365 organization. While the individual service's settings may enable an Office 365/IT administrator to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.

Transfers and disclosures

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

More information on transfers and disclosures of data:

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data controlled by the customer

Quarantine items and related properties are removed based on the policy defined by the customer.

Data controlled by WithSecure

The data is stored for a length of service provisioning to the customer and is visible in the WithSecure Elements Collaboration Protection portal for the same duration. After termination of the service agreement or license with the customer, this data is retained in WithSecure storage for 4 months before final deletion or anonymization.

Anonymized security data and statistical data are stored on WithSecure servers without a set end date as long as the data continues to be useful for the purpose it was collected for.

The other data types (i.e. technical support data, contact information) mentioned above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

More information, exceptions, and additions:

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

Learn more

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

Cloud Protection for Salesforce

WithSecure cloud protection for salesforce privacy policy

May 2019

 

In brief

WithSecure Cloud Protection for Salesforce is a cloud-based security solution that is designed to complement and extend the native security capabilities of the Salesforce platforms. The service protects organizations against threats posed by files and web links (URLs) uploaded to or shared via the Salesforce cloud.

The core privacy aspects of this service are:

  • the focus of data collection is on the customer company's Salesforce organization, not on individuals;
  • much of the processed and collected data remains in the customer company's Salesforce organization;
  • when data is sent to WithSecure Security Cloud, it is anonymous to WithSecure by design;
  • the customer company's Salesforce or IT administrator has access to the data collected in identifiable format.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What data is collected and what it is used for

Security

The solution is composed of a native Salesforce application and WithSecure's Security Cloud.

The WithSecure Cloud Protection application is installed in the customer company's Salesforce organization. The application inspects all files uploaded and stored as Salesforce Files or Attachments with standard or custom objects in the Salesforce platform. For advanced malware analysis, the WithSecure Cloud Protection application may send the actual content of files of unknown reputation to WithSecure's Security Cloud. Such contents are scanned in WithSecure's Security Cloud and deleted near-instantaneously after the analysis. See the ‘Retention' section for more information. It is possible to disable sending the actual content of files via the privacy control settings available in the application's configuration.

Web links (URLs) are inspected only in a few standard objects such as Chatter messages, Chatter comments, Case descriptions, Case comments, and EmailMessage bodies. To check the security reputation and classification of web links, the WithSecure Cloud Protection application sends them to WithSecure's Security Cloud. The application does not send actual message or body texts that contain web links.

WithSecure's Security Cloud is a cloud-based threat analysis and reputation system that scans data for any malicious or harmful content. Data sent to Security Cloud is always anonymized and cannot be connected to an individual user in any way.

Of the data collected by the scanning activity, the results are made available to the customer company's Salesforce or IT administrators via alerts and scan event logs. The results may include but not limited to:

  • User name (given and surname)
  • IP address of the network or device of origin for content uploaded to or downloaded from Salesforce
  • Timestamp when content was accessed (uploaded or downloaded)
  • Name, type, and size of file accessed (uploaded or downloaded)
  • Location (name of standard or custom object) that a file is associated with or attached to
  • Target web links (URLs) and their categories (e.g. gambling)

The customer company's Salesforce or IT administrator is likely able to link an employee's identity with the above results provided by the service. This is necessary so that administrators can react to security issues detected by the service, for example. WithSecure does not have access to this data in a format that could be personally identifiable.

Technical support

If the service does not work as intended and there are no workarounds for the problem, the customer company's Salesforce or IT administrator may utilize WithSecure's expertise to investigate and resolve issues. In such rare cases, WithSecure's support engineers may log in and access data in the customer company's Salesforce organization remotely via the support tool provided by Salesforce. The remote login access is explicitly granted by the customer company's Salesforce administrator and is always time-limited.

When investigating problems with the WithSecure service via remote login access, no data except debug logs relevant to the WithSecure service are collected from the customer company's Salesforce organization. WithSecure is the controller for such data.

Contact

The contact data of the customer company's contact persons is processed as explained in the corporate business privacy policy.

Legal grounds

Both WithSecure and each customer company operate as independent controllers over their respective areas of data processing that takes place in the context of the services.

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;

  • providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the service is mandatory for the efficient protection of customer company data in its Salesforce organization. While the individual service's settings may enable an Salesforce/IT administrator to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.

Transfers and disclosures

The security data produced by the service is visible to the customer company's Salesforce and/or IT administrator for its determined purposes. If the company has outsourced its Salesforce/IT administration, including the monitoring of this service, that data may also be available to such outsourcing partner.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data controlled by the customer

Results of scanning activity, such as alerts as well as file and URL scanning events, are stored inside the customer company's Salesforce organization depending on the retention intervals configured in the WithSecure Cloud Protection application. The customer company's Salesforce or IT administrators can delete them at any time and make backups if/as needed.

Data controlled by WithSecure

Anonymized security data and service statistics are stored without a set end date as long as the data is useful for the purpose it was collected for. As an exception, and to protect the confidentiality and privacy of the corporate customer's file contents, the service automation deletes any contents that are not found to be suspicious near-instantaneously after analysis.

The other data types (i.e. technical support data, contact information) mentioned above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

Learn more

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

Learn more

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

 

Consulting Services (PCI)

Withsecure consulting services privacy policy (payment card industry)

September 2019

In brief

This privacy policy sets out the data processing related to WithSecure consulting services regarding Payment Card Industries (hereon PCI) criteria. These services include Data Security Standard (hereon DSS) and 3 Domain Security (hereon 3DS) assessments. The core privacy aspects of these service are:

  • PCI DSS and 3DS security standards require the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years;
  • This evidence data is collected from the organization being assessed (the customer), and might include personally identifiable information;
  • Evidence data of the assessment is stored for the needs of the PCI Security Standard Council quality assurance program and is used to verify
  • WithSecure's judgement of the performed assessment, if requested by the council;
  • Evidence data is not shared with any other parties except PCI Security
  • Standard Council or their appointed auditors.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What do we collect and what do we do with it?

Collected evidence from the organization being assessed

During the PCI DSS or 3DS assessment, we collect evidence from the assessed organization's information systems and related devices. We also conduct documented interviews with customer organization personnel. This data is used to showcase that the organization being assessed has built its security controls to match the requirements of PCI DSS and/or 3DS, and that they are capable of performing security management processes and procedures as is required of them:

  • Screen captures of management systems;
  • Security log exports;
  • Configuration exports from the security infrastructure devices; and
  • Internal documentation of the customer organization.

Certain PCI DSS/3DS security controls require personally identifiable evidence items to be collected (for example to ensure fulfillment of audit trail requirements), others might include unintentional personally identifiable information (such as identifiable names in device configuration exports).

  • Third-party service providers' employee data; In case the organization being assessed uses third-party services to support, develop, or maintain parts (or all) of their PCI DSS/3DS-related information systems or related processes, evidence collection might include collecting personally identifiable information of third-party personnel.

Legal grounds

The PCI DSS and 3DS security standard requires the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years. Therefore WithSecure has a legitimate interest in collecting the evidence data, as it is necessary in order for WithSecure to provide customers with PCI DSS/3DS-related services.

For collected evidence data that WithSecure receives during the PCI DSS/3DS assessments and stores as defined in this privacy policy, WithSecure acts as a controller of the data.

During assessments, only the necessary amount of personal data is collected in order to fulfill the assessment requirements set by the PCI Security Standards Council.

Disclosures

Evidence data is stored for the needs of the PCI Security Standard Council quality assurance program and to possibly verify WithSecure's judgement of the performed assessment.

Evidence data is not shared with any external parties, except upon written request to PCI Security Standard Council or their appointed forensics investigators.

WithSecure further employs its own affiliates and subcontractors so that we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

The PCI DSS and 3DS security standard requires the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years. WithSecure securely destroys the evidence data after this defined retention period has exceeded.

Learn more

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

PCI DSS/3DS assessment-related evidence data is stored in a secure document management system, managed by WithSecure and protected by access controls, firewalls, and other protective measures.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

 

Business Suite

WithSecure Business Suite privacy policy

August 2018

In brief

WithSecure Business Suite is an information security product suite for both workstations and servers, which are controlled via a management portal. The core privacy aspects of this service are:

  • the focus of data collection is on catching malicious activity on the protected devices;
  • the collected security data is anonymous to WithSecure by design;
  • your employer's IT administrator has access to the data collected in identifiable format.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

Covered services

The individual services of Business Suite are Client Security and Client Security for Mac, which protect the employee computers; Email Server Security and Server Security, which protect corporate servers (including Windows, Exchange, and SharePoint servers); Linux Security, which protects Linux desktops and servers; Internet Gatekeeper, which scans the traffic passing through corporate gateways; Scanning and Reputation Server, which scans uploaded files and aims to optimize performance inside virtual environments.

Your employer's environment may have all or only some of the individual services. The data collection and processing schemes for the mentioned individual services are similar to each other.

All of the above individual services can be managed by Policy Manager, which is a centralized management tool for the customer company's IT administrator. Policy Manager is on-premise server software.

What data is collected and what it is used for

The security data that is sent automatically by individual Services to WithSecure is handled by WithSecure’s ’Security Cloud’ component or its subset. An individual service sends queries to Security Cloud on potentially malicious activity on your devices and data traffic passing through them. WithSecure does not connect these queries to the identity of the user. However, your employer’s IT administrator is likely able to link your identity with the results provided by Security Cloud, as they need to be able to react to security issues detected by the service.

WithSecure has no visibility into the individual employee data that a customer company's IT administrator processes via Policy Manager for the purpose of managing the services on company-owned devices. WithSecure's service-use-based data collection is limited to statistical data for service management and invoicing purposes from Policy Manager, from which an individual person cannot be identified.

If the services do not work as intended, your employer may utilize WithSecure's expertise to resolve issues. In such cases, you are typically asked to run an WithSecure support tool on the device – whether a personal computer or a server – where the individual service is installed and to deliver the information to WithSecure. The separate WithSecure support tool privacy policy explains the processes for data collection and handling in such cases.

WithSecure's processing of the personal data of relevant customer company contact persons is explained in the corporate business privacy policy.

Legal grounds

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;

  • providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the services is mandatory for the efficient protection of the device/network. While the individual service's settings may enable an IT administrator or employee to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.

Transfers and disclosures

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Anonymized security data and statistical data are stored without a set end date as long as the data is useful for the purpose it was collected for. The other data types described above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

Learn more

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Analytics

As of the date of this policy, individual services within Business Suite do not collect additional analytics data. Data collection is limited to that strictly required to provide the Service.

Policy Manager reports statistical analytics on its usage (for example, used features) to WithSecure. The statistical analytics relate to the general usage of the service, not to any individual.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

 

Freedome for Business

WithSecure Freedome for business privacy policy

May 2021

In brief

Freedome for Business combines VPN surfing with mobile device management, which are both controlled via the management portal. To achieve this:

  • the service encrypts your data traffic from third parties;
  • the focus of data collection is on your device and our service, not you as an individual;
  • much of the collected data is available for your employer's IT administrator, so they can better manage company devices and applications;
  • we collect anonymous security data to protect your device;

The purpose of the service is to secure and manage your device and its connections. The service is not built to monitor employees. The service does not enable WithSecure or your company's IT administrator to follow your movements, view your photos, or see who you call or communicate with, nor are we able to track the sites that you visit through the service.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

Your private communications

Our guiding principle is that we do not seek to spy on the exact content of your private communications. We only analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact, this means that:

  • we need to process some metadata (such as the traffic volume and IP addresses) of your traffic when providing the service to you. To safeguard your privacy, the target IP, port or URL of traffic relayed through the VPN are not stored in a way that they could be later connected to you;
  • we analyze the traffic for suspicious or malicious files and destinations (i.e. URLs); and
  • we automatically screen the traffic to inhibit usage that is against our acceptable use policy.

User data

User data in the management portal

The service collects the following data about you, your device, and use of the service, and makes it available through the management portal:

  • User’s name, email, and phone number. This data is linked to your “device ID” that acts as an identifier of the user data in the system.
  • The service version number, device identifiers (e.g. IMEI, model, etc.), subscription key, installation and update date and time, operating system and version, feature status.
  • In addition to the above, the service collects: your mobile device model, as well as the potential jailbreak or root status, service statistics per device such as the virtual location, the aggregate amount of traffic in the VPN tunnel, the amount of traffic scanned, the harmful sites, the number of blocked tracking attempts and blocked website counters.

The collected data varies according to what devices and services you use.

We use this data to operate the services, to manage them (including identifying authorized users and managing licenses), to measure performance, and to further develop, enhance, and improve the service. The data can be used to provide support and problem resolution services.

This data is visible to your company’s IT administrator and is also available to WithSecure and through the portal. If the company’s IT administration has been outsourced, the data is also available to the outsourcing partner (WithSecure’s “distributor partner”), so that they can provide your company with support and like IT services.

User data in WithSecure systems

In addition to data that is made available in the portal, WithSecure also collects the following data via the service:

  • your device ID, so we can send push notifications to the devices and to combine different types of user data;
  • your device’s language, so the service language is consistent with the device language; and
  • we may also collect the battery level, internal memory and SD card memory sizes, and a list of installed applications (to check that the service is installed correctly) for management feature development purposes.

Some jurisdictions require that we collect user devices’ public and private IP addresses as well as the start and end time for the VPN tunnel. If we receive a legally valid request, this data can be used to reveal which origin IP was used to connect to a target IP at a given time. It does not compromise the invisibility of your browsing traffic via the service towards WithSecure or your IT administrator, as we do not connect the IP address to you. We do not sell or disclose your VPN data to any third parties unless we are required under law.

Analytics

For us to learn when and how you use our service, to enhance it, and to learn how customers find out about the service, the service collects data on installation success, installation and activation paths, performance, operation environment, connections, used features, etc. We do this so that we can create services that are of value to you and our other customers.

This section outlines our general practices for the collection and processing of data for analytics purposes.

When speaking about WithSecure data analytics, it comprises both reused service data, reused security data, and the data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to which a specific data set refers to. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.

Elements Endpoint Protection privacy policy

The usage of Security Cloud, the roles in which different parties process your personal data, data retention rules, and the legal grounds on which personal data is being processed are described in the WithSecure Elements Endpoint Protection privacy policy.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

 

Riddler

WithSecure Riddler privacy policy

April 2018

In brief

WithSecure Riddler is a service for searching and discovering the web's topology. To achieve this:

  • We crawl publicly available websites to map the topology of the web on a technical level.
  • We provide a search interface into the web's topology.
  • We provide the option of registering for a user account so that you can search even more, store your favorite search queries for your convenience, and, should you so wish, get news from us.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What data is collected and what it is used for

We provide you the option of registering for a user account. When registering, we ask you for your email address, password, first name, and last name. We also store the last IP address that you have logged in from. You may also provide us with your organization's name and website. We use this information to authenticate and manage your use of the service and to provide help and support to you. We may also use this information to send you news and offers, but only if you have opted to give us permission to do so.

This data can be updated or amended at any time by the logged-in user via the service.

While using the service, should you search for host names or IP addresses that the service has never encountered before, those host names or IP addresses may be added to our web crawler's queue for later crawling.

To help us improve the service, we generate statistics about the usage of the service by storing some data about all searches performed through the service. Specifically, we store the search query, the time and date of the search, and the IP address from which the search was performed. This data is not used for linking searches to personally identifiable individuals.

Since the service is intended to enable search and discovery of the web's topology, we also store data about websites and the servers hosting them. We collect this data by crawling publicly available websites. We only store technical data about the web's topology. We do not store the contents of any websites and we do not collect or store any data from the web about people, only about infrastructure.

Legal grounds

We process your data so that we can provide you with this service in accordance to its terms, which you have contractually agreed to. Tendering of services may take the form of a purchase or be free of charge.

WithSecure needs to identify its portal users and monitor such users' portal usage as set out above to make sure that only authorized users are able to utilize the service and that services are only used for their lawful purposes. To this effect, you are responsible for providing accurate and truthful access credentials to be able to use the service.

The data collected by the service in the form of "search results" is processed so that we can continue improving the service for your and other customers' benefit. The search results themselves do not, by default, contain personally identifiable data.

Disclosures

WithSecure employs affiliates and subcontractors for delivering the service.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

All data associated with a user account is stored for the duration of the user account's existence and is deleted when the account is deleted. In addition to the above; the user search results remain stored in an identifiable format for one year from the date of the search and are thereafter deleted automatically.

Learn more

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Analytics

The service collects analytical data on service and website use (such as which features are used and how often). We do not seek to identify you personally from the analytics data. We are interested in the needs and behavior of our users as a part of the group, not in the names of those users.

This section outlines our general practices for the collection and processing of data for analytics purposes.

When speaking about WithSecure data analytics, it comprises both reused service data, reused security data, and the data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to which a specific data set refers to. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.

ThreatShield

WithSecure Threatshield privacy policy

In brief

WithSecure ThreatShield is a gateway-level security solution for protecting email and web traffic. It is designed specifically to protect against spam, ransomware, phishing, and advanced targeted attacks.

The core privacy aspects of this product are:

  • the focus of data collection is on catching malicious activity against protected devices or services;
  • the collected security data is anonymous to WithSecure by design;
  • WithSecure corporate customers’ IT administrators may have access to some of the security data in identifiable format.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What data is collected and what it is used for

The data processing that takes place in connection with the service can be categorized into four different sets (security, analytics, technical support, contact):

Security

The service sends queries on potential malicious activity, malicious software, or unwanted applications on protected devices, data traffic, and networks to WithSecure Security Cloud. WithSecure Security Cloud is a cloud-based system for cyber threat analysis that is operated by WithSecure. With the Security Cloud, WithSecure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. These queries — such as URLs, file identifiers, and application metadata — cannot be connected to an identifiable user by WithSecure. To protect your privacy, WithSecure separates the above security data from other data collected on your use of the service, anonymizes it, and destroys it when it is no longer needed for the purpose.

The service also collects access and detection logs as a part of web and email traffic scanning and for the purposes of providing Web Content Control.

Of the data collected by the scanning activity, the results are made available to our corporate customers’ IT administrators via logs, dashboards, and reports. The results contain inter alia the following ’privacy-relevant’ data types;

  • quarantined email messages
  • timestamps of arriving/departing emails and access to web resources
  • IP address of the device of origin for the traffic (typically the employee’s device)
  • target URLs
  • content type and messaging metadata
  • category (e.g. gambling)
  • other similar data

Corporate customers can adjust their visibility to the collected traffic logs (e.g. potentially suspicious traffic as well as detection and access logs of varying granularity).

The customer company’s IT administrator is likely able to link your identity with the above results provided by the service. This is necessary so that administrators can react to security issues detected by the product, for example. WithSecure does not have access to this data in a format that could be personally identifiable.

Analytics

WithSecure’s service-use-based data collection is limited to statistical data for product management and licensing purposes, from which an individual person cannot be identified.

The service produces statistical reports for the customer company based on web and email access/detection information. Reports and raw data are not sent and are not visible to WithSecure, but the customer company’s IT administrator can have access to the data.

Technical support

If the product does not work as intended, our corporate customers may utilize WithSecure’s expertise to resolve issues. In such cases, you are typically asked to run an WithSecure support tool where the product is installed and to deliver the information to WithSecure. The separate WithSecure support tool privacy policy explains the processes for data collection and handling in such cases.

Contact

The contact data of the customer company’s contact persons is processed as explained in the corporate business privacy policy.

Legal grounds

Both WithSecure and each of our customer companies operate as independent controllers over their respective areas of data processing that takes place in the context of the services.

To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;

  • providing WithSecure services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;
  • enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing undertaken by the service is mandatory for the efficient protection of the customer companies’ devices/networks. While the individual product’s settings may enable an IT administrator to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the product.

Customer companies that make use of the services independently establish their legal grounds for the processing of personal data for their purposes.

Transfers and disclosures

The data presented in the service portal is visible to your company’s IT administrator, whether internal or external. If the company’s IT is managed by a third party, this data is also available to them (WithSecure’s "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or — in the case of our corporate services — with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

WithSecure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. The locations of WithSecure affiliates can be viewed from WithSecure’s public web pages

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within WithSecure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data controlled by customer companies

Quarantined email messages are stored depending on the amount of available space in storage utilized by the customer company. The customer company’s IT administrator can delete and release quarantined messages, adjust available storage space, or set other applicable deletion rules. Access and detection logs are reliant on the rules of the underlying operating system’s (i.e. Linux) log rotation functionality. It can also be configured by the company’s IT administrator.

Data controlled by WithSecure

Anonymized security data and statistical data are stored on WithSecure servers without a set end date as long as the data continues to be useful for the purpose it was collected for.

The other data types (i.e. technical support data, contact information) mentioned above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an WithSecure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an WithSecure Community account or ii) you continue to subscribe to our marketing messages. The WithSecure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, WithSecure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via our consumer support channels.
  • If you are a client of our corporate line of products, please contact us via corporate support channels.
  • You can contact WithSecure’s Data Protection Officer by sending a message to privacy@WithSecure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

General

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.