Solution-specific privacy policies
WithSecure general privacy policy
January 2023
This privacy policy is effective as of January 1, 2023. Please note that this privacy policy will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.
In brief
- Our core interest is keeping our customers safe with our services.
- To do that, we need to process data on you and on your devices.
- We have a culture of respecting your privacy.
The personal data, as described in this policy, is primarily collected because WithSecure is in, or is seeking to enter into, a commercial relationship with the entities you are employed by.
The collected information and its use vary based on whether we have a pre-existing, commercial relationship between WithSecure and your employer (see relevant sections for CUSTOMERS AND PARTNERS) or we have no prior engagement with your employer (see relevant sections about our MARKETING activities).
Our guiding privacy principles are here.
Our product and solution-specific privacy policies (for services such as Business Suite and WithSecure™ Elements products) are here.
Structure
This privacy policy is given by WithSecure Corporation, a Finnish publicly listed corporation with Business ID 0705579-2 (“WithSecure”, “we”, “our”, “us”). All our subsidiaries also apply this policy.
The data controller for this policy is WithSecure Corporation, or its subsidiary, as applicable. Our contact information can be found at the end of this policy.
Our data collection can be grouped as follows:
- Marketing data; the data that we need to collect for marketing purposes.
- Client relationship data; the data that we need to manage our relationship with our clients and to market and sell our services to you or to the legal entity that you represent.
- Service data; the data that we automatically process to provide you with the services that you have requested. This also includes the data that you actively submit to us when subscribing to our services.
- Security data; the data that we need to collect to keep you secure.
- Analytics data; additional anonymous or pseudonymous data that we collect to learn when and how our services are found and used.
This privacy policy describes WithSecure’s common practices for processing all of our customers’ personal data. It also complements the solution-specific privacy policies as well as our license terms and other, shorter notices on case-specific data collection (e.g. support tools). Depending on what WithSecure services you use and how much you interact with us, some sections of this policy may not apply to you or may apply to you only in part.
If there is no specific policy for a specific interaction, this privacy policy shall apply as such.
Where we process your personal data as a data processor, such processing is not covered by this privacy policy. In such cases we have a contractual arrangement with your employer that governs the processing of your personal data and if you have any questions or concerns, or you wish to exercise your data subject rights, please contact your employer.
Definitions
This is what we mean when we make certain references within this policy.
“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.
“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.
“Services”, “solutions” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.
“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.
What do we collect?
The service and interaction-specific policies set out the personal data collected per service type and interaction.
Marketing
What kind of data we collect on you
From persons visiting our website, we acquire data on the device used, your IP address, the route by which you arrived at our website, and your activities therein, as well as any information you have submitted to us through forms. For more detailed information, see our website privacy policy.
If you provide us your data via forms – online or offline – we ask you the following information: names of the person and company, email address, country, industry, size of company, telephone number, and area or service of interest.
We may also collect your information via our discussion boards or other social media hosted by WithSecure, competitions, promotion, surveys, webinars, and other such events or points of interaction.
In addition, we may collect your data from other marketing events where we either sponsor or co-host such event with our partners.
If you have been identified as a decision maker or influencer by a third party, or listed as such in public sources, we typically obtain the following information on you and the organization that you represent: company name, title, name, function, language, email, zip code, city and state, country, phone number, industry, turnover, and size of company.
We may aggregate such data with general data on your organization.
Customers and partners
What kind of data we collect on you
Regarding individuals, with whose employers we are in a commercial relationship, we process the following personal data on you: your name, your position / role / title, your email address and phone number, which legal entity that has purchased the license or service, such entity’s street / mailing address, country, your language and messaging preferences, available LinkedIn information, relevant access credentials to and logs in our systems.
WithSecure collects this data:
- Via marketing activities (more information under Marketing),
- Via our website, our discussion boards or other social media hosted by WithSecure,
- Via competitions, promotion, surveys, webinars, and other such events or points of interaction,
- Through sales, support, and account management activities, and
- Through partner sales and customer management activities (e.g. a partner orders a license to an end customer or changes an end customer’s information).
Other specific ways we collect and use your personal data
We collect information on harmful and suspected URLs and files that you submit to us via our Submit a Sample page on our Website. We use such information for threat research purposes. If you have submitted a sample that contains personal data, we will handle such data in accordance with our privacy principles this general privacy policy and/or the applicable service-specific privacy policy, as applicable.
What do we do with it?
The interaction and service-specific privacy policies and notices set out the specific purposes for using the personal data collected by each service or processed in such activity.
Marketing data
For what purposes do we use it
We collect and process the data so that we can, based on your position in your organization, send you information relating to the services, conduct customer surveys, arrange competitions, advertise and market our services (both personalized and in aggregate), and share information and know-how about cyber security and on our services. We also make use of the collected data in market research, product and service development, and business offering development.
Should you or the organization that you represent become our customer, we combine data collected at this pre-sales phase for you when your organization becomes our customer. In such cases, we use it in accordance to the same practices that we employ with the representatives of our corporate customers and partners.
Customers and Partners
For what purposes do we use it
We collect and process the data so that we can:
- manage our customer relationships,
- provide you with information, products and services that you request from us,
- run joint planning sessions,
- analyze the data for business development purposes,
- deliver license certificates,
- undertake all steps of order fulfillment and payment processes,
- perform personalized marketing activities,
- communicate in relation to both the initial sales of our services as well as license and service renewals, our other offerings and other relevant information,
- collect your feedback and identify authorized users for selected systems and administer user accounts, and
- provide help and support for the services.
As you may approach us or submit information to us via multiple channels – such as our resellers, events, or website – we combine such information to make our communications relevant to your needs.
In addition to the abovementioned purposes, the following general purposes of personal data use apply across all of our services:
- Provisioning of services. To deliver our services to you, we process the data for the following purposes:
- Customer journey. To identify authorized users, process and track transactions, administer user accounts, as well as for shipping, invoicing, and managing licenses.
- Deliver, fix, and enhance. Delivering, maintaining, and developing our services and websites, and to provide help and support for the services.
- Analyze. To track that our services are taken into use and how they are used so that we can improve the services, manage your customer relationship, and approach you with relevant messages.
- Communicate. To send you information relating to the services, conduct customer surveys, and market our services to you. The actual communication may be handled either by WithSecure or by our partners.
- Regulatory. To prevent fraudulent, illegal, or infringing activities and to comply with legal or regulatory requirements.
Legal grounds
This section gives you a more comprehensive explanation of the legal grounds based on which we process personal data. This complements the exact service-specific legal grounds on which our personal data processing relies for the respective activity.
Marketing
We collect data on individuals in influential, decision-making positions in companies that would benefit from our services. We consider such activity to be in the legitimate interests of both WithSecure as a vendor and your employer as a buyer.
Where legitimate interest is not suitable or applicable to a type of data processing, we will seek your consent. For example; consent is the legal grounds for data that we collect on your browsing of our websites. Where we base our processing on consent, you may withdraw your consent at any time.
Web analytics data
To keep our interaction focused on the services that you are primarily interested in, some of the data that we collect may be based on your activity on our corporate web pages. This occurs in the event that you have consented to having such traffic linked to you, for example by filling in any of our web forms. We do not record your web traffic outside WithSecure websites. The more activity and interest you show in our solutions, the more likely it is that we will approach you. This is elaborated in our cookie banners and in our website privacy policy.
If you do not wish us to have your email address for this purpose, you may freely request that we remove it from our records. The impact on you is that the messaging that you may receive from us may be less relevant for you and your employer.
We do not disclose such profile information to external parties. We may share general data on your interest with our reseller to better serve your needs (e.g. to enable you to purchase via our local reseller), but only in the event that we have actually started sales negotiations.
Customers and Partners
WithSecure has a legitimate interest to process personal data of the employees of its customers and partners to enable and facilitate provisioning its commercial services to its corporate customers and partners, including undertaking relevant sales and marketing activities as enabled by applicable laws on different forms of marketing-related communications.
Where processing is required for an activity, it is necessary that we are able to process the required data. This is the case e.g. when we need to effectively communicate with the representatives of our partners and customers, deliver and invoice the agreed services, respond to an enquiry or support request, or enable your participation in our corporate customer beta program.
Where legitimate interest is not suitable or applicable to a type of data processing, we will seek your consent. For example; consent is the legal grounds for data that we collect on your browsing of our websites. Where we base our processing on consent, you may withdraw your consent at any time.
Client relationship data
By using our services, you are our client. To interact with you and to provide our services to our clients, we must process some data on you. Such processing typically occurs when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, submit information through our web solutions, enter a contest or sweepstakes, register your email address with us, or send us email.
Since we need the data to pursue the above legitimate activities, we have a right to process relevant personal data. This right typically takes place in the form of “contract performance”, “legitimate interest”, or “consent”.
Service data and security data
We need to automatically collect and process relevant data for our services to work, to enhance them, and to provide them to you. The data is processed to:
- provide WithSecure™ services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;
- enable WithSecure™ to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
- enable WithSecure™ to provide a centralized security service framework across multiple continents to a large number of customers and partners.
The data processing by the services is mandatory for the efficient protection of the device/network and a prerequisite for WithSecure™’s capability to provide its contracted services. As such processing is inseparable from the services that we provide to you, this gives us a valid need to process your data and a justification to do so.
For our solutions, this right takes place in the form of “legitimate interest”. In some cases, processing may take place in the form of “contract performance” and we may also have a “legal obligation” to process data for specified purposes.
Solution Analytics data
We also reuse the above service data and security data for data analytics purposes, based on the legal grounds established above. Data analytics are an integral part of our service delivery, as nearly all WithSecure services are dependent on our infrastructure to properly operate. Our data analytics enables us to direct that infrastructure to support your use of the services.
Where our services collect data that is only needed for the purpose of gaining more insight on how people use the services or how to serve you better, but is not necessary for providing our services, we do so only with your separate consent. You also have the right to withdraw your consent later, should you wish to do so. The legal grounds for data that is solely collected for analytics purposes is thus “consent”.
Secondary uses
In addition to the above primary legal grounds for data collection, we may also need to use and/or continue to store data i) to meet a “legal obligation” to process data for specified purposes, or ii) under the grounds of “legitimate interest”. For an example list of situations where we may resort to such justifications, see the “Other disclosures” section.
General
We consider you a client of WithSecure™, not a client of the individual service. Hence, data collected by different services (e.g. Business Suite) and interactions (e.g. contacting support) are combined to your WithSecure™ account. However, we do not aggregate data against our specific privacy promises (for example, we maintain a hands-off approach to your traffic inside our VPN service).
Transfers and disclosures
We do much ourselves, but also have partners to help us provide our services. This also means that we need to exchange data with our partners. When doing so, we take great care in sharing only the necessary personal data.
The most impactful data exchanges with our sales partners and corporate customers are set out primarily in the service-specific privacy policy. The below details expand on this information and also list other data disclosures and data transfers that take place for all — or nearly all — WithSecure personal data processing activities.
Marketing
Personal data is primarily processed by WithSecure™'s local company that you are interacting with the most. In addition to local processing, the most common reason for exchange of information between different WithSecure™ offices is to enable us to efficiently serve you and manage our relationship. See the list of our local country offices here.
Personal data can also be made available to WithSecure™'s partners when - and to the extent that - disclosure of data is necessary for the relevant purposes of processing data (listed above). For example, if you are interested in purchasing our services, we provide such information to our reseller partner in the area.
Advertisers and advertising networks that require the data to select and serve relevant advertisements to you and others are listed on our website privacy policy.
Sales and delivery
We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.
Our distribution partners are likely to have a pre-existing customer relationship with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.
Subcontracting
We may transfer or disclose some of your personal data to WithSecure group companies and our subcontractors who help us create the services.
Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.
Third parties
Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services.
We also work closely with third parties (including, for example, business partners, subcontractors in technical, payment, and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them. These vendors have collected this information from private or public sources or directly from you.
This privacy document only applies to personal data as long as that data is within WithSecure™’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified and lawful manner in accordance with their policies as well as for fulfilling your rights under data protection laws. The most prevalent such scenarios are the following:
- Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under WithSecure policies, our webstore providers’ policies apply to the actual purchase and related activities.
- Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, WithSecure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.
International transfers
WithSecure™ operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area (EEA) to ensure the global reach and availability of our services. Depending on the scope of your interactions with WithSecure™, your personal information may be stored in or accessed from multiple countries. The locations of WithSecure™ affiliates can be viewed from WithSecure™’s web pages here.
Personal data may also be processed in other jurisdictions, including outside the EEA, by our staff who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details, and the provisioning of support services.
When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and WithSecure™ group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.
We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.
We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.
Other uses and disclosures
Information on secondary purposes for which personal data may occasionally be processed.
There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.
One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.
Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.
We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of WithSecure, where the information is provided to the new controlling entity in the regular course of business. WithSecure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.
We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.
Sources
While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as resellers and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.
We do this to create a seamless customer experience and to have the necessary information for solving support cases.
Typical examples of third-party sources are:
- information on your purchase made in our external webstore,
- we acquire your credentials from previous sign-in data from our reseller partner, so that we can provide our service to you directly,
- we acquire your contact data from corporate decision-maker registries for marketing purposes, and
- when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.
Retention
Marketing
On a monthly basis, we purge our direct marketing records from all contacts who have not reacted to our messaging or visited our web pages during the last 24 months and who are not affiliated with any of our customers or partners.
If you become our customer or partner, the data is retained for the duration of your organization's relation. User data in our corporate customer registry is stored for the duration of the license/subscription/engagement and up to five years after the last engagement or subscription with the customer or partner has expired.
Solution, security and statistical data
Anonymized security data and statistical data are stored without a set end date as long as the data is useful for the purpose it was collected for. The other data types described above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.
More information, exceptions, and additions
This text complements the abovementioned retention times as well as the retention times set out in the service-specific privacy policies. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.
However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.
Typical reasons why we deviate from the primary retention times include the following examples:
- grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of service provisioning, so that we can safeguard the data against erroneous deletion);
- applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
- to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
- to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
- to prevent fraudulent activity (e.g. to enforce our rights);
- your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
- other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.
The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This may be the case when you i) have a WithSecure™ Community account or ii) you continue to subscribe to our marketing messages. The WithSecure™ Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.
If you have purchased our service via one of our partners, account deletion is controlled by said partner. Upon the partner notifying us that your subscription or agreement has been terminated, WithSecure™ subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.
If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.
Analytics data collected with the user's consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.
Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.
Security
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.
Your rights
You have the right to the data that we have on you.
In particular, you have the following rights to the personal data that we hold on you:
- Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
- Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
- Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
- Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
- Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
- Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.
You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.
Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.
If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).
Analytics
This section outlines our general practices for the collection and processing of data for analytics purposes.
When speaking about WithSecure data analytics, it comprises both reused service data, reused security data, and the data that is collected for analytics purposes to begin with.
We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.
What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.
On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.
The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.
Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.
If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.
If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.
Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.
Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.
Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.
We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.
When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to which a specific data set refers to. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.
We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.
Changes
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.
We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.
Contact information
If you have any questions or concerns about the matters discussed in our privacy policies, please contact:
WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland
How to contact us:
- Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
- In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email does not monitor data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.
WithSecure™ Cloud Protection for Salesforce privacy policy
January 2023
In brief
WithSecure™ Cloud Protection for Salesforce is a cloud-based security solution that is designed to complement and extend the native security capabilities of the Salesforce platforms. The service protects organizations against threats posed by files and web links (URLs) uploaded to or shared via the Salesforce cloud.
The core privacy aspects of this service are:
- the focus of data collection is on the customer company's Salesforce organization, not on individuals;
- much of the processed and collected data remains in the customer company's Salesforce organization;
- when data is sent to WithSecure Security Cloud, it is anonymous to WithSecure by design;
- the customer company's Salesforce or IT administrator has access to the data collected in identifiable format.
In full
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular:
- the type of personal and private data that the service collects,
- what we use it for,
- our justification,
- typical disclosures, and
- for how long we store it.
More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links to our General privacy policy.
What data is collected and what it is used for
Security
The solution is composed of a native Salesforce application and WithSecure's Security Cloud.
The WithSecure Cloud Protection application is installed in the customer company's Salesforce organization. The application inspects all files uploaded and stored as Salesforce Files or Attachments with standard or custom objects in the Salesforce platform. For advanced malware analysis, the WithSecure Cloud Protection application may send the actual content of files of unknown reputation to WithSecure's Security Cloud. Such contents are scanned in WithSecure's Security Cloud and deleted near-instantaneously after the analysis. See the ‘Retention' section for more information. It is possible to disable sending the actual content of files via the privacy control settings available in the application's configuration.
Web links (URLs) are inspected only in a few standard objects such as Chatter messages, Chatter comments, Case descriptions, Case comments, and EmailMessage bodies. To check the security reputation and classification of web links, the WithSecure Cloud Protection application sends them to WithSecure's Security Cloud. The application does not send actual message or body texts that contain web links.
WithSecure's Security Cloud is a cloud-based threat analysis and reputation system that scans data for any malicious or harmful content. Data sent to Security Cloud is always anonymized and cannot be connected to an individual user in any way.
Of the data collected by the scanning activity, the results are made available to the customer company's Salesforce or IT administrators via alerts and scan event logs. The results may include but not limited to:
- User name (given and surname)
- IP address of the network or device of origin for content uploaded to or downloaded from Salesforce
- Timestamp when content was accessed (uploaded or downloaded)
- Name, type, and size of file accessed (uploaded or downloaded)
- Location (name of standard or custom object) that a file is associated with or attached to
- Target web links (URLs) and their categories (e.g. gambling)
The customer company's Salesforce or IT administrator is likely able to link an employee's identity with the above results provided by the service. This is necessary so that administrators can react to security issues detected by the service, for example. WithSecure does not have access to this data in a format that could be personally identifiable.
Technical support
If the service does not work as intended and there are no workarounds for the problem, the customer company's Salesforce or IT administrator may utilize WithSecure's expertise to investigate and resolve issues. In such rare cases, WithSecure's support engineers may log in and access data in the customer company's Salesforce organization remotely via the support tool provided by Salesforce. The remote login access is explicitly granted by the customer company's Salesforce administrator and is always time-limited.
When investigating problems with the WithSecure service via remote login access, no data except debug logs relevant to the WithSecure service are collected from the customer company's Salesforce organization. WithSecure is the controller for such data.
Contact
The contact data of the customer company's contact persons is processed as explained in the General privacy policy.
Legal grounds
Both WithSecure and each customer company operate as independent controllers over their respective areas of data processing that takes place in the context of the services.
To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;
- providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
- enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
- enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.
The data processing undertaken by the service is mandatory for the efficient protection of customer company data in its Salesforce organization. While the individual service's settings may enable an Salesforce/IT administrator to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.
Transfers and disclosures
The security data produced by the service is visible to the customer company's Salesforce and/or IT administrator for its determined purposes. If the company has outsourced its Salesforce/IT administration, including the monitoring of this service, that data may also be available to such outsourcing partner.
WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.
More information on transfers and disclosures is available in our General privacy policy.
Retention
Data controlled by the customer
Results of scanning activity, such as alerts as well as file and URL scanning events, are stored inside the customer company's Salesforce organization depending on the retention intervals configured in the WithSecure Cloud Protection application. The customer company's Salesforce or IT administrators can delete them at any time and make backups if/as needed.
Data controlled by WithSecure
Anonymized security data and service statistics are stored without a set end date as long as the data is useful for the purpose it was collected for. As an exception, and to protect the confidentiality and privacy of the corporate customer's file contents, the service automation deletes any contents that are not found to be suspicious near-instantaneously after analysis.
The other data types (i.e. technical support data, contact information) mentioned above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.
Please read our General privacy policy for possible exceptions or typical reasons why we may need to deviate from the primary retention rules set out above.
Security
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.
Your rights
Please read our General privacy policy for information on your statutory rights and how to contact us.
General
Please note that this privacy policy will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time.
More information on definitions and change management is available in our General privacy policy.
WithSecure Consulting Services privacy policy (payment card industry)
January 2023
In brief
This privacy policy sets out the data processing related to WithSecure consulting services regarding Payment Card Industries (hereon PCI) criteria. These services include Data Security Standard (hereon DSS) and 3 Domain Security (hereon 3DS) assessments. The core privacy aspects of these service are:
- PCI DSS and 3DS security standards require the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years;
- This evidence data is collected from the organization being assessed (the customer), and might include personally identifiable information;
- Evidence data of the assessment is stored for the needs of the PCI Security Standard Council quality assurance program and is used to verify
- WithSecure's judgement of the performed assessment, if requested by the council;
- Evidence data is not shared with any other parties except PCI Security
- Standard Council or their appointed auditors.
In full
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular:
- the type of personal and private data that the service collects,
- what we use it for,
- our justification,
- typical disclosures, and
- for how long we store it.
More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links to our General privacy policy.
What do we collect and what do we do with it?
Collected evidence from the organization being assessed
During the PCI DSS or 3DS assessment, we collect evidence from the assessed organization's information systems and related devices. We also conduct documented interviews with customer organization personnel. This data is used to showcase that the organization being assessed has built its security controls to match the requirements of PCI DSS and/or 3DS, and that they are capable of performing security management processes and procedures as is required of them:
- Screen captures of management systems;
- Security log exports;
- Configuration exports from the security infrastructure devices; and
- Internal documentation of the customer organization.
Certain PCI DSS/3DS security controls require personally identifiable evidence items to be collected (for example to ensure fulfillment of audit trail requirements), others might include unintentional personally identifiable information (such as identifiable names in device configuration exports).
- Third-party service providers' employee data; In case the organization being assessed uses third-party services to support, develop, or maintain parts (or all) of their PCI DSS/3DS-related information systems or related processes, evidence collection might include collecting personally identifiable information of third-party personnel.
Legal grounds
The PCI DSS and 3DS security standard requires the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years. Therefore WithSecure has a legitimate interest in collecting the evidence data, as it is necessary in order for WithSecure to provide customers with PCI DSS/3DS-related services.
For collected evidence data that WithSecure receives during the PCI DSS/3DS assessments and stores as defined in this privacy policy, WithSecure acts as a controller of the data.
During assessments, only the necessary amount of personal data is collected in order to fulfill the assessment requirements set by the PCI Security Standards Council.
Transfers and disclosures
Evidence data is stored for the needs of the PCI Security Standard Council quality assurance program and to possibly verify WithSecure's judgement of the performed assessment.
Evidence data is not shared with any external parties, except upon written request to PCI Security Standard Council or their appointed forensics investigators.
WithSecure further employs its own affiliates and subcontractors so that we can provide our services globally.
More information on transfers and disclosures is available in the General privacy policy.
Retention
The PCI DSS and 3DS security standard requires the assessing organization (WithSecure) to collect and store assessment-related evidence data for three (3) years. WithSecure securely destroys the evidence data after this defined retention period has exceeded.
Please read our General privacy policy for possible exceptions or typical reasons why we may need to deviate from the primary retention rules set out above.
Security
PCI DSS/3DS assessment-related evidence data is stored in a secure document management system, managed by WithSecure and protected by access controls, firewalls, and other protective measures.
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.
Your rights
Please read our General privacy policy for information on your statutory rights and how to contact us.
General
Please note that this privacy policy will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time.
For information on definitions and change management please read our General privacy policy.
WithSecure Business Suite privacy policy
January 2023
In brief
WithSecure Business Suite is an information security product suite for both workstations and servers, which are controlled via a management portal. The core privacy aspects of this service are:
- the focus of data collection is on catching malicious activity on the protected devices;
- the collected security data is anonymous to WithSecure by design;
- your employer's IT administrator has access to the data collected in identifiable format.
Structure
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular:
the type of personal and private data that the service collects,
- what we use it for,
- our justification,
- typical disclosures, and
- for how long we store it.
More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links to our General privacy policy.
Covered services
The individual services of Business Suite are Client Security and Client Security for Mac, which protect the employee computers; Server Security, which protect corporate servers; Linux Security, which protects Linux desktops and servers; Atlant for Virtual Environments, which scans uploaded files and aims to optimize performance inside virtual environments.
Your employer's environment may have all or only some of the individual services. The data collection and processing schemes for the mentioned individual services are similar to each other.
All of the above individual services can be managed by Policy Manager, which is a centralized management tool for the customer company's IT administrator. Policy Manager is on-premise server software.
What data is collected and what it is used for
The security data that is sent automatically by individual Services to WithSecure is handled by WithSecure’s ’Security Cloud’ component or its subset. An individual service sends queries to Security Cloud on potentially malicious activity on your devices and data traffic passing through them. WithSecure does not connect these queries to the identity of the user. However, your employer’s IT administrator is likely able to link your identity with the results provided by Security Cloud, as they need to be able to react to security issues detected by the service.
WithSecure has no visibility into the individual employee data that a customer company's IT administrator processes via Policy Manager for the purpose of managing the services on company-owned devices. WithSecure's service-use-based data collection is limited to statistical data for service management and invoicing purposes from Policy Manager, from which an individual person cannot be identified.
If the services do not work as intended, your employer may utilize WithSecure's expertise to resolve issues. In such cases, you are typically asked to run an WithSecure support tool on the device – whether a personal computer or a server – where the individual service is installed and to deliver the information to WithSecure. The separate WithSecure support tool privacy policy explains the processes for data collection and handling in such cases.
WithSecure's processing of the personal data of relevant customer company contact persons is explained in the General privacy policy.
Legal grounds
To the extent that the data processed by WithSecure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;
- providing WithSecure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
- enabling WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
- enabling WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.
The data processing undertaken by the services is mandatory for the efficient protection of the device/network. While the individual service's settings may enable an IT administrator or employee to limit the processing of security data by WithSecure, such adjustments are not recommended, as they endanger achieving the above intended purposes of the services.
Transfers and disclosures
The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (WithSecure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.
WithSecure further employs its own affiliates and subcontractors so we can provide our services globally.
More information on transfers and disclosures is available in the General privacy policy.
Sources
More information on data sources is available in the General privacy policy..
Retention
Anonymized security data and statistical data are stored without a set end date as long as the data is useful for the purpose it was collected for. The other data types described above are stored for the duration given in their respective privacy policies, after which they are deleted or anonymized.
More information on retention times is available in our General privacy policy.
Analytics
As of the date of this policy, individual services within Business Suite do not collect additional analytics data. Data collection is limited to that strictly required to provide the Service.
Policy Manager reports statistical analytics on its usage (for example, used features) to WithSecure. The statistical analytics relate to the general usage of the service, not to any individual.
Security
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.
Your rights
Please read our General privacy policy for information on your statutory rights and how to contact us.
General
Please note that this privacy policy will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time.
For information on definitions and change management please read our General privacy policy.