How Sophos stores and manages your data

Find out how Sophos looks after your data, and about our GDPR compliance

To use Sophos Cloud Optix, you need to connect to one or more cloud environments, for example an Amazon Web Services (AWS) account, a Microsoft Azure subscription, or a Google Cloud Platform project. When you connect a cloud environment, you explicitly authorize Sophos to access information via APIs and collect log data.

Data movement between Sophos Cloud Optix and cloud environments

Data is transferred from the customer's cloud environment to Sophos Cloud Optix in the following ways: 

  1. Infrastructure metadata is pulled from the environment using the cloud platform's APIs, for example the AWS SDK.
  2. Network flow logs and usage logs are pushed to Sophos Cloud Optix log collectors by a serverless function running in the customer's cloud environment, for example an AWS Lambda function.

In both cases, the data transfer uses TLS encryption.

How data is stored, protected, and managed

Infrastructure metadata includes inventory information about your cloud resources, such as instances/VMs, storage buckets and security groups, and their associated security states.

Activity logs, such as AWS CloudTrail logs, may include information about the IAM entity that accessed or made changes to the infrastructure. VPC/Network flow logs include information about which IP address is communicating with which other IP address, and the port and protocol used, for example 1.1.1.1 to 2.2.2.2 on port 80 via TCP.
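As an added illustration (not Sophos code, and not a description of how Cloud Optix itself processes logs), the following Python parses one AWS VPC flow log record in AWS's default field layout (assumed here) and reduces it to the fields the paragraph describes: source and destination IP address, port and protocol. The sample record and account id are constructed.

```python
# Added example: parse a default-format AWS VPC flow log record and summarise
# the source/destination IP, destination port and protocol it reveals.
# Field layout assumed (AWS default format, version 2):
#   version account-id interface-id srcaddr dstaddr srcport dstport
#   protocol packets bytes start end action log-status
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for the transports most commonly seen in flow logs.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

DEFAULT_FIELDS = (
    "version account-id interface-id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log-status"
).split()


@dataclass(frozen=True)
class FlowRecord:
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: str
    action: str


def parse_flow_record(line: str) -> Optional[FlowRecord]:
    """Split one record into the fields the page discusses.

    Returns None for NODATA/SKIPDATA records, whose address and port
    fields are '-' rather than values.
    """
    values = line.split()
    if len(values) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(DEFAULT_FIELDS, values))
    if rec["log-status"] != "OK":
        return None
    proto_num = int(rec["protocol"])
    return FlowRecord(
        src_addr=rec["srcaddr"],
        dst_addr=rec["dstaddr"],
        src_port=int(rec["srcport"]),
        dst_port=int(rec["dstport"]),
        protocol=PROTOCOL_NAMES.get(proto_num, f"proto-{proto_num}"),
        action=rec["action"],
    )


def summarise(rec: FlowRecord) -> str:
    """Render the record the way the page phrases it: 'A to B on port N via PROTO'."""
    return f"{rec.src_addr} to {rec.dst_addr} on port {rec.dst_port} via {rec.protocol}"


# Constructed sample record (placeholder account id and interface id, the
# page's example addresses, TCP (6) to port 80, accepted).
SAMPLE_LINE = ("2 123456789012 eni-0a1b2c3d 1.1.1.1 2.2.2.2 49152 80 6 "
               "10 840 1600000000 1600000060 ACCEPT OK")

if __name__ == "__main__":
    print(summarise(parse_flow_record(SAMPLE_LINE)))
```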

All infrastructure metadata and log information collected by the service is stored using industry-standard AES 256 encryption.

You can remove a cloud environment from your Sophos Cloud Optix account at any time. All associated infrastructure metadata and log information is deleted automatically.

Sophos Cloud Optix also offers optional third-party integrations, for example Slack, Jira, ServiceNow, PagerDuty, and Splunk. Credentials you provide to use these integrations are stored using AES 256 encryption.

Sophos Cloud Optix and GDPR

To the extent that the General Data Protection Regulation (GDPR), or any portion of it, applies to a customer's use of the Sophos Cloud Optix service, Sophos represents that it complies with GDPR in the Sophos Services Agreement, which governs the use of Sophos Cloud Optix.

Section 10.2 of the Sophos Services Agreement states: "Each party agrees to comply with all laws applicable to the actions and obligations contemplated by this Agreement", which includes GDPR.