F-Secure Rapid Detection & Response privacy policy

May 2018

 

Rapid Detection & Response solution at a glance

F-Secure Rapid Detection & Response ("RDR") is a security solution specifically designed to detect technical information security anomalies and advanced attacks using methods beyond the reach of more traditional antivirus solutions. RDR consists of a number of sensors placed within customers' networks, a backend run by F-Secure, and a service portal that operates as the communication venue between F-Secure, our corporate end user ("customers"), and the reseller partner.

Through RDR, the customer gains additional visibility to their own network. Such visibility enables spotting and investigating signs of ongoing and past attacks and attempts to breach security controls.

What RDR is and what it is not

The focus is on detecting technical security anomalies in customer devices and networks.

The solution is not intended for monitoring non-security-related activities such as profiling employees’ activities, interests, or interactions.

The focus of data collection is not on individual employees, business documents or email contents.

Key privacy principle

All data collection and handling in the context of RDR is aimed at supporting the detection and subsequent investigation of security breaches and attempts to circumvent the technical security controls of the customer's technical infrastructure and other assets.

RDR forms a part of security measures that protect valuable data (such as employee information, trade secrets, business plans) residing in the customer network. F-Secure's processing of data collected by RDR is bound to the purpose of providing information security services of constantly evolving capabilities to its customers.

RDR privacy policy

This solution-specific privacy policy describes the data collected by our RDR solution. This stand-alone privacy policy is given by F-Secure Corporation, a Finnish publicly listed corporation with Business ID 0705579-2 ("F-Secure", "we", "our"). All our relevant subsidiaries also apply this policy.

The RDR solution may be provided jointly with F-Secure Protection Service for Business, the data collection of which is described in its own dedicated privacy policy.

What kind of data is collected

In order to detect and preserve evidence about security anomalies in the customer's network, a set of data RDR sensors are installed on the customer network on devices designated by the customer. These sensors gather event logs and record relevant aspects of device usage. The data is sent from the RDR sensor to F-Secure for analysis.

RDR sensors collect the following kinds of event-based data ("Event Data"):

  • technical user identifiers;
  • domain names and network connections;
  • metadata of process creation, behavior, and access to various systems / subsystems;
  • system log entries relevant to detecting security breaches;
  • data that matches known attack patterns that trigger detection rules and other known indicators of compromise; and
  • other substantially similar device and service data.

Events are timestamped, and annotated in a fashion to enable automation to identify the user and device under which the events took place.

Data sent to the service backend on an ongoing basis is filtered both to minimize the amount of data traffic and to protect the privacy of the customer's employees.

Application metadata

The RDR solution also collects information on applications present on endpoints where the sensor is installed, as well as system/network information and other metrics from such RDR sensors (“Application Metadata”). Application Metadata does not include Event Data.

RDR portal

The portal collects non-identifiable telemetry data on the use of its features for service improvement purposes.

Use of collected data

The collected data is used to:

  • provide effective security anomaly detection;
  • enable subsequent security incident response activities;
  • service performance monitoring and direct troubleshooting efforts;
  • further develop and enhance the service functionality and F-Secure's overall detection capability to respond to threats;
  • network health status measurement; and
  • provide customers with visibility about the applications and activity in their network.

Security Cloud

The service sends queries on potential malicious activity, malicious software, or unwanted applications on protected devices, data traffic, and networks to F-Secure Security Cloud. These queries – such as URLs, file identifiers, and application metadata – cannot be connected to an identifiable user by F-Secure. The Security Cloud data collection is explained in more detail in its dedicated privacy statement.

To protect your privacy, F-Secure separates the above security data from other data collected on your use of the service, anonymize it, and destroy it when it is no longer need it for the purpose.

Legal grounds

To the extent that the data processed by F-Secure in the services is identifiable to an individual, the services process data to safeguard the following legitimate interests;

  • providing F-Secure services to secure our customers' networks and devices as well as the confidentiality and availability of the data therein;
  • enabling F-Secure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
  • enabling F-Secure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The results of these services are utilized for the benefit of F-Secure's customers. Both the customer and F-Secure – as a provider of security services – have a recognized legitimate interest to undertake necessary and proportional activities to that effect.

The core "privacy interest" of the RDR solution is to safeguard the valuable data residing in the customer’s devices and network. This also includes personal data of the employees of the customer whose devices the RDR sensors monitor. To achieve the above, the solution profiles the events taking place in the devices of the corporate network(s) to reveal potentially malicious activities taking place on specific devices within customer networks. Objecting to such data collection has a negative impact on the protection awarded by the F-Secure services for the above data in your organization.

The potential negative privacy impact of consequent employee device monitoring is mitigated by technical safeguards, limitations on collected data types, and correlating the collected data to identifiable individuals / devices only in pre-designed phases of processing. Providing the RDR solution is dependent on automated data collection from the protected devices / environment.

Transfers and disclosures

Disclosures as part of services provisioning

The data presented in the service portal is visible to your company's IT administrator, whether internal or external. If the company's IT is managed by a third party, this data is also available to them (F-Secure's "distributor/reseller partner"), so that they can provide your company with support for our services and corresponding IT services.

This means that such resellers and in some cases distributors can view details related to detections and application inventory in the RDR portal in order to perform activities required to offer detection and response services.

Disclosures to third parties

F-Secure shares Event Data with third parties only where there is an authorization to do so from the customer. This may take place, for example, for the purposes of initiating a law enforcement investigation or in situations where a customer has outsourced the handling of incidents to a third party.

F-Secure may publish or share individual pieces of data or aggregate statistics with third parties for the purposes of better combatting cyber threats. In such cases, F-Secure will remove any data that could expose victim organization or individual users.

Other disclosures

Learn more

Sales and delivery

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc,), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.

Our distribution partners are likely to have a pre-existing customer relationship with you or – in the case of our corporate services – with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.

Subcontracting

We may transfer or disclose some of your personal data to F-Secure group companies and our subcontractors who help us create the services.

Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.

International transfers

F-Secure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services.

When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F-Secure group companies, for example by using data transfer clauses that are approved by the European Union – the fixed content of such clauses is available here.

In some cases, we may also accept other mechanisms to justify transfer outside the EEA. Such other justifications include providing data to entities who have registered under the United States’ Privacy Shield program or providing data to entities processing such data in countries with an adequate level of privacy legislation that safeguards the data subject’s rights.

We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.

Other uses and disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.

Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business. F-Secure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.

We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of third-party sources are:

  • information on your purchase made in our external webstore,
  • we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
  • we acquire your contact data from corporate decision-maker registries for marketing purposes, and
  • when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.

Third parties

Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within F-Secure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under F-Secure policies, our webstore providers’ policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, F-Secure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.

Retention

Data is stored in identifiable form as long as it remains useful for the purposes of processing and up to the duration of the customer's engagement of the RDR solution. Upon termination of an engagement, the Event Data shall be subsequently deleted / anonymized within thirty (30) days from the effective date of account termination. At the time of writing this policy, the data is stored for one (1) year on a rolling basis during the customer engagement and is deleted within two (2) months after termination of engagement.

Further; upon termination of engagement; i) any remaining Event Data pertaining to live investigation of incidents is deleted unless otherwise agreed on a case-by-case basis with the customer; ii) Event Data residing in a separate analytics data set remains stored for a limited number of months for the purposes of identifying and detecting similar attacks in other customer environments, and is thereafter anonymized or deleted in accordance to its retention cycle. If an event or series of events triggers detection, the event is stored without a set end date for the same purpose. Backups are retained and subsequently deleted in accordance to the F-Secure practices that are current at that time.

Learn more

This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.

However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.

Typical reasons why we deviate from the primary retention times include the following examples:

  • grace periods and backups (e.g. keeping your personal data stored for a designated time after the end of your subscription, so that we can safeguard the data against erroneous deletion);
  • applicable laws require us to store the data (e.g. to keep track of the purchase and payment of our services);
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation);
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership);
  • to prevent fraudulent activity (e.g. to enforce a ban on our community);
  • your personal data is incorporated to other data for a secondary purpose (e.g. retaining logs);
  • other similar circumstances, where there continues to be a legitimate need for the ongoing storage of personal data.

The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an F-Secure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an F-Secure Community account or ii) you continue to subscribe to our marketing messages. The F-Secure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, F-Secure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.

If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.

Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.

Data that does not contain personal data (e.g. security data and aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.

Security

Information on the security practices that we employ to keep your data secure.

Learn more

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by F-Secure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

Learn more

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of you on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided – pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the "Contact information" section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • If you are a client of our consumer line of products, please contact us via f-secure.com/support.
  • If you are a client of our corporate line of products, please contact us via f-secure.com/corporate-support.
  • If you are a client of MWR Infosecurity, please use the contact information at mwrinfosecurity.com/privacy-policy/.
  • You can contact F-Secure’s Data Protection Officer by sending a message to privacy-office@f-secure.com. If you wish to exercise your rights as a data subject, please use the above links instead.

 

General

Information on definitions and change management.

Learn more

Definitions

This is what we mean when we make certain references within this policy.

"Client", "you", refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, and who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

"Personal data" refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

"Services" refer to any services or products that are manufactured or distributed by F-Secure, including software, web solutions, tools, and related support services.

"Website" refers to the www.f-secure.com website or any other website that F-Secure hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.