Protection Service for Business combines VPN, mobile device management, software update management as well as workstation and server security, which are all controlled via the management portal. The core privacy aspects of this service are:
- the focus of data collection is on your device and our service, not you as an individual;
- much of the collected data is available for your employer's IT administrator, so they can better manage company devices and applications;
- we collect anonymous security data to protect your device.
The service does not enable F-Secure or your company's IT administrator to follow your movements, view your photos, or see who you call or communicate with, nor are we able to track the sites that you visit through the service.
We wrote this to tell you about the personal and private data that we collect from you in this service and what we use it for. We believe that these topics matter to you the most, so we focus on them in this policy. For other aspects (international transfers, data subject rights, contact information, etc.) regarding the processing of your personal data, please see the 'F-Secure privacy statement', which applies to all of our services and to which this service-specific policy is an add-on.
User data in the management portal
The service collects the following data about you, your device, and use of the service, and makes it available through the management portal:
- User's name, email, computer name, device identifiers (e.g. IMEI, WINS name, IP address) and phone number that act as identifiers for the user data in the system.
- The service version number, subscription key, installation and update date and time, blocked malware (may include the file name and path), operating system and version, blocked applications, blocked USB devices, feature status.
- Installed applications as part of the service offering.
- Connected USB devices as part of the Device Control feature.
- Various data describing the security posture and use of company devices to improve manageability (e.g. encryption state, user privileges, password policy, memory).
- Anonymous data on administrator actions within the user interface.
- Other substantially similar data.
The collected data varies according to what devices and services you use.
We use this data to operate the services, to manage them (including identifying authorized users, managing licenses, and sending push notifications), to measure performance, and to further develop, enhance, and improve the service. The data can be used to provide support and problem resolution services.
This data is visible to your company's IT administrator for similar purposes. The data is also available to F-Secure and through the portal. If the company's IT administration has been outsourced, the data is also available to the outsourcing partner (F-Secure's 'distributor partner'), so that they can provide your company with support and corresponding IT services.
User data in F-Secure systems
In addition to data that is made available in the portal: F-Secure also collects the following data directly via the service. This data is not shared with the customer company or distribution partner.
- Your device's language, so the service language is consistent with the device language; and
- For mobile clients, the battery level, internal memory and SD card memory sizes, and a list of installed applications.
- For the Password Protection product, we store your passwords for you in encrypted form. The master password is only known by you and is not stored by F-Secure.
This data is used for operating the service, troubleshooting, performance measurement, statistics, and service development.
The user data in the management portal is visible to your company's IT administrator for similar purposes. The data is also available to F-Secure and through the portal. If the company's IT is managed by a third party, this data is also available to them (F-Secure's 'distributor/reseller partner'), so that they can provide your company with support and corresponding IT services.
F-Secure also employs its affiliates and subcontractors based on the principles set out under "Transfers" in its privacy statement.
Your company establishes the employees to whom the service is allocated and what kind of subsequent activities are taken based on service outcome. Consequently, your company is the 'controller' for user names, email addresses, and/or telephone numbers inserted by the company and processed for the purposes set out above (jointly "identifiers"). The above identifiers apply to the allocation of Freedome for Business and/or Password Protection for Business clients and are not used to manage PSB desktop and server clients.
F-Secure in turn is the controller of the 'technical service data' (i.e. data beyond the 'identifiers' above, which is company-controlled data) that the solution needs in order to function. F-Secure establishes how this technical service data is processed by the service and is consequently the 'controller' for the same data. This technical service data is collected automatically and is necessary for the services to operate as intended.
F-Secure processes the above data in order to fulfill the following legitimate interests:
i) To protect F-Secure's customers' network and device security as well as the confidentiality and availability of the data therein;
ii) For F-Secure to be able to detect emerging threats and security-relevant trends among all of its customers, so that F-Secure services can keep on par with evolving threats; and
iii) For F-Secure to provide a centralized security service framework across multiple partners.
Web Portal analytics are put in place to improve F-Secure products.
In the case of data that is not strictly necessary to provide you with the services – but would help us in providing you with better services in the long run – we collect such data only with your consent.
Your employing company independently establishes its legal grounds for the processing of identifiers for the purposes set out above.
The data is stored for a length of service provisioning to our customer company and is visible in the Protection Service for Business portal for the same duration. After termination of the service agreement or license with the service provider, this data is retained in F-Secure storage for a limited number of months, before final deletion or anonymization.
In addition to the above, audit logs, which show which users accessed the portal, are kept for three years on a rolling basis. Service logs, which show what actions happened in the portal, are kept for one year on a rolling basis. These actions include, but are not limited to, subscription renewals, user creation, profile changes, and registration of new devices.
Exceptions and additions to the above are set out in the F-Secure privacy statement.
However; if the service detects malware, a summary of the detection is visible in the portal and can be connected to an individual device by those having access to portal.
Data collection for VPN component
Our guiding principle is that we do not seek to spy on the exact content of your private communications. We analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact;
- we process some metadata (such as the traffic volume, timestamps, IP addresses) of your traffic when providing the service for you;
- the target IP, port or URL of traffic relayed through the VPN are not stored in a way that they could be later connected to you;
- we also analyze the traffic for suspicious or malicious files and destinations (i.e. URLs); and
- we automatically screen the traffic to inhibit usage that is against our acceptable use policy.
In addition to the data visualized in the portal, the service also uses a subset of collected data for service analytics. We do this so that we can create services that are of value to you and our other customers. Our analytics are explained in more detail in the analytics section of our privacy statement.