F-Secure RADAR privacy policy

In brief

F-Secure Radar is a vulnerability scanning and management platform that allows you to identify and manage threats, report risks, and get an outlook on the security posture of your IT systems. The core privacy aspects of this service are:

  • the focus of data collection is on detecting vulnerabilities in your employer's corporate network, not on any individual's activities therein;
  • the only directly identifying data that we need is your name, email, and optionally phone number;
  • we monitor service use to maintain its performance and prevent misuse.

In full

This product-specific policy is an add-on to the F-Secure privacy statement. This add-on policy focuses on 1) the type of personal and private data that we collect from you in this service, 2) what we use it for, and 3) how long we keep it for. We focus on these items because we believe that they matter to you the most. For other aspects regarding the processing of your personal data, see the F-Secure privacy statement, which applies to all of our services.

This policy is split into the following parts:

  • What do we collect and what do we do with it?
  • Lawful use
  • Legal grounds
  • Disclosures
  • Retention

What do we collect and what do we do with it?

Data in the management portal

We ask you, as the portal user, for subscriber data in the form of full name, email, password (encrypted), and phone number, which act as identifiers for the user's personal account in the system, as well as language and time zone preferences.

The service automatically collects the following data on its operational environment, and on the use of the service, and makes it available through the management portal:

  • Data on service use: subscriber access tokens, scan node, device identifiers (including IP address), service version number, subscription key, installation and update date and time, feature status, and basic operating system status (such as memory and disk usage).
  • Data on vulnerability scan results: information about the occurrence of known vulnerabilities and risks identified during the scan as presented to you via the service.
  • For authenticated Radar system scans:
    • The certificate or credentials that act as access tokens to perform an in-depth scan
    • The software and its version installed on target systems

The portal provides limited visibility among those who share the same subscription.

Data in F-Secure systems

In addition to vulnerability scan result data that is made available to you via the service, F-Secure also collects the following organization-level data directly via the service. This data is not shared with the customer company or distribution partner.

  • The number and the value of unique IP addresses scanned for vulnerabilities within the organization; and
  • in the case of on-premise scan node deployments, the scan node's configuration details, such as installation directory and hardware fingerprint of the device on which the scan node agent is installed.

This data is used for operating the service, troubleshooting, performance measurement, statistics, logging and resolving malicious usage, and service development.

Lawful use

The service is built to find vulnerabilities in the hardware and software of your employer's corporate network, enabling you to find and fix them and thus prevent breaches performed by malicious parties.

Legal grounds

F-Secure has a legitimate interest in identifying its portal users and monitoring such users' portal usage as set out above to make sure that only authorized users are able to utilize the service and that services are only used for their lawful purposes. To this effect, you are responsible for providing accurate and truthful access credentials to be able to use the service.

The data collected by the service in the form of "vulnerability scan results" is processed for the dual purposes of i) improving F-Secure's customers' network and device security as well as the confidentiality and availability of the data therein, and ii) allowing F-Secure to detect emerging threats and security-relevant trends among all of its customers, so that F-Secure services can keep on par with evolving threats. The vulnerability scan results do not, by default, contain personally identifiable data.

Disclosures

To help you in managing your subscriptions and settings and to help us help you better in case of problems, the following data is visible to those who share the same subscription: email address, first name, last name. The visibility of your phone number (if provided) is limited to users with the company administrator role.

The data that is visible in the management portal is visible to users within the company according to role-based access control settings and is also available to F-Secure and through the portal. If the company's IT administration (and access to the service) has been outsourced, the same data is also available to the outsourcing partner (F-Secure's "distributor partner"), so that they can provide your company with support and other IT services.

Retention

Data on vulnerability scan results is stored in accordance with the service settings, which are adjustable by the customer.

Otherwise, the personally identifiable data is stored for the duration of service provisioning to our customer company and is visible in the portal for the same duration. After termination of the subscription, the data is stored for eight months before final deletion.

Regardless of the above deletion, F-Secure continues to retain certain application logs – which contain a limited data set of the above – to resolve any misuse of the services that may arise.