Deepwatch Privacy and Security Addendum

Version: 2022-02-07 updated 2023-10-01  

Overview

The General Data Protection Regulation (GDPR) is the regulation through which the European Parliament, the Council of the European Union, and the European Commission set out to strengthen and unify data protection for individuals within the European Union (EU). GDPR became effective on May 25, 2018, replacing a patchwork of inconsistent national laws with a single regulation that raises the bar for privacy protection across the EU. It updates data protection law to address contemporary privacy challenges such as those posed by the internet, social media, and behavioral marketing, and it protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data. In practice, GDPR requires organizations to implement appropriate safeguards governing how personal data may be used, stored, and transferred.

Definitions

  • Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law.
  • Data Processor: A natural or legal person, public authority, agency or another body that processes personal data on behalf of a data controller.
  • Data Subject: An identified or identifiable natural person whose personal data is processed by a Data Controller or Data Processor. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Data Processing

Under GDPR, Deepwatch is a Data Processor, acting on behalf of the Data Controller (the Deepwatch customer). Deepwatch's legal basis for processing is the legitimate interest of securing customer network and enterprise environments. GDPR Article 6(1) (Lawfulness of processing) provides that processing is lawful only if and to the extent that at least one of the listed conditions applies; the condition that applies to Deepwatch's processing is Article 6(1)(f):

“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

In addition, Recital 49 of GDPR recognizes processing carried out to ensure network and information security, which is what Deepwatch's managed security solutions perform, as a legitimate interest of the organization. Deepwatch uses personal data only for security review and does not transmit or share it with third parties outside the scope of network security. Because the Data Controller is legally obligated to protect its systems and users from security risks, this processing rests on legitimate interest under Recital 49 and does not require user consent.

Deepwatch processes data in the legitimate interest of Data Controllers to protect their users from abuse, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data.

GDPR Recital 49 referenced above is as follows,

“The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.”

Deepwatch GDPR Scope

Deepwatch processes system and security logs on behalf of the Data Controller to validate network and data security. Monitored server logs may contain personal data that is necessary to prevent fraud or abuse, and Deepwatch requires that log information to conduct incident response investigations into damaging or potentially illegal activity. Deepwatch therefore falls within the parties that Recital 49 names as holding this legitimate interest: it acts as a Computer Emergency Response Team (CERT) / Computer Security Incident Response Team (CSIRT) and as a provider of security technologies and services.

Examples of processing that Deepwatch performs under the legitimate interest described in Recital 49 include preventing the distribution of malicious code and preventing unauthorized access to networks. Examples of personal data that Deepwatch may process on that basis include:

  • IP & MAC Addresses
  • Computer Hostname
  • Name & Location
  • Email Address & Username
  • Badge Information
  • Employee ID Number

Deepwatch Protections

Deepwatch has completed a rigorous data protection impact assessment and is in certified compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.2 for processing cardholder data. Additionally, Deepwatch maintains Service Organization Control (SOC) 2 Type 2 reports, free of exceptions, for the Confidentiality, Availability, and Security Trust Services Criteria.

Deepwatch also undertakes rigorous measures to reduce risk and exposure of personal data. Deepwatch manages data access in accordance with PCI DSS v3.2 requirements 8.1.1 through 8.1.8. Under GDPR Article 35 (Data Protection Impact Assessment), keeping the pool of people with access to the data small helps demonstrate the "proportionality" of the processing operations. Accordingly, Deepwatch restricts electronic access by requiring multi-factor authentication, grants access only to those who require it, and restricts physical access to buildings and infrastructure using access management hardware and software.

Deepwatch utilizes Cloud Service Providers (CSPs) with an isolated Virtual Private Cloud (VPC) for each customer. Deepwatch employees connect to the production network through IPsec Virtual Private Network (VPN) tunnels from both the Denver, Colorado and Saint Petersburg, Florida Security Operations Center (SOC) locations. Customer data in transit is encrypted over TLS connections, and data at rest is encrypted using volume-based or object-based encryption. Encryption keys are managed by the CSP's Key Management Service (KMS).

Additional Measures

Deepwatch undertakes numerous steps to secure data and reduce the risk of data leakage and exposure. GDPR Article 32 requires Data Processors and Data Controllers to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. Deepwatch takes the following additional steps to reduce the risk of data exposure under GDPR and to provide an enhanced level of security.

  1. Hardens systems using the Center for Internet Security (CIS) Benchmarks.
  2. Secures log forwarding by encrypting the transport with signed certificates and monitoring the proper functioning of Splunk forwarders.
  3. Uses multi-factor authentication combined with role-based access control.
  4. Hardens browser configurations and encrypts web communications and traffic.
  5. Monitors the use of Splunk and detects anomalies, as with any other critical service.
  6. Enforces strong passwords compliant with PCI DSS v3.2 requirements.
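Steps 2 and 5 above describe transport protection and health monitoring for Splunk forwarders. The outputs.conf and inputs.conf fragments below are an added illustration of what that configuration looks like in Splunk's own configuration format; they are not Deepwatch's configuration, and the indexer hostnames, certificate paths, output group name and port are assumptions chosen for the example. The commented lines show the weak settings a default install leaves in place (in particular, a forwarder does not verify the indexer's certificate unless sslVerifyServerCert is set), beside the corrected ones.

```ini
# --- Forwarder side: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Assumed for this example: indexers idx1/idx2.example.internal, and
# certificates issued by a private CA stored under $SPLUNK_HOME/etc/auth/customer/.

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

# Weak (default) settings, shown for contrast:
#   sslVerifyServerCert = false   -> any server certificate is accepted, so a
#                                    rogue listener can capture the log stream
#   useACK = false                -> the forwarder never waits for indexer
#                                    acknowledgment, so dropped events go unnoticed

# Hardened settings:
clientCert = $SPLUNK_HOME/etc/auth/customer/forwarder.pem
sslPassword = <client-key-passphrase>
sslRootCAPath = $SPLUNK_HOME/etc/auth/customer/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
sslVersions = tls1.2
useACK = true

# --- Indexer side: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The receiving port is a TLS-only listener, and a client certificate signed
# by the same private CA is required, so an unauthenticated host cannot
# inject events into the customer's index.

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/customer/indexer.pem
sslPassword = <server-key-passphrase>
requireClientCert = true
sslVersions = tls1.2
# The CA used to validate client certificates is configured once in server.conf:
#   [sslConfig]
#   sslRootCAPath = $SPLUNK_HOME/etc/auth/customer/ca.pem
```

With these settings in place, forwarder health (step 5) can be tracked from the indexer's internal logs: Splunk records each inbound forwarder connection in index=_internal under group=tcpin_connections, including the connecting hostname and an ssl field, so a scheduled search that alerts when a known forwarder has not connected within its expected interval, or connects with ssl=false, covers both the "encrypted" and the "proper functioning" requirements of step 2.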

Deepwatch Data Retention

Customer log data is retained for the duration explicitly stated on the Deepwatch Order Form executed by both Deepwatch and the customer. Standard Deepwatch log data retention is one year, with approximately three (3) months online in hot/warm storage and the remainder in cold storage within CSP object storage. All data at rest is encrypted with 256-bit Advanced Encryption Standard (AES-256), one of the strongest block ciphers available, using keys managed by the CSP's KMS. The CSP KMS protects encryption keys by preventing human access to key material, never storing keys in plaintext, and using them only in memory. Each customer volume (hot/warm) or object store (cold) is encrypted with a unique key, which is deleted when the volume or object store is destroyed. Once the key is destroyed, the data cannot be decrypted even if the underlying storage were accessed.

Deepwatch Sub-Processors (updated 2023-10-01)

Information about Deepwatch Sub-processors, including their functions and locations, is available at: https://legal.deepwatch.com/sub-processors (as may be updated by Deepwatch from time to time). When engaging any Sub-processor, Deepwatch will enter into a written contract with such Sub-processor containing data protection obligations not less protective than those in its Data Processing Addendum with respect to its customers' Personal Data, to the extent applicable to the nature of the services provided by such Sub-processor pursuant to the terms of the underlying agreement with its customer.

Data Protection Officer (updated 2023-10-01)

Deepwatch maintains a Data Protection Officer, who can be reached at compliance@deepwatch.com.