Hosted Mender Security and Data Privacy

Updated December 15th, 2022

Hosted Mender Security and Data Privacy

To comply with data protection laws like GDPR and relevant data retention and privacy policies, Northern.tech (“NT”) has developed a comprehensive legal and technical framework and internal processes to ensure compliance.

NT adheres to industry best practices by exercising the appropriate professional skill, care, diligence, prudence and reasonable foresight that is to be expected from a data processor.

Personal Data

Hosted Mender is a service to manage software on connected devices as well as ensure that they run correct versions of software, have applied the latest security patches, etc. In most cases, the only personal data NT has access to will be the IP-address and characteristics (OS, Mac-address, etc.) of managed devices. This means that we gain access to no or little personal data. Such non-personal data is not subject to the GDPR.

NT will in no event deconstruct, decompress and analyze, or scrape any of the data files (eg. images, files, etc.) to be deployed to the devices. NT maintains all personal data strictly confidential and does not disclose or grant access to the personal data to any unauthorized third parties.

Besides what is mentioned above, NT has access to the data you as a customer of NT has provided to us as part of signing up and using Hosted Mender. That could be your name, email address, our communication, your company address, etc.. See the relevant privacy policy.

Technical and organizational measures

The protection of your personal data is a high priority for us. We continuously work to protect personal data and other confidential information. Our security measures include physical, technical and administrative measures that will ensure that your personal data is not compromised, not unintentionally changed and available when required.

Any threats to data security are handled efficiently as security and the protection of your personal data is part of the daily work of our business.

We comply with the requirements for the protection and safeguarding of personal data as provided by applicable privacy laws, including GDPR, and good industry practice. Login information and all other data are encrypted and separation of customer data is provided by the software. We use sub-processors who require two- factor authentication to store personal data.

Our employees receive training and guidance on how to handle personal data safely. We have routines and access control to prevent unauthorized disclosure and unauthorized access to your personal data. All developer and system administrator laptops have encrypted harddisks.

Any breach of security practices will be documented. We have procedures and capacity to detect and deal with any breaches of security. If a security breach is detected, it will be reported to the management, the risk of privacy breaches will be assessed and the Norwegian Data Inspectorate (Datatilsynet) will be notified if required. You will also be notified if the breach poses a risk to you and your rights.

Our security measures are continually monitored and improved to reflect technological developments.

Any questions or comments regarding NT’s security and data privacy policies can be sent to its Head of Data Privacy, Gaustadalleen 21, N-0349 Oslo, Norway, Email: data-privacy-officer@mender.io.

Sub-processors

NT seeks to keep the number of sub-processors to a minimum. Every sub-processor shall comply with the same standards as NT. Hosted Mender currently uses two sub-processors that store personal data; Amazon AWS and Atlas MongoDB. In addition, NT uses various sub-processors to conduct the business with you as a customer. A complete list of sub-processors follows below.

Amazon Web Services (AWS)

PLATFORM INFO

https://aws.amazon.com/

DATA PROVIDED TO THE AWS PLATFORM/SERVICE: CUSTOMER DATA

IP addresses of users and devices during product usage.
Update files for devices
Inventory data reported by devices
Various data related to the device upgrade process such as installation logs from devices, statuses, installed software, progress information, etc.
Various data related to the core functionality of the product such as device groups, upgrade history, etc.
Application usage data related to operations: application logs, API usage, error logs, monitoring data.
Data backups

REGULATORY COMPLIANCES STATEMENTS

GDPR Policy:
- https://aws.amazon.com/compliance/gdpr-center/
Following the EU's invalidation of EU - US Privacy Shield as a legal basis for export of data from the EEA to the USA, NT and AWS have entered into an AWS GDPR DATA PROCESSING ADDENDUM available at http://aws.amazon.com/agreement

PEOPLE WITH ACCESS TO THIS DATA
Engineering and customer organization team
Parts of application data are available to users directly through the product.

TYPES OF OPERATIONS THAT WILL BE PERFORMED ON THIS DATA

Data will be used to:

deliver core functionality for Hosted Mender and ensure fair usage policy compliance
keep track of activities and product usage (randomized data) so we can learn and constantly improve Hosted Mender
operate and maintain the service
provide customer support
determine service usage and charges related to the subscription.

Atlas MongoDB

PLATFORM INFO

https://www.mongodb.com/

DATA PROVIDED TO THE Atlas MongoDB PLATFORM/SERVICE: CUSTOMER DATA

Inventory data reported by devices
Various data related to the device upgrade process such as installation logs from devices, statuses, installed software, progress information, etc.
Various data related to the core functionality of the product such as device groups, upgrade history, etc.
Application data
- Internal application data
- Data provided by the user during their usage of the product
- Data sent by integrated devices such as hardware inventory
- Data backups
User email
Company name
Account usage statistics

REGULATORY COMPLIANCES

Overall Compliances:
- https://www.mongodb.com/cloud/compliance
GDPR Policy:
- https://www.mongodb.com/cloud/trust/compliance/gdpr
Following the EU's invalidation of EU-US Privacy Shield as basis for export of data from the EEA to the USA NT has entered into a separate agreement with MongoDB complying with EU Standard Contractual Clauses, Commission Decision C(2010)593, Standard Contractual Clauses.

PEOPLE WITH ACCESS TO THIS DATA

Engineering team and customer organization team
Users through the product itself

TYPES OF OPERATIONS THAT WILL BE PERFORMED ON THIS DATA

The data will be used to:

deliver core functionality for the purchased service.
keep track of activities and product usage so we can learn and constantly improve our product.
determine service usage and charges related to the subscription.

Microsoft Azure

PLATFORM INFORMATION

https://azure.microsoft.com/en-us/

DATA PROVIDED TO THE AZURE PLATFORM/SERVICE: CUSTOMER DATA

IP Addresses of users and devices during product usage.
Update files for devices.
Inventory data reported by devices.
Various data related to the device upgrade process such as installation logs from devices, statuses, installed software, progress information, etc.
Various data related to the core functionality of the product such as device groups, upgrade history, etc.
Application usage data related to operations: Application logs, API usage, error logs, monitoring data.
Data backups

REGULATORY COMPLIANCES STATEMENTS

Overall Compliance:
- https://www.microsoft.com/en-us/trust-center/privacy
GDPR Policy:
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWRql1?culture=en-us&country=US
PEOPLE WITH ACCESS TO THIS DATA
Engineering team and customer organization team.
Parts of application data are available to users directly through the product.

Types of operations that will be performed on this data

Data will be used to:
Deliver core functionality for Hosted Mender and ensure fair usage policy compliance.
Keep track of activities and product usage (anonymized data) so we can improve Hosted Mender.
Operate and maintain the service.
Provide customer support.
Determine service usage and charges related to the subscription.

Other sub-processors

In addition to MongoDB and AWS where all personal data related to the use of Hosted Mender is stored, we use other sub-processors to conduct the business with you as a customer. Below is a list of all our sub-processors. If you would like detailed information about each of these, their compliance, etc, please send us an email at data-privacy@mender.io

ActiveCampaign - https://www.activecampaign.com - Marketing automation provider
Google Workspace - https://workspace.google.com/ - Collaboration and productivity provider
HubSpot - https://www.hubspot.com/ - Marketing automation provider
Jira Atlassian - https://jira.atlassian.com/ - Issue tracking provider
Salesforce - https://salesforce.com - Customer Relationship Management provider
Slack -https://slack.com/ - Internal communication provider
Stripe - https://stripe.com - Payment provider
Zapier -https://zapier.com/ - Process automation provider
Zendesk - https://www.zendesk.com/ - Customer support provider

Legal agreements

All legal agreements related to Hosted Mender can be found at https://northern.tech/legal.

Our Privacy Policy details what processing takes place, and can be found at https://northern.tech/legal/privacy-policy.

Our Data Collection overview can be found at https://northern.tech/legal/data.

Updates to Hosted Mender Security and Data Privacy

If you want to be informed about any updates regarding NT and Hosted Mender’s security and data privacy practices and/or agreement, please send an email to data-privacy@mender.io

Hosted Mender Security and Data Privacy