BeyondTrust acts as a processor under the GDPR when providing services to our customers. This means that we will only process customer data to provide these services and in accordance with your instructions. In some instances, BeyondTrust acts as a data controller, for example, in relation to billing, account management, contract administration, security, and product improvement.

Where we act as a data controller, we are responsible for ensuring our compliance with applicable data protection laws. Please see our Privacy Notice for more information.

BeyondTrust acts as a service provider under the CCPA when providing services to our customers. This means that we will only process customer data to provide these services and in accordance with your instructions. Please see our Privacy Notice for more information.

BeyondTrust processes limited personal information in order to enable us to provide services to you. For example, we will process your personal data to set up your account; to provide and maintain the service; to support you when you ask; and to send you administrative communications.

This may include contact information such as your full name, your work address, telephone number, email address and job title as well as identity data such as your user ID and username. You can find out more about the type and nature of personal information processed in our DPA.

No, we do not generally require any sensitive personal information, such as race and ethnic origin; religious or philosophical beliefs; sex life and sexual orientation; political opinions; trade union membership; health information; or genetic and biometric data to be transmitted to us to enable us to provide the services to you.

You can find out more about the type and nature of personal information processed in our Privacy Notice.

No, BeyondTrust does not need or require access to any personal or Protected Health Information in order to provide our services to customers.

For Remote Support customers, we always recommend closing down any windows containing any PHI or other sensitive information prior to accepting the session and commencing the screen share.

Customers purchasing BeyondTrust cloud products may choose to host their data in any of the locations provided by BeyondTrust worldwide, depending on their geographic location and/or preference. Available hosting locations include, among others, USA, Canada, Europe, UK, Japan, India, South America, Australia.

You can find a list of the available hosting locations, product by product, in the BeyondTrust Technical Documentation and Support page.

The BeyondTrust customer DPA is available here, and it is also incorporated into our standard EULA. Our DPA has been drafted specifically to reflect our services, our security program and our internal processes and procedures, including our externally audited Information Security Management System (ISMS) and Privacy Information Management System (PIMS). As such, our document is much more tailored to the services which we will be providing than customer-provided templates.

Yes, BeyondTrust uses sub-processors to provide customers with services such as hosting and technical support.

You can find the list of our sub-processors here and at Schedule 3 of our DPA.

BeyondTrust has implemented and maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to (i) help secure customer data against accidental or unlawful loss, access or disclosure; and (ii) minimize security risks, including through risk assessment and regular testing.

This security program includes physical, technical, and administrative measures (including any relevant certifications) designed to protect customer data from unauthorized access, alteration, acquisition, use, disclosure, or destruction and has been implemented by BeyondTrust to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

More information about these measures can be found in Schedule 2 of our DPA.

BeyondTrust utilizes secure communications (i.e., HTTPS, SSL, TLS) for web-based communications and data collection. Our products are configurable to meet data transmission and data at rest requirements. Customer data processed by BeyondTrust is encrypted during transmission and at rest for storage purposes.

You can find further information about the type of encryption implemented by BeyondTrust in our Trust Center.

BeyondTrust has a comprehensive list of industry certifications that demonstrates our commitment to security and compliance.

A full list of our security and compliance certifications can be found in our Trust Center.

We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for. This includes the purposes of satisfying any legal, accounting, or reporting requirements.

We consider different factors to determine the appropriate retention period for personal data. For example, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes of processing and if we can achieve those purposes in other ways, and the applicable legal requirements.

You can exercise your rights by contacting us at dataprotectionofficer@beyondtrust.com.

When you contact us, please include sufficient information to confirm your identity and deal with your request, such as your name, surname, and email address. This is a security measure to ensure that your personal data is not disclosed to someone with no right to receive it.

We will respond to all legitimate requests in one month (or by the timeframe provided by applicable law). Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you, explain the reasons, and keep you updated.

For further information, please see our Privacy Notice.

No, the GDPR does not require that personal data is stored or processed exclusively in the EU and there are no data residency requirements created by it. The GDPR imposes restrictions on the transfer of personal data outside the EEA (for example to non-EEA countries or international organizations) to ensure that the level of protection granted by the GDPR remains the same in the destination country.

Transfers of data outside of the EU are permitted subject to the use of an available transfer mechanism, such as adequacy decisions, Standard Contractual Clauses (SCCs), or the EU-US Data Privacy Framework (DPF).

BeyondTrust customers may submit personal data covered by EU, UK, or Swiss law to enable us to provide our services, the extent of which is determined and controlled and may be documented by customer in its sole discretion. The categories of data subjects whose data may be transferred, as well as the categories of personal data subject to transfers, are outlined in Schedule 1, Part B of the DPA.

Where personal data covered by EEA, UK or Swiss law is submitted by customer to BeyondTrust, this data may be transferred to countries not deemed adequate according to the European Commission, the UK Secretary of State, and/or the Swiss Federal Data Protection and Information Commissioner.

The transfer of customer personal data may include remote access, third country storage and disclosure, transmission, emails, share drive, etc. Please see Q18 for more information about the transfer mechanisms used in these circumstances.

Where personal data covered by EEA, UK or Swiss law is submitted by customer to BeyondTrust, data may be transferred onward to BeyondTrust sub-processors to provide customers with services such as hosting and technical support.

BeyondTrust ensures that personal data subject to onward transfers is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country, in line with the data minimization/proportionality principle, as provided by EU/UK GDPR and the Swiss Federal Act.

BeyondTrust also ensures that it has entered into an agreement as per Article 28 of the EU/UK GDPR with all its sub-processors, including a lawful transfer mechanism for the onward transfer of customer data.

The Data Privacy Framework (DPF) was developed by the U.S. Department of Commerce, together with the European Commission, the UK Government and the Swiss Federal Administration. It is a mechanism for personal data transfers to the United States from the European Union/European Economic Area, the UK (and Gibraltar) and Switzerland, while ensuring data protection that is consistent with EU, UK and Swiss law.

BeyondTrust has certified its compliance with the DPF and its principles, as outlined in our Privacy Notice and in the DPF list.

This means that customers can safely transfer personal data to BeyondTrust under the DPF, as provided by section 6.4 of the BeyondTrust customer DPA. BeyondTrust welcomes the EU-US DPF and its UK Extension, as well as the Swiss-U.S. DPF, as new mechanisms to lawfully and safely transfer individuals’ personal data to the US.

For transfers of EU data, BeyondTrust relies on the EU Standard Contractual Clauses, approved by the European Commission in decision 2021/914/EU, as its lawful transfer mechanism for EU data. The EU SCCs are incorporated in the DPA.

For transfers of UK data, BeyondTrust relies on the EU SCCs, as integrated by the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018. The UK Addendum integrating the EU SCCs is incorporated in the DPA.

For transfers of data covered by Swiss law, BeyondTrust relies on the EU SCCs, as amended according to the guidance of the Swiss Federal Data Protection and Information Commissioner.

BeyondTrust also relies on SCCs for onward transfers of customer data to our sub-processors and affiliates. All the above SCCs are supported by supplementary security measures, as outlined in Schedules 2 and 4 of the DPA.

BeyondTrust carries out Transfer Impact Assessments (TIAs) before transferring EU, UK, or Swiss personal data internationally. We also monitor the circumstances of the transfers to ensure that the personal data is granted a level of protection substantially equivalent to the one provided under EU, UK, or Swiss law.

Our Transfer Impact Assessments are carried out in line with the requirements of EU law and the 6-step recommendations of the European Data Protection Board (“EDPB”) set out in Recommendation 01/2020: On Measures That Supplement Transfer Tools To Ensure Compliance With The EU Level Of Protection Of Personal Data.

BeyondTrust is unable to complete customer TIAs as the customer is in control over the volume and nature of the data which is submitted to us.

We can, however, assist customers in carrying out their own TIAs by providing information about our services, processing locations and security program.

Please contact us at dataprotectionofficer@beyondtrust.com.

We believe that customers and individuals deserve transparency on how and in what circumstances governments and law enforcement authorities may access their information.

Please see the BeyondTrust Government & Law Enforcement Access Request Policy which describes how we handle these access requests.

If you have any further questions, including requests to exercise your rights, please contact us at dataprotectionofficer@beyondtrust.com.

Please visit our Privacy Center to explore all privacy policies and notices at BeyondTrust.
