We welcome your comments or questions about this Policy. You may contact us in writing at [email protected] if you have any additional questions.
On May 25th, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect. GDPR gives individuals greater access to their personal information and control over how it is used. This new standard gives all EU residents a consistent approach to the protection of their data. GDPR applies to all organizations that collect, process, or store Personal Data about EU residents and to organizations that transfer or receive such information outside of the EU.
Tenable provides a suite of products for Cyber Exposure (including Vulnerability Management, Audits, and Policy Compliance assessments) which are hosted on the Tenable.io platform. Our role as a “Data Processor” as defined by GDPR is focused on Tenable.io; we do not store your Scan Data when you use our on-premise offerings such as SecurityCenter and Nessus Professional. The term “we” herein refers to “Tenable Network Security Ireland Limited”, “Tenable, Inc.”, or “Tenable Public Sector LLC” (depending on your jurisdiction).
Data collected by customer and processed by Tenable
Tenable processes several types of data from customers to both manage customer relationships and satisfy contractual obligations. We also use this data to support the functionality of our product suite. We process information about you when you provide it to us and when you use our Services.
You (the customer) are the “Data Controller” as defined by GDPR for the Personal Data relating to Data Subjects (typically, your employees) which resides on your networks. When you initiate a Scan on your data, you collect Scan Data based on what resides on your networks. You are the only one who knows (or is capable of knowing) to what extent Personal Data may or may not reside on your networks.
If you collect Personal Data during a Scan and then store the Scan Data in Tenable.io through your use of our services, we act as a “Data Processor” as defined by GDPR. We only process Personal Data on your behalf when it satisfies a legitimate interest, such as providing customer support, feature personalization, or protecting the safety and security of our services.
You have the option at any time to request that Personal Data not be collected when you use Tenable for vulnerability scans, audits, and policy compliance assessments. We refer to this as “Light Collection Mode”, described below.
Types of Data We Process on Your Behalf
Tenable processes three primary types of data:
- User Information
- Telemetry Data
- Scan Data
Tenable processes personal data from customers about their Admin Users subsequent to the initial account setup and configuration, where you collect and provide us with such information. We do the same for any subsequent Admin Users that you create. This includes:
- Business contact information - first name, last name, work phone number (for two-factor authentication), work email address, and an optional secondary email address
- Username (typically an email address) and a password (which is anonymized for Tenable)
In addition, Tenable logs the IP address every time an Admin User logs into Tenable.io.
How Tenable uses User Information
Business contact information is used only by Tenable for essential customer service and support purposes.
We take protecting your data seriously and we only use this Personal Data to satisfy our contractual obligations to you. We do not sell or disclose this information to any third party.
How Tenable uses Telemetry Data
Tenable collects Product Usage Telemetry data about how you interact with the Tenable.io Service. We analyze this data to troubleshoot technical issues and to improve or optimize our product design.
Examples of Product Usage Telemetry Data include:
- What screens a customer looks at
- The length of time a customer spends on a screen
- What functions a customer clicks on
- What features a customer uses and how
- What web browser and browser version a customer uses
Product Usage Telemetry Data does not contain Personal Data as defined by GDPR.
When you initiate a scan – for example, asset discovery, vulnerability assessment, audit, or Policy Compliance scans – you also generate Scan Data. You conduct these scans using a “Scanner” situated within your environment. We store your Scan Data in the Tenable.io Cloud Service. Only your Admin Users can access your Scan Data.
The Nessus plugins you select determine the scope of your Scan Data. The return values of all plugins are aggregated and constitute the resulting “Scan Data”.
Scan Data generally includes information about your:
- Computer assets
- Computer networks
- Network and system architecture
- Computer hardware
- Computer operating system and software types, versions, and associated configuration data
Scan Data is confidential because it contains information about your assets, their configuration and policy settings, and potential vulnerabilities. It is possible that a subset of your Scan Data may contain Personal Data -- such as IP addresses, usernames, and email addresses -- as necessary to help you with remediation.
In this case, Tenable stores this Personal Data in Tenable.io. As such, we act as a Data Processor and our Data Protection Addendum (DPA) applies.
You are the only party that knows or is capable of knowing what Personal Data resides in your environment and what could be included in the Scan Data.
Scan Data Usage
You collect Scan Data for your own use. Tenable stores it and makes it available to you via Tenable.io. We process Scan Data on your behalf to provide reports on topics such as vulnerability management, analysis, audits, and policy compliance.
Research and Development
We anonymize and aggregate a subset of the Scan Data to generate insights about product usage, end user behavior, vulnerability prevalence, and general service and product trends. We may use Scan Data to generate aggregated, anonymized benchmarking metrics to eventually provide new service features, research white papers, and studies. None of these metrics can be directly linked back to a specific customer, and they do not include any Personal Data.
How we secure your data
Data storage and security
We take securing and protecting your data very seriously and follow industry leading practices to safeguard it.
We use Amazon Web Services (AWS) Cloud for Tenable.io service delivery. AWS provides rich security measures and capabilities that we use to protect our infrastructure. These include:
- DDoS mitigation
- Web application firewalls
- Network firewalls
- Encryption in transit across all services
- Inventory and configuration management
- Identity and access control
We designed our information security management program with one goal in mind -- to safeguard our customers’ data. Our mature program includes:
- Threat & Vulnerability Management
- Patch Management
- Security Monitoring
- 2-Factor Authentication
- Role-based access
- Penetration Testing
We deploy multiple layers of data security measures including, but not limited to, Amazon’s data encryption capabilities, specifically Amazon Server-Side Encryption and Amazon’s Key Management Service.
What if there is a Data Breach?
How long do we retain your data
Our data retention policies vary across the various data types and the purpose for which they are processed. Read on for more detail.
Customer User Information
We retain the information for your Admin Users for as long as you remain a Tenable customer or until you remove selected Admin User accounts. If you sever your customer relationship with Tenable, we delete the entire Tenable.io container with both your Scan Data and Admin User data. We make exceptions for certain Customers to resolve disputes, enforce contractual agreements, support business operations or fulfil legal obligations.
Customer Scan Data
For your use and to meet regulatory requirements, we retain your Scan Data for the default time periods outlined below.
Data Retention Periods for Scan Data
|Scan Data Type|Retention period|
|---|---|
|Customer Scan Data|15 Months|
|PCI-related Customer Scan Data|36 Months*|

*This is the minimum required retention period for PCI Scan Data.
Access & control of Personal Data
The GDPR defines an individual’s rights for the access to and control of their Personal Data. We will assist you in exercising the following rights on behalf of your EU-based data subjects whose data we may process:
- The right to request a copy of their Personal Data
- The right to correct their Personal Data
- The right to delete their Personal Data
Admin User Data Subject
Primary Admin Users can add, delete, and correct Personal Data about themselves or other Admin Users in the Tenable.io user configuration.
Individual Data Subjects
You control your organization’s data and may receive requests from data subjects who wish to exercise their rights under GDPR. Tenable can help you fulfill requests to confirm, correct, or delete such Personal Data upon request. We are also developing self-service capabilities so you can handle these requests autonomously.
Light Collection Mode
As mentioned above, Tenable offers customers the option to use our Light Collection Mode to minimize the Personal Data collected by Plug-ins during Scans. In Light Collection Mode, our plugins anonymize Personal Data so that it is not collected or stored in Tenable.io.
Details of the Anonymization Process
Plugins return data as necessary to describe the state or configuration of the asset during various types of scans. In some cases, Personal Data is critical information for subsequent assessments and/or remediation. Anonymization permanently and irreversibly modifies elements of Personal Data when you collect them. This means Tenable never processes the original value of the Personal Data.
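The following is an added illustration of the collection-time anonymization described above; it is not Tenable's code and the page does not describe how its plugins actually perform the modification. The mechanism shown is an assumption: each Personal Data field in a plugin result is replaced with an HMAC-SHA256 token keyed by a random per-scan secret that is discarded once the scan's results have been rewritten, so the same value still correlates across findings within one scan (useful for remediation) while no party, the processor included, can recover or re-link the original afterwards. The field names and sample results are constructed for the example.

```python
"""Illustrative model of a "light collection" step: Personal Data fields in
plugin output are irreversibly replaced before anything is stored.
Hypothetical code for illustration; not Tenable's implementation."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed list of plugin-output fields treated as Personal Data here.
PERSONAL_FIELDS = frozenset({"ip", "username", "email"})


def token_for(value: str, scan_secret: bytes, length: int = 12) -> str:
    """Irreversible, scan-scoped token for one Personal Data value.

    HMAC-SHA256 keyed with a per-scan random secret: the same value yields
    the same token within a scan, so findings about one user or host still
    line up, but once the secret is gone the token cannot be reversed or
    re-linked to the original value.
    """
    digest = hmac.new(scan_secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "anon-" + digest[:length]


def anonymize_record(record: Dict[str, str], scan_secret: bytes,
                     fields: Iterable[str] = PERSONAL_FIELDS) -> Dict[str, str]:
    """Return a copy of one plugin result with its Personal Data fields replaced.

    The input record is left untouched; only the copy is handed onward.
    """
    out = dict(record)
    for name in fields:
        if out.get(name):
            out[name] = token_for(out[name], scan_secret)
    return out


def anonymize_scan(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Anonymize a whole scan's results with a secret that lives only here.

    The secret is generated at collection time and dropped on return. That is
    what makes the modification permanent: the original values never reach
    storage, and nothing that could map tokens back to them is kept.
    """
    scan_secret = secrets.token_bytes(32)
    try:
        return [anonymize_record(r, scan_secret) for r in records]
    finally:
        del scan_secret  # never persisted or logged


def leaks_original(anonymized: List[Dict[str, str]], originals: List[Dict[str, str]],
                   fields: Iterable[str] = PERSONAL_FIELDS) -> bool:
    """True if any original Personal Data value survives anywhere in the output.

    A defender's spot check: run it over the rewritten results before they
    are stored, so a plugin that copies a username into free text does not
    slip through the field-based replacement unnoticed.
    """
    originals_set = {r[f] for r in originals for f in fields if r.get(f)}
    return any(v in originals_set for r in anonymized for v in r.values())


# Constructed sample plugin results (not real scan output).
SAMPLE_RESULTS = [
    {"plugin_id": "10000", "ip": "192.0.2.10", "username": "jdoe",
     "email": "jdoe@example.test", "finding": "Local account has no password expiry"},
    {"plugin_id": "10001", "ip": "192.0.2.11", "username": "jdoe",
     "email": "jdoe@example.test", "finding": "Account is a member of Administrators"},
]

if __name__ == "__main__":
    rewritten = anonymize_scan(SAMPLE_RESULTS)
    for row in rewritten:
        print(row)
    print("original values leaked:", leaks_original(rewritten, SAMPLE_RESULTS))
```

Running the block prints the two results with identical `username` and `email` tokens (same person, same scan) but different `ip` tokens, followed by `original values leaked: False`. Because the mapping is keyed per scan, the same user receives a different token in the next scan, which is the price of making the step irreversible rather than merely pseudonymous.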
Customer Provided Data
In certain circumstances, you may introduce Personal Data to Tenable.io without our knowledge. Should this happen, we will not anonymize such data and you will be responsible for such data.
Scan Data from Customer Developed Plug-Ins
You can develop your own Plug-ins for Scans. When running your own Plug-ins, the Scan Data results are stored in Tenable.io. This Scan Data may contain Personal Data.
Customer Imported Data
You may import external data through APIs from third parties into Tenable.io containing Personal Data.
How we use Data Sub-Processors
We share certain information with third-party service providers such as hosting services, storage, or virtual infrastructure vendors. These companies help us to operate and process your data to improve and customize your user experience. Any third-party service provider that is required to process your information must do so under our instruction. We require all of these vendors to be GDPR compliant and to protect your information through the appropriate policies and procedures. We will share the current list of our Sub-Processors upon request.
Third Party Data Sub-processors
Tenable engages select third parties as Data Sub-processors as defined by the GDPR. We are committed to transparency and ensuring that all parties that participate with Tenable in the processing of Personal Data on your behalf are GDPR compliant and employ the requisite security technology and processes to protect your data.
The following third parties either process data collected directly from our customers or provide services to Tenable as part of our role as a Data Processor.
For more information about Third Party Data Sub-processors or general questions about GDPR, please contact us at [email protected].
|Party|Use case|Personal Data Types|Comments / Justification|
|---|---|---|---|
|Amazon Web Services (AWS) Cloud|Hosting service for Tenable.io and customer data containers|Any Personal Data captured in Scan Data and Admin User Information|AWS directly supports our role as a Data Processor for the customer's historical Scan Data. Native AWS data security and access controls applied to the customer's containers help satisfy GDPR requirements for Tenable as a Data Processor and AWS as a Sub-Processor.|
|SendGrid|Email Notifications|Admin User Information|Used when a customer signs up for trials or requests a password reset. Serves as verification for a valid email address.|
|Twilio|SMS Notifications and Two-factor Authentication|Admin User Information|Phone number and authentication codes are sent to Twilio, but no information is shared to identify who the phone number belongs to.|