Faced with constant change, IT departments are often trapped in a vicious circle: trying to innovate while struggling to address employee issues. Nexthink Infinity breaks that cycle. It provides IT with the real-time analytics, employee feedback, and automated remediation needed to progress from reactive problem solving to proactive, continuous improvement.

1. Overview

What is Nexthink Infinity?

Nexthink Infinity provides the real-time insight IT departments need to proactively prevent and/or automatically resolve disruptions on work devices and to continuously improve the employee experience. By combining rich technical metrics with employee sentiment, companies gain real-time visibility across devices, applications and networks.

Why does an organization use Nexthink Infinity?

Companies use Nexthink Infinity to measure, manage and continuously improve the digital employee experience. By correlating technical performance with employee sentiment, companies can see the true employee experience for the first time.

Does Nexthink make a DPA available to its customers?

Yes, it can be found here.

What are Nexthink’s and the customer’s roles under the DPA?

Nexthink processes Personal Data on behalf of its customers and only upon the instruction of the respective customer. Therefore, Nexthink is always the Processor and the customer is the Controller.

Which Privacy and Data Protection laws does Nexthink’s solution comply with?

Nexthink complies with all privacy and data protection laws applicable to it, including but not limited to the following: the Swiss Data Protection Act (2020), the GDPR, including as incorporated into UK law, and all relevant US state laws, such as the California Consumer Privacy Act (CCPA).

2. Scope of Processing

Which Personal Data does Nexthink collect?

While Nexthink essentially collects telemetry data pertaining to the performance of end-users’ work devices and other endpoints, it also collects a limited amount of Personal Data that allows organizations to identify the devices which need attention.

Every customer has the possibility to adjust which Personal Data is collected by Nexthink on their behalf. Depending on the choices made by each customer, Nexthink may collect the following categories of Personal Data on the end-users of the solution:

  • Identifiers: job title, first name and last name, professional phone number, professional email address, IP addresses.

  • Network activity and device information: user privileges, login data, login time, login duration, domain names, page load times, URLs accessed, number of visits to URLs, keyboard and mouse interaction within web applications (if previously defined by the customer), duration of user actions (if previously defined by the customer).

In addition, where a customer or an end-user raises a support ticket in connection with Nexthink’s services, Nexthink will also collect the Personal Data included in the ticket or that may be required to remediate the issue at hand.

Can a Nexthink customer select the types of Personal Data to be collected by Nexthink?

Yes, Nexthink’s solution allows customers to configure the software agent to ignore certain data sets. Where configured, the corresponding data is not recorded at all by Nexthink. For instance, customers can choose to opt out of the processing and storage of usernames, destination IP addresses, etc.

Does Nexthink collect sensitive or special categories of Personal Data?

No, Nexthink does not collect or process sensitive Personal Data.

Likewise, Nexthink does not collect or register any of the content consulted or written by an end-user. For instance, Nexthink cannot capture the content of an email or a Word document consulted or drafted by a customer’s employee.

While Nexthink does collect some categories of Personal Data, most of the information collected by Nexthink relates to telemetry and non-sensitive data pertaining to the performance and functioning of the end-users’ devices and endpoints.

How does Nexthink use collected Personal Data?

Nexthink processes data on behalf of its customers. Nexthink does not use any Personal Data collected from its customers and their end-users for any purpose other than providing its product and services.

Does Nexthink use Personal Data for marketing purposes?

No, Nexthink does not use the Personal Data collected from its customers and their end-users for any marketing purposes.

How long is the Personal Data stored within Nexthink?

The data processing layer subdivides the incoming data into two categories, events and objects. Both are associated with a property called the time to live (TTL) period. Nexthink offers three possible values for that setting:

  • 7 days

  • 14 days

  • 30 days (default setting)

In addition, all information related to a particular device is automatically removed from the system in case of inactivity after a configurable amount of time – which is set to 45 days by default.

Does Nexthink return or delete Personal Data upon a customer’s request?

Yes, a customer may delete Personal Data or retrieve a copy thereof through the solution without Nexthink’s direct assistance.

After expiration or termination of the agreement, Nexthink will delete all of the customer’s and end-users’ Personal Data. A customer may also request a copy of this Personal Data from Nexthink. In that case, Nexthink will provide the copy within 30 days of the request.

Does Nexthink have access to customer data?

Nexthink’s support and cloud operation teams will have access to your company’s data solely for the purpose of addressing tickets submitted by your company. Multi-factor authentication, source IP whitelisting and/or a bastion host are enforced to control access to the management plane. Access to a customer instance is granted on demand, is logged, requires a justification and is limited in time. Creation of and changes to privileged accounts in production environments follow formal change control processes.

3. Data Subjects’ Requests and Self-Service Features

Which features and functionalities aiming at assisting customers with their own privacy and compliance program does Nexthink provide?

You can review all of our self-service features and functionalities, which enable you to meet your privacy- and compliance-related obligations and objectives without needing Nexthink’s direct assistance, on our Establishing a privacy policy webpage.

How does Nexthink handle end-users’ requests?

In accordance with the DPAs we conclude with our customers, Nexthink commits to promptly notify its customers of any end-user requests it receives. In addition, Nexthink will not respond further to such requests without the customer’s prior instruction.

How does Nexthink delete Personal Data?

The means of data destruction employed by Nexthink ensure that a customer’s data is permanently destroyed and cannot be subsequently accessed or read based on commercially reasonable standards.

Can a customer delete the service data without Nexthink’s assistance?

Yes. In addition to the automatic deletion of Personal Data following a device’s inactivity, any customer administrator can manually trigger the deletion of this data. Upon manual deletion, the data will be removed within a 24-hour timeframe.

Can a customer download a copy of the Personal Data collected by Nexthink?

Yes, Nexthink provides built-in functionalities enabling its customers to retrieve the Personal Data pertaining to a particular end-user themselves, without needing Nexthink’s direct assistance.

4. Security

How does Nexthink protect the Personal Data of its customers?

At Nexthink, security is our top priority. Nexthink’s Information Security Addendum provides a comprehensive overview of Nexthink’s state-of-the-art technical and organizational measures.

Do Nexthink’s security measures comply with any industry standards such as ISO or SOC?

Nexthink’s technical and organizational measures are certified in accordance with ISO 27001, 27017, 27018 and 27701. These certifications demonstrate an Information Security Management System (ISMS) as well as a Privacy Information Management System (PIMS) aligned with the highest standards.

In addition, Nexthink regularly undergoes external audits to receive updated SOC 2 Type II reports. SOC 2 defines criteria for managing customer data based on five trust service principles—security, availability, processing integrity, confidentiality and privacy. The detailed reports are available upon request and under NDA.

How does Nexthink encrypt Personal Data?

At Rest: all customer data is encrypted at rest in AWS using AES-256 encryption.

In Transit: all customer data in transit over public networks is encrypted through the industry standard HTTPS/TLS (TLS 1.2 or higher).

Which type of Personal Data are Nexthink users able to access?

Nexthink’s solution does not allow for viewing or quantifying messages sent or received by an end-user. Further, it does not show the content of web browsers, emails, or any other applications accessed by an end-user.

In order to help employees get the most out of their workstations, Nexthink’s solution does allow a customer’s IT department to identify which workstations have been assigned to which employees.

What is Nexthink’s security breach response procedure?

Nexthink’s breach response procedure follows a strict, ISO-certified process. The investigation and eradication of a breach have the highest priority, in order to ensure that the security of any affected subject remains intact or, where required, is restored as soon as possible. These steps may require up to 72 hours. In the unlikely case of a security breach, Nexthink would notify the affected customers once these steps are concluded. Any contractual obligation requiring an earlier notification would endanger the aforementioned priorities.

5. Subprocessors

Does Nexthink use subprocessors?

Effective and efficient performance of Nexthink's services requires the use of subprocessors. These subprocessors can include affiliates of Nexthink as well as third party organizations. The Data Processing Schedule contains a detailed overview of Nexthink’s subprocessors. All subprocessors are carefully selected and monitored in accordance with Nexthink’s certified security and compliance controls.

How does Nexthink notify its customers of new subprocessors?

Where Nexthink intends to make any changes to the Data Processing Schedule, customers will be notified via email at least 30 days ahead. Customers may object to such intended changes using the procedure set out in the DPA.

6. Processing Locations and International Data Transfers

Where does Nexthink store customer data?

Nexthink leverages AWS hosting locations across the EU, UK and USA. Customers are free to choose a single region where their data will be stored.

Does Nexthink process Personal Data outside of the European Union?

Limited transfers of data processed by Nexthink’s solution may be necessary to provide you with continuous support and to leverage the services of Nexthink’s carefully selected and monitored subprocessors. For further information, please see Nexthink’s Data Processing Schedule.

Are transfers of Personal Data beyond the EEA still legal under the GDPR?

In July 2020, the Court of Justice of the European Union held that the Privacy Shield, a mechanism used to validate transfers to the United States, could no longer be used to validate the transfer of Personal Data from the EEA to the US. However, the Court also confirmed that alternative transfer mechanisms, such as the SCCs relied upon by Nexthink, continue to be valid.

Which transfer mechanisms does Nexthink have in place?

Nexthink relies on adequacy decisions of the EU Commission and the 2021 set of Standard Contractual Clauses for transfers of customer Personal Data to its non-EEA subprocessors and affiliates, together with a variety of legal, technical and operational safeguards, and based on a comprehensive transfer impact assessment carried out in line with the requirements of EU law and the EDPB Recommendations.

Does Nexthink conclude EU Standard Contractual Clauses with all of its non-EEA subprocessors?

Yes. All of Nexthink’s SCCs have been updated to the 2021 version.

Does Nexthink conclude EU Standard Contractual Clauses with its customers?

Yes. Where the customer exports Personal Data to Nexthink, Nexthink will enter into the SCCs with the customer. In any other case, any relevant data transfers are covered by the SCCs between Nexthink and its subprocessors.

Has Nexthink carried out Transfer Impact Assessments with regard to the applicable data transfers?

As required under the new EU Standard Contractual Clauses, Nexthink has carried out transfer impact assessments on all relevant data transfers. Among other important factors, these assessments consider the number of disclosure requests that Nexthink and its subprocessors have received from public authorities, as well as the impact that an actual disclosure would have on the rights and freedoms of a data subject. The data processed by Nexthink and its subprocessors consists mainly of technical information and does not include any special categories.

Does Nexthink share its Transfer Risk Assessments with customers?

Nexthink’s TIAs contain the legal opinions of Nexthink as well as of its reputable external advisors. Therefore, Nexthink is not able to share the full assessments. However, to allow customers to meet their own monitoring obligations, Nexthink can provide limited extracts of the TIAs as evidence that the required assessments were conducted. Where a customer wishes to conduct its own TIA, Nexthink will assist by providing the necessary technical information.

7. Government Access Requests

How does Nexthink handle government access requests targeting customers’ Personal Data?

If Nexthink ever receives a disclosure request, such a request will be handled in accordance with Nexthink’s Government Access Policy, which is part of its ISO 27701 certified Privacy Information Management System. In particular, Nexthink will use its best efforts to challenge any disclosure request and, to the extent legally permitted, redirect the disclosure request to the affected customer. Due to the nature of our services, it is unlikely that Nexthink would receive such requests; in that unusual scenario, our approach is always to first redirect the request to the customer and notify the customer, where legally permitted to do so.

Does Nexthink maintain an up-to-date transparency report?

Nexthink’s transparency report is available here.

What is the CLOUD Act?

On March 23, 2018, the United States Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), updating the legal framework for United States law enforcement requests for data held by telecommunications service providers. The CLOUD Act provides a mechanism for United States law enforcement to request data stored in the United States and overseas. The CLOUD Act also created additional safeguards for cloud content, including recognizing the right of providers to challenge requests that conflict with another country’s laws or national interests and requiring that governments respect local rules of law.

Does the CLOUD Act change how law enforcement can request customer data?

No. The CLOUD Act does not change the process or requirements for law enforcement requests for data as part of a criminal investigation.

How does the CLOUD Act impact Nexthink?

The CLOUD Act does not impact Nexthink services or how Nexthink operates its business. To date, Nexthink has received no United States law enforcement requests, and Nexthink will be transparent about the number of requests that it receives, if any. If Nexthink is required to disclose customer data, it will notify the customer before disclosure to give them the opportunity to seek protection from disclosure, unless prohibited by law.

8. CCPA / US-based customer

What is the CCPA?

The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in the United States. It was signed into law at the end of June 2018 and provides a variety of privacy rights to California consumers. Businesses regulated by the CCPA have a number of obligations to those consumers, including disclosures, General Data Protection Regulation (GDPR)-like rights for consumers, an 'opt-out' for certain data transfers and an 'opt-in' requirement for minors.

What is “Personal Information” under the CCPA?

Personal information is any information that identifies, is related to, describes, is capable of being associated with or reasonably linkable, directly or indirectly, to an individual California consumer or household. Public, aggregate and de-identified information is excluded from this definition.

To whom does the CCPA apply?

The CCPA applies to any company that meets the definition of a business under the act and impacts service providers who have personal information about California residents, regardless of their location.

What are the differences between GDPR and CCPA?

There are many differences. It's easier to focus on the similarities, including:

  • Transparency/disclosure obligations.

  • Consumer rights to access, delete, and receive a copy of data.

  • A definition of 'service providers' that is similar to how the GDPR defines 'processors', with a similar contractual obligation.

  • A definition of 'businesses' that encompasses the GDPR definition of 'controllers'.

The biggest difference in CCPA is the core requirement to enable an opt-out from sales of data to third parties (with 'sale' broadly defined to include sharing of data for valuable consideration). This is a narrower and more specific obligation than the broad GDPR right to object to processing, which encompasses this type of 'sale,' but is not specifically limited to covering this type of sharing.

Are there any geographic data transfer restrictions under the CCPA?

There is no requirement under the CCPA that limits data transfers geographically. The CCPA does, however, require that any data transfer be accomplished with reasonable data security.

How does Nexthink fulfill its obligations as a Processor or Service Provider under the CCPA?

Nexthink offers its customers a Data Processing Addendum that supplements the MSA. This addendum incorporates the obligations and requirements set forth by the CCPA. Please note that the terms of our DPA are non-negotiable. As a Service Provider, Nexthink also assists its customers in their compliance with the CCPA. Nexthink will assist with any data subject requests customers may receive, and will pass along to the customer any data subject requests it receives for information related to Customer Data.

Does Nexthink sell Personal Information?

No.