Privacy Code 2023
Nexthink is a leader in end-user experience management from the endpoint. Nexthink’s solutions combine real-time endpoint analytics and end-user feedback, through unique analytics and visualizations, to provide new insight and enable IT to be more proactive, reduce costs and enhance end-user productivity. Nexthink helps the end users, and in turn the organizations, to be safer, more productive, and more efficient by reducing IT flaws and errors. Nexthink’s cloud solutions help to alleviate employee frustration by eliminating IT bottlenecks and allowing the helpdesk to identify problems earlier and proactively even before they occur.
Our Privacy Code sets out our commitment to protect your Personal Data. It demonstrates how we will uphold this commitment and help keep your Personal Data safe through your use of Nexthink’s cloud products.
This Privacy Code addresses Nexthink’s processing of Personal Data of our worldwide customers in our role as Processor, on your behalf, as the Controller. This Privacy Code references some Controller responsibilities and it is assumed that you are fulfilling your obligations as a Controller. The Privacy Code should be read in conjunction with the Data Processing Agreement.
Although the Privacy Code uses some specific terminology based on EU data protection laws and regulations, it covers all jurisdictions and applies to you wherever you are located.
The information provided in this Privacy Code is not intended to be legal advice. If you have questions about your obligations under applicable privacy laws, including your obligations as a Controller, you should consult with your own legal counsel.
3. Product privacy overview
How Nexthink’s Cloud Solutions Work
A simplified representation of the general product architecture is set out below:
In summary, Nexthink collects various data, including Personal Data, from your predefined work devices on which the Collector is installed. It is transmitted in an encrypted form to Nexthink where it can be accessed and where it is stored. Nexthink users access this data through encrypted channels using various Nexthink products, including the Finder, the Portal, the web interface, and various APIs, which all connect to Nexthink.
The Collector mainly retrieves technical information related to the work device, but by its nature some of this information will also qualify as Personal Data. A list of the Personal Data processed by us directly, and by our sub-processors, can be found in the Data Processing Agreement.
In addition, some support and other optional services may also necessitate our accessing additional Personal Data.
Nexthink’s dedicated Privacy & Security Committee ensures we meet our duties and fulfill our responsibilities as the Processor, by ensuring that the security, privacy and ownership rights of the information we hold are appropriate, clearly specified and built into our contractual arrangements for our products and solutions. You can learn more about the Privacy & Security Committee in section 6.
The specific Personal Data that Nexthink processes on your behalf is set out in our documentation and in the Data Processing Agreement that we have entered into with you.
4. Core measures
Nexthink has implemented the following core measures, which underpin our commitment to upholding the highest levels of data protection, ensuring complete compliance with applicable privacy laws, and protecting all Personal Data that we process from accidental or unlawful destruction, loss, alteration, access or disclosure.
4.1 General technical and organizational information security measures
4.1.1 Our Data Protection Agreement and our terms and conditions ensure compliance with applicable privacy laws for both you, as the Controller, and us as the Processor.
4.1.2 All of Nexthink’s policies, procedures and processes are reviewed at least annually to ensure they are strictly in accordance with the requirements of applicable privacy laws.
4.1.3 We will process Personal Data only in accordance with your written instructions, unless otherwise required by applicable law. If we need to change the way that we process Personal Data, we will only do this after providing you prior notice.
4.1.4 We will assist you in meeting the requirements of applicable privacy laws with regard to the notification of Personal Data Breaches and completing Data Protection Impact Assessments.
4.1.5 We are certified to ISO 27001, 27017, 27018, and 27701. This demonstrates that our buildings, infrastructure, systems, policies, processes, procedures and controls have been independently certified as adequately robust to protect and process all Personal Data that we process.
4.1.6 We carry out independent third party audits and maintain a comprehensive record of all our data processing activities and Personal Data flows.
4.1.7 Information security is embedded in all Nexthink’s policies, processes and procedures, and we operate a privacy by design practice across all functions.
4.1.8 We operate an integrated risk management framework. We regularly assess and manage the risks associated with protecting the confidentiality, integrity and availability of the Personal Data that we process and its related assets.
4.1.9 On written instruction from the Controller, we can quickly and easily destroy, in a secure manner, any data that is no longer required or has passed its retention period.
4.1.10 We will contribute to reasonable remote audits and inspections. The scope and timelines of such audits will be agreed with you in writing and in advance. We also regularly conduct external audits.
4.1.11 We are committed to ensuring business continuity and have a Business Continuity Plan in place to minimize the impact of any disruptive incidents or disasters, and to validate that our systems and processes are resilient enough to protect the confidentiality, integrity and availability of Personal Data.
4.1.12 We regularly test our Business Continuity and Disaster Recovery Plans to ensure that we can quickly restore our operations in the event of a disaster or incident. A summary of the non-confidential portions of our Business Continuity Plan is available on request.
4.2 Nexthink systems and software
4.2.1 We have developed our systems and software to ensure that they are legally compliant.
4.2.2 Our systems and software enable us to fulfill our obligations regarding your right of access to, rectification of, or restriction of Personal Data. All Personal Data is backed up, and the backups are encrypted and stored securely. We will inform you without undue delay of any requests or complaints that we receive from a Data Subject regarding the exercise of their rights under applicable laws. More importantly, we offer self-service capabilities that allow you to address most Data Subject requests yourself.
4.2.3 Our solutions allow us and our customers to fulfill any obligations with regard to the “right to be forgotten”. Personal Data in the cloud is securely destroyed after 90 days. Additionally, we offer self-service capabilities that allow you to address the “right to be forgotten” directly upon request.
4.2.4 Nexthink’s systems enable us to fulfill our obligations for the right to Data Portability. All Personal Data can be exported from our systems by authorized customer users on a self-service basis or we can physically move Personal Data to an alternative location on receipt of a written request from an authorized user, if reasonably practicable.
4.2.5 Personal Data is encrypted in transit and at rest, and you can select the region where the servers hosting your Personal Data are located from a comprehensive list of options.
5. Third-party sub-processors
5.1 Third-party sub-processors may process your Personal Data as part of delivering Nexthink cloud solutions. All sub-processors who process any of your Personal Data have a binding contract with us. The contract imposes substantially the same data protection-related processing terms on the sub-processor as the Data Protection Agreement we have entered into with you.
5.2 Nexthink publishes an overview of the sub-processors involved in the delivery of its cloud solutions at https://docs.nexthink.com/legal/global-privacy-hub (or any successor URLs).
6. Supervision and compliance
6.1 Nexthink has a designated Global Data Protection Officer who is registered with at least one regulator in the EEA and is responsible for Nexthink’s compliance with this Privacy Code.
6.2 The Data Protection Officer can be reached at email@example.com.
6.3 Nexthink has an established Privacy & Security Committee which is a cross-functional body headed up by the VP of Information Security and the Global Data Protection Officer. The Privacy & Security Committee has created and maintains a program for, amongst other matters:
(i) developing and maintaining policies, procedures and other documentation;
(ii) investigating and resolving any potential incidents; and
(iii) responding to your specific queries on privacy and information security.
The Privacy & Security Committee can be reached at firstname.lastname@example.org.