Privacy Code 2022
1. Introduction
Nexthink is a leader in end-user experience management from the endpoint. Nexthink’s solutions combine real-time endpoint analytics and end-user feedback, through unique analytics and visualizations, to provide new insight and enable IT to be more proactive, reduce costs and enhance end-user productivity. Nexthink helps the end users, and in turn the organizations, to be safer, more productive, and more efficient by reducing IT flaws and errors. Nexthink Experience helps to alleviate employee frustration by eliminating IT-bottlenecks and allowing the helpdesk to identify problems earlier and pro-actively even before they occur.
Our Privacy Code sets out our commitment to protect your personal data. It demonstrates how we will uphold this commitment and help keep your personal data safe through your use of Nexthink Experience.
2. Scope
This Privacy Code addresses Nexthink’s processing of personal data of our worldwide customers in our role as data processor, on your behalf, as the data controller. This Privacy Code references some data controller responsibilities. We assume you are fulfilling your obligations as a data controller, and specifically as stated in 4.1. below. The Privacy Code should be read in conjunction with the Data Processing Agreement.
Although the Privacy Code uses some specific terminology based on EU data protection laws and regulations, it covers all jurisdictions and also applies to you wherever you are located.
The information provided in this Privacy Code is not intended to be legal advice. If you have questions about your obligations under applicable privacy laws, including your obligations as a data controller, you should consult with your own legal counsel.
3. Product privacy overview
How Nexthink Experience works
A simplified representation of the general product architecture is set out below:

In summary, Nexthink Experience collects various data, including personal data, from any of your devices on which the Collector is installed. It is transmitted in an encrypted form to Nexthink Experience where it can be accessed and where it is stored. Nexthink Experience users access this data through encrypted channels using various Nexthink products, including the Finder, the Portal and various APIs, which all connect to Nexthink Experience.
The Collector mainly retrieves technical information related to the device data but, by its nature, there will be some personal data retrieved. A list of personal data processed by us directly, and by our sub-processors, can be found in the Data Processing Agreement.
In addition, some support and other optional services may also necessitate our accessing additional personal data.
Nexthink’s dedicated Privacy & Cybersecurity Committee ensures we meet our duties and fulfil our responsibilities as the data processor under Nexthink Experience, by ensuring the security, privacy and ownership rights of information held is appropriate, clearly specified and built into our contractual arrangements for our products and solutions. You can learn more about the Privacy & Cybersecurity Committee at section 6.
The specific personal data that Nexthink processes on your behalf is set out in our documentation and in the Data Processing Agreement that we have entered into with you.
4. Core measures
Nexthink has implemented the following core measures which underpin our commitment to upholding the highest levels of data protection, ensure complete compliance with applicable privacy laws, and protect all personal data that we process from accidental or unlawful destruction, loss, alteration, access or disclosure.
General technical and organisational information security measures
Our DPA and our terms and conditions ensure compliance with applicable privacy laws for both you, as the data controller, and us as the data processor.
All Nexthink’s policies, procedures and processes are regularly reviewed to ensure they are strictly in accordance with the requirements of applicable privacy laws.
We will process personal data only in accordance with your written instructions, unless otherwise required by applicable law. If we need to change the way that we process personal data, we will only do this after providing you prior notice.
We will assist you in meeting the requirements of applicable privacy laws with regard to the notification of personal data breaches and completing data protection impact assessments.
We are certified to ISO 27001, 27017 and 27018. This demonstrates that our buildings, infrastructure, systems, policies, processes, procedures and controls have been independently certified as adequately robust to protect all personal data that we process. In addition, we will undergo a certification audit for ISO 27701 in Q2 of 2022.
We have carried out a data audit and maintain a comprehensive record of all our data processing activities and personal data flows.
Information security is embedded in all Nexthink’s policies, processes and procedures, and we operate a privacy by design practice across all functions.
We operate an integrated risk management framework. We regularly assess and manage the risks associated with protecting the confidentiality, integrity and availability of the personal data that we process and their related assets.
On written instruction from the data controller, we can securely destroy any data that is no longer required or has passed its retention period quickly and easily.
We will contribute to reasonable remote audits and inspections. The scope and timelines of such audits will be agreed with you in writing and in advance. We also regularly conduct external audits.
We are committed to ensuring business continuity and have a Business Continuity Plan in place to minimise the impact of any disruptive incidents or disasters, and to validate that our systems and processes are resilient enough to protect the confidentiality, integrity and availability of personal data.
We regularly test our business continuity and disaster recovery plans to ensure that we can quickly restore our operations in the event of a disaster or incident. Our Business Continuity Plan is available on request.
Nexthink systems and software
We have developed our systems and software to ensure that they are legally compliant.
Our systems and software enable us to fulfil our obligations for your right of access to, rectification or restriction of personal data. All personal data is backed up, and this is encrypted and stored securely. We will inform you of any requests or complaints that we receive from a data subject regarding the exercising of their rights under applicable laws. Additionally, we offer certain self-service capabilities that allow you to address certain data subject requests.
Our systems and software enable us to fulfil our obligations for the ‘right to be forgotten.’ Personal data in the cloud is securely destroyed after ninety days. Additionally, we offer certain self-service capabilities that allow you to address ‘right to be forgotten’ requests.
Nexthink’s systems enable us to fulfil our obligations for the right to data portability. All personal data can be exported from our systems by authorised client users on a self-service basis or we can physically move personal data to an alternative location on receipt of a written request from authorised users, if reasonably practicable.
Personal data is encrypted in transit and at rest, and you can select the region where the servers hosting your personal data are located from a comprehensive list of options.
5. Third-party sub-processors
Third-party sub-processors may process your personal data as part of delivering Nexthink Experience. All sub-processors who process any of your personal data have a binding contract with us. The contract shall impose similar data protection-related processing terms on the sub-processor that are no less protective than those imposed on us under the Data Protection Agreement we have entered into with you.
Nexthink publishes an overview of the sub-processors involved in the delivery of Nexthink Experience on the appropriate Nexthink website, currently Nexthink Documentation – Global Privacy Hub.
6. Supervision and compliance
Nexthink has a designated Global Data Protection Officer who is registered with at least one regulator in the EEA, and is responsible for Nexthink’s compliance with this Privacy Code. The Data Protection Officer can be reached at dl-legal@nexthink.com.
Nexthink has an established Privacy & Cybersecurity Committee who are a crossfunctional body headed up by the Global Data Protection Officer. The Privacy & Cybersecurity Committee have created and maintained a programme for, amongst other matters:
developing and maintaining policies, procedures and other documentation;
investigating and resolving any potential incidents; and
responding to your specific queries on privacy and cybersecurity.
The Privacy & Cybersecurity Committee can be reached at privacy-security@nexthink.com.