Transfer Impact Assessment Factsheet

Purpose

Nexthink has carried out transfer impact assessments (“TIA(s)”) on all relevant data transfers, which consider all factors required under the GDPR and the 2021 version of the Standard Contractual Clauses for data transfers between the EU and non-EU countries. Nexthink’s TIAs contain the legal opinions of Nexthink as well as of its reputable external advisors. For this reason Nexthink is not able to share the full assessments. However, Nexthink provides this Factsheet, which contains all information required to confirm the plausibility of Nexthink’s positive TIA results and therefore allows our customers to meet their own monitoring obligations with regard to their suppliers.

General

  1. Service provider name: Nexthink SA

  2. Service provider address: Centre Malley Lumières, Chemin du Viaduc 1, 1008 Prilly, Switzerland

  3. Brief description of the data processing activities: Provision of cloud-based software dedicated to real-time analytics, instant remediation and automation of, as well as employee feedback on, an organization’s IT systems.

  4. Privacy related contact: Nexthink Privacy Team; dl-privacy@nexthink.com

  5. Service provider affiliates:

     Entity | Registered Office | Role
     Nexthink SA | Centre Malley Lumières, Chemin du Viaduc 1, 1008 Prilly, Switzerland | Operation and support
     Nexthink France SASU | 62 rue de Caumartin, 75009 Paris, France | Support
     Nexthink GmbH | Westhafenplatz 1, 60327 Frankfurt am Main, Germany | Support
     Nexthink Spain SLU | Av. Del General Perón 40 D, 1st Floor, 28020, Madrid, Spain | Operation and support
     Nexthink Ltd. | 80 Cannon Street, EC4N 6HL London, UK | Support
     Nexthink Inc. | 501 Boylston St, 4102 Boston, MA 02116, United States | Operation and support
     Nexthink India Digital Experience Private Limited | The Executive Centre, Level 11, Prestige Trade Tower, 46 Palace Road, Bangalore, Karnataka 560001, India | Operation and support

Scope of Processing

Nexthink SA, including its affiliates and other sub-processors, may process the following data:

Nature/purpose of the processing:

Nexthink’s solutions provide real-time information about the health of work devices within an organization. The IT department of a Nexthink customer uses this information and the solution to proactively prevent and/or automatically resolve disruptions of work devices and continuously improve the employee experience within their organization.

Categories of Personal Data processed according to Customer use of Services (at Customer direction):

Identifiers, login data, user privileges, login time, login duration, professional email, IP addresses, domain names.

For Customers that elect optional functionalities:

Job title, first name, last name, professional phone number, page load times, URLs accessed, number of visits to URLs, keyboard/mouse interaction within Customer defined web applications (excluding what is actually typed), duration of user actions (such actions defined by the Customer).

For Customers that request or provide data within support ticket(s):

Contents of requests in support tickets might also contain Personal Data of the types included within the services.

Responses to ticket requests may involve collection or reporting of Personal Data of the types included within the services, where necessary to remediate the issue notified by the customer.

Special Categories of Personal Data processed:

None.

Categories of Data Subjects:

Employees and other end users of the customer.

Data Transfers

Nexthink leverages AWS and Microsoft hosting locations across the EU, UK, USA and Bahrain. Customers are free to choose a single region where their data will be stored.

Nevertheless, limited transfers of data processed by Nexthink’s solution may be necessary to provide a customer with continuous support and leverage the services of Nexthink’s carefully selected and monitored sub-processors.

Nexthink’s Support and Cloud Operations Teams are spread over different locations in order to provide our customers with continuous support. Both teams may access a customer’s data, but solely for the purpose of addressing tickets submitted by that customer. Multi-factor authentication, source IP whitelisting and/or a bastion host are enforced to control access to the management plane. Access to a customer instance is granted on demand, is logged, requires a justification, and is limited in time. Creation of and changes to privileged accounts in production environments follow formal change control processes.

Effective and efficient performance of Nexthink's services also requires the use of sub-processors. Nexthink’s Data Processing Schedule contains a detailed overview of Nexthink’s sub-processors. All sub-processors are carefully selected and monitored in accordance with Nexthink’s certified security and compliance controls.

Regulatory Framework

The following laws and practices of the applicable third-country destinations were identified by Nexthink to be mainly relevant with regard to an assessment in accordance with Clause 14 of the Standard Contractual Clauses:

United States:

  • Electronic Communications Privacy Act

  • Foreign Intelligence Surveillance Act

  • EO 12333

India:

  • Information Technology Act, 2000

  • Information Technology Rules, 2011

Under certain circumstances, the above-mentioned laws and practices may allow authorities of non-EU countries to intercept or request the disclosure of Personal Data processed by Nexthink or its sub-processors on behalf of a customer. The regulatory framework within the respective jurisdictions may not equip data subjects with substantially the same or stronger rights and means to defend against any such data access as the GDPR does. Therefore, effective technical measures are necessary to prevent unauthorized access to Personal Data, as well as a structured process to exploit all legal means to challenge any access requests. Both have been implemented by Nexthink, as demonstrated in this Factsheet.

Transfer Mechanisms

Nexthink relies on adequacy decisions of the EU Commission and the 2021 set of Standard Contractual Clauses for transfers of customer Personal Data to its non-EEA sub-processors and affiliates, together with a variety of legal, technical and operational safeguards, and based on comprehensive transfer impact assessments carried out in line with the requirements of EU law and the current EDPB Recommendations.

Previous Access Requests

To date, Nexthink has never received any data access requests from law enforcement or intelligence authorities. Nexthink’s transparency report is available here.

Nexthink Government Access Procedure

If Nexthink ever receives a disclosure request, such request will be handled in accordance with Nexthink’s Government Access Request Procedure, which is part of its ISO 27701 certified Privacy Information Management System. In particular, Nexthink will use its best efforts to challenge any disclosure request and, to the extent legally permitted, redirect the disclosure request to the affected customer. However, due to the nature of our services, it is unlikely that Nexthink would receive such requests at all.

Supplementary Measures

Nexthink’s Information Security Addendum provides a comprehensive overview of Nexthink’s state of the art technical and organizational measures. Nexthink’s technical and organizational measures are certified in accordance with ISO 27001, 27017, 27018 and 27701. These certifications demonstrate an Information Security Management System (ISMS) as well as a Privacy Information Management System (PIMS) aligned with the highest standards.

In addition, Nexthink regularly undergoes external audits to receive updated SOC 2 Type II reports. SOC 2 defines criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality and privacy. The detailed reports are available upon request and under NDA.

A key measure to prevent unauthorized access is strong data encryption. Nexthink encrypts all customer data as follows:

  • At Rest: all customer data is encrypted at rest in AWS using AES-256 encryption.

  • In Transit: all customer data in transit over public networks is encrypted through the industry standard HTTPS/TLS (TLS 1.2 or higher).

Summary

Some portions of Nexthink's solutions may fall under the US definition of a "Communication Service Provider," so that measures under FISA 702 cannot be excluded. This also applies to measures under EO 12333.

However, in October 2022, President Biden issued EO 14086 which introduced new safeguards for US signals intelligence activities. EO 14086 is intended to address the concerns raised by the Schrems II ruling and serves as the basis of an adequacy decision by the European Commission for the new EU-US Data Privacy Framework which was ultimately adopted by the European Commission on 10 July 2023. The European Data Protection Board has confirmed that the safeguards enacted through EO 14086 are not limited to transfers made through the EU-US Data Privacy Framework and that when assessing the effectiveness of other transfer tools (e.g. the SCCs and BCR), data exporters should take into account the assessment conducted by the Commission in the adequacy decision. In its adequacy decision, the Commission considers that on the basis of its review of information about the US legal order, "any interference in the public interest, in particular for criminal law enforcement and national security purposes, by US public authorities with the fundamental rights of the individuals whose personal data are transferred from the Union to the United States under the EU-US Data Privacy Framework, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists. Therefore, in the light of the above findings, it should be decided that the United States ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679".

Moreover, the likelihood and success of such measures against Nexthink and the data processed by Nexthink’s affiliates and sub-processors are rather doubtful. As per the guidance provided directly in the Standard Contractual Clauses, an important indicator is our own experience. Nexthink has never received a request for information from any public authority. Nexthink's transparency register is publicly available.

In addition, authorities which rely on these or similar laws seem to be mainly interested in content, i.e. content written by users, such as emails. On this point, Microsoft's Transparency Register provides a very good point of reference, which also needs to be considered, as explained directly in the Standard Contractual Clauses. Nexthink processes almost exclusively technical data, even if a few of the processed data sets may constitute Personal Data, such as IP addresses. The only content communication conducted through Nexthink’s services is the exchange between a customer's IT admins and Nexthink, and it is related to support requests, i.e. if there are questions about Nexthink’s service or in the event that a malfunction occurs.

All customer data is protected by the security measures described in Nexthink’s Information Security Addendum, which comply with stringent ISO standards. Data encryption in transit makes it almost impossible to intercept data during the transfer or to make any use of it. In the unlikely case that a foreign authority were interested in data processed by Nexthink, it would only be able to submit a request for information to Nexthink or to Nexthink's sub-processors. Our response to such requests is described in Nexthink's ISO 27701 certified Government Access Request Procedure; we would use our best efforts to prevent any disclosure of data and to inform the customer without undue delay. Substantially the same technical protection measures and processes also apply to all other relevant Nexthink sub-processors.

In light of the so-called Schrems II decision, this summary focuses mainly on the laws and practices of United States authorities. Nevertheless, the same processes and security measures set forth in this Factsheet apply to all data transfers, irrespective of their destination.

Last updated