Transfer Impact Assessment Factsheet
Purpose
Nexthink has carried out transfer impact assessments (“TIA(s)”) on all relevant data transfers. These assessments consider all factors required under the GDPR and the 2021 version of the Standard Contractual Clauses for data transfers between the EU and non-EU countries. Nexthink’s TIAs contain the legal opinions of Nexthink as well as of its reputable external advisors. For this reason, Nexthink is not able to share the full assessments. However, Nexthink provides this Factsheet, which contains all the information required to confirm the plausibility of Nexthink’s positive TIA results and, therefore, allows our customers to meet their own monitoring obligations with regard to their suppliers.
General
Service provider name: Nexthink SA
Service provider address: Centre Malley Lumières, Chemin du Viaduc 1, 1008 Prilly, Switzerland
Brief description of the data processing activities: Provision of cloud-based software dedicated to real-time analytics, instant remediation and automation of, as well as employee feedback on, an organization’s IT systems.
Privacy related contact: Nexthink Privacy Team; dl-privacy@nexthink.com
Service provider affiliates (name; address; role):
Nexthink SA; Centre Malley Lumières, Chemin du Viaduc 1, 1008 Prilly, Switzerland; Operation and support
Nexthink France SASU; 62 rue de Caumartin, 75009 Paris, France; Support
Nexthink GmbH; Westhafenplatz 1, 60327 Frankfurt am Main, Germany; Support
Nexthink Spain SLU; Av. Del General Perón 40 D, 1st Floor, 28020, Madrid, Spain; Operation and support
Nexthink Ltd.; 80 Cannon Street, EC4N 6HL London, UK; Support
Nexthink Inc.; 501 Boylston St, 4102 Boston, MA 02116, United States; Operation and support
Nexthink India Digital Experience Private Limited; The Executive Centre, Level 11, Prestige Trade Tower, 46 Palace Road, Bangalore, Karnataka 560001, India; Operation and support
Scope of Processing
Nexthink SA, including its affiliates and other sub-processors, may process the following data:
Nature/purpose of the processing:
Nexthink’s solutions provide real-time information about the health of work devices within an organization. The IT department of a Nexthink customer uses this information and the solution to proactively prevent and/or automatically resolve disruptions of work devices and continuously improve the employee experience within their organization.
Categories of Personal Data processed according to Customer use of Services (at Customer direction):
Identifiers, login data, user privileges, login time, login duration, professional email, IP addresses, domain names.
For Customers that elect optional functionalities:
Job title, first name, last name, professional phone number, page load times, URLs accessed, number of visits to URLs, keyboard/mouse interaction within Customer defined web applications (excluding what is actually typed), duration of user actions (such actions defined by the Customer).
For Customers that request or provide data within support ticket(s):
The contents of support ticket requests might also contain Personal Data of the types included within the services.
Responses to ticket requests may involve the collection or reporting of Personal Data of the types included within the services, where necessary to remediate the issue notified by the customer.
Special Categories of Personal Data processed:
None.
Categories of Data Subjects:
Employees and other end users of the customer.
Data Transfers
Nexthink leverages AWS and Microsoft hosting locations across the EU, UK, USA and Bahrain. Customers are free to choose a single region where their data will be stored.
Nevertheless, limited transfers of data processed by Nexthink’s solution may be necessary to provide a customer with continuous support and leverage the services of Nexthink’s carefully selected and monitored sub-processors.
Nexthink’s Support and Cloud Operations Teams are spread over different locations in order to provide our customers with continuous support. Both teams may access a customer’s data, but solely for the purpose of addressing tickets submitted by your company. Multi-factor authentication, source IP whitelisting and/or a bastion host are enforced to control access to the management plane. Access to a customer instance is granted on demand, is logged, requires a justification, and is limited in time. Creation of and changes to privileged accounts in production environments follow formal change control processes.
Effective and efficient performance of Nexthink's services also requires the use of sub-processors. Nexthink’s Data Processing Schedule contains a detailed overview of Nexthink’s sub-processors. All sub-processors are carefully selected and monitored in accordance with Nexthink’s certified security and compliance controls.
Regulatory Framework
The following laws and practices of the applicable third-country destinations were identified by Nexthink to be mainly relevant with regard to an assessment in accordance with Clause 14 of the Standard Contractual Clauses:
United States:
Electronic Communications Privacy Act
Foreign Intelligence Surveillance Act
EO 12333
India:
Information Technology Act, 2000
Information Technology Rules, 2011
Under certain circumstances, the above-mentioned laws and practices may allow authorities of non-EU countries to intercept or request the disclosure of Personal Data processed by Nexthink or its sub-processors on behalf of a customer. The regulatory framework within the respective jurisdictions may not equip data subjects with substantially the same or stronger rights and means to defend against any such data access as the GDPR does. Therefore, effective technical measures are necessary to prevent unauthorized access to Personal Data, as well as a structured process to use all legal means to challenge any access request. Both have been implemented by Nexthink, as demonstrated in this Factsheet.
Transfer Mechanisms
Nexthink relies on adequacy decisions of the EU Commission and the 2021 set of Standard Contractual Clauses for transfers of customer Personal Data to its non-EEA sub-processors and affiliates, together with a variety of legal, technical and operational safeguards, and based on comprehensive transfer impact assessments carried out in line with the requirements of EU law and the current EDPB Recommendations.
Previous Access Requests
To date, Nexthink has never received any data access requests from law enforcement or intelligence authorities. Nexthink’s transparency report is available here.
Nexthink Government Access Procedure
If Nexthink ever receives a disclosure request, such a request will be handled in accordance with Nexthink’s Government Access Request Procedure, which is part of its ISO 27701 certified Privacy Information Management System. In particular, Nexthink will use its best efforts to challenge any disclosure request and, to the extent legally permitted, redirect the disclosure request to the affected customer. However, due to the nature of our services, it is unlikely that Nexthink would receive such requests.
Supplementary Measures
Nexthink’s Information Security Addendum provides a comprehensive overview of Nexthink’s state of the art technical and organizational measures. Nexthink’s technical and organizational measures are certified in accordance with ISO 27001, 27017, 27018 and 27701. These certifications demonstrate an Information Security Management System (ISMS) as well as a Privacy Information Management System (PIMS) aligned with the highest standards.
In addition, Nexthink regularly undergoes external audits to receive updated SOC 2 Type II reports. SOC 2 defines criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality and privacy. The detailed reports are available upon request and under NDA.
A key measure to prevent unauthorized access is strong data encryption. Nexthink encrypts all customer data as follows:
At Rest: all customer data is encrypted at rest in AWS using AES-256 encryption.
In Transit: all customer data in transit over public networks is encrypted through the industry standard HTTPS/TLS (TLS 1.2 or higher).
Summary
Some portions of Nexthink's solutions may fall under the US definition of a "Communication Service Provider," so that measures under FISA 702 cannot be excluded. This also applies to measures under EO 12333.
However, in October 2022, President Biden issued EO 14086 which introduced new safeguards for US signals intelligence activities. EO 14086 is intended to address the concerns raised by the Schrems II ruling and serves as the basis of an adequacy decision by the European Commission for the new EU-US Data Privacy Framework which was ultimately adopted by the European Commission on 10 July 2023. The European Data Protection Board has confirmed that the safeguards enacted through EO 14086 are not limited to transfers made through the EU-US Data Privacy Framework and that when assessing the effectiveness of other transfer tools (e.g. the SCCs and BCR), data exporters should take into account the assessment conducted by the Commission in the adequacy decision. In its adequacy decision, the Commission considers that on the basis of its review of information about the US legal order, "any interference in the public interest, in particular for criminal law enforcement and national security purposes, by US public authorities with the fundamental rights of the individuals whose personal data are transferred from the Union to the United States under the EU-US Data Privacy Framework, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists. Therefore, in the light of the above findings, it should be decided that the United States ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679".
Moreover, the likelihood and success of such measures against Nexthink and the data processed by Nexthink’s affiliates and sub-processors is rather doubtful. As per the guidance provided directly in the Standard Contractual Clauses, an important indicator is our own experience. Nexthink has never received a request for information from any public authority. Nexthink's transparency register is publicly available.
In addition, authorities which rely on these or similar laws seem to be mainly interested in content, i.e. content written by users, such as emails. On this point, Microsoft's Transparency Register provides a very good point of reference, which also needs to be considered, as explained directly in the Standard Contractual Clauses. Nexthink processes almost exclusively technical data, even if a few of the processed data sets may constitute Personal Data, such as IP addresses. The only content communication conducted through Nexthink’s services is the exchange between a customer's IT admins and Nexthink, and it is related to support requests, i.e. if there are questions about Nexthink’s service or in the event that a malfunction occurs.
All customer data is protected by the security measures described in Nexthink’s Information Security Addendum, which comply with stringent ISO standards. Data encryption in transit makes it almost impossible to intercept data during the transfer or to make any use of it. In the unlikely case that a foreign authority were to be interested in data processed by Nexthink, it would only be able to submit a request for information to Nexthink or to Nexthink's sub-processors. Our response to such requests is described in Nexthink's ISO 27701 certified Government Access Request Procedure; we would use our best efforts to prevent any disclosure of data and to inform the customer without undue delay. Substantially the same technical protection measures and processes also apply to all other relevant Nexthink sub-processors.
In light of the so-called Schrems II decision, this summary focuses mainly on the laws and practices of United States authorities. Nevertheless, the same processes and security measures set forth in this Factsheet apply to all data transfers, irrespective of their destination.
Last updated