Privacy

Certifications and security reports

Nexthink maintains a set of policies and standard operating procedures which build together with Nexthink’s state-of-the-art technical security controls a stringent and certified Security and Privacy management framework in accordance with ISO 27001, 27017, 27018 (“ISMS”) and 27701 (“PIMS”). This framework addresses Security and Privacy requirements pertaining to Nexthink’s organization as well as specifically the operation of Nexthink’s service and its cloud infrastructure. The implementation of this management framework and its efficiency is annually audited by reputable independent third-party experts.

In addition, Nexthink regularly undergoes external audits to receive updated SOC 2 Type II reports on two trust services principles: security and availability. The detailed reports are available upon request and under a non-disclosure agreement (NDA).

Please also see the Information Security Addendum page which provides a detailed overview of the most important security measures.

Further information about Nexthink’s Privacy Program, including an extensive FAQ section, can be found in the Global Privacy Hub section.

Data collected

Nexthink gives IT unprecedented insight into employees’ daily experience with technology – freeing them to progress from reactive problem-solving to continuous, proactive optimization. With Nexthink, IT teams view their technology from the point of view of employees in a central hub that offers real-time actionable insights.

To provide this value, each endpoint communicates with a web instance provided and operated by Nexthink. Collectors installed on employees' devices report events and metrics. In turn, authorized users can operate Nexthink to apply fixes to employee devices.

Collector and browser extension

Collector

Collector is a lightweight agent based on patented technology. It gathers hardware and software information and monitors system activities and many other properties from employees' devices on which it runs. Collector does not record keystrokes, nor does it report the content of applications being used. For example, Collector reports Microsoft Word executions but does not see details about the documents accessed or their content.

For more detailed information, refer to the Collector overview page.

Browser extension

The browser extension is used to understand the usage and performance of Web applications and software as a service (SaaS). Only business applications as defined by a Nexthink administrator are monitored. The browser extension inspects only URLs, it does not look into the content transferred.

Personal data

Data collected by default

Nexthink collects data on each endpoint in order to fulfill its functions. Some of it is personally identifying information.

Devices	Software and hardware properties of devices Events (boots, connections, crashes, etc.) Performance (CPU and memory usage, etc.)
Users and sessions	User properties (name, username, group, rights, etc.) Session information Events (login, logout, lock, unlock, connect, disconnect and network performance)
Binaries and execution events	Software programs and updates installed Executions Performance (resource consumption, freezes, crashes, etc.)
Applications (desktop and web)	Applications is an expansion product available for the Nexthink solution called Application Experience. Dashboards deliver visibility into employee experience with web and desktop. They help troubleshoot and remediate issues, and drive adoption. To do that it monitors application usage and performance (for applications configured via the administration page or imported via Library packs)
Surveys and their answers	With campaigns, Nexthink users can create employee surveys and store the answers.
Networking and connectivity of the endpoints	Local IP IP of the DNS servers IP of the gateway VPN status SSID of the WiFi network BSSID of the access point
Zoom and Teams call data	Call participants Call time Call duration Video and screen sharing activity

To get a complete understanding of the data Nexthink collects by default, you can check the data model documentation page.

Configuration options and consequences

Username

By default, Collector reports the username of the person logged in to the operating system in a human-readable format. It is possible to configure Collector to report only a hash of the username instead.

Usernames might also be fetched from Microsoft Active Directory or Microsoft Azure Active Directory depending on the configuration.

Focus time

By default, execution events do not contain information about how long the application was in focus. It is possible to enable the tracking of the focus time.

User activity

By default, Collector reports how much time the user spends actively using the device. It is possible to disable the reporting of user activity time in the Collector configuration.

WiFi SSID and BSSID

The SSIDs and BSSIDs of the WiFi hotspots connected to the device are by default not collected. It is possible to configure Collector to get them, find more information on the Configuring Collector level anonymization page.

GDPR self-service features

To help you comply with regulation, the Nexthink solution includes a GDPR-specific section that allows administrators to extract data.

Data Erasure
The GDPR-specific section offers administrators the ability to delete a specific device and its associated data.
Data Retrieval
The GDPR-specific section offers administrators the ability to retrieve all the data associated with a specific user.

Access to the personal data

Customer side

Nexthink users have the right to see and manage content depending on their profile and permissions.

The main administrator is the admin account the system creates during the deployment phase. The main administrator can create user accounts for other administrators who are allowed to manage other users and profiles. The additional administrator accounts have access to all the data.

Other users can access personal data according to their profiles and roles. More information is available on the Profiles and Security and user account management pages.

Nexthink side

Access to personal data is restricted to individuals with a clear business need in accordance with the data processing agreements with a customer and protected by strong access controls. Data attributes and items collected by Nexthink are listed by category and marked as Personal Data, in Nexthink’s data inventory documentation. During periodic design reviews, the Nexthink Security and Privacy Committee sets requirements for how this data may be stored and transmitted, ensuring that proper compartmentalization and access controls are in place. Personal data always remains within the customer's production instance unless the customer exports it.

Security measures to prevent unauthorized access

Nexthink applies tight access controls to its production environment. Authorized Nexthink employees may access a customer's production instance solely for support purposes. Access to production data on Amazon Web Services (AWS) systems is managed through AWS SSO connected to Nexthink Okta identity provider (IdP) relying on role-based access control limited to authorized personnel. In addition, CloudTrail ensures access to data is logged at all times. Access to virtual machines is achieved using the secure shell (SSH) protocol on top of AWS Systems Manager (SSM).

Access to the platform and to customer data are authorized separately. To allow temporary access to the production environment for platform support or troubleshooting, Nexthink has a procedure for engineers who do not have access to production to request temporary access to specific resources in the AWS production environment.

Hosting Locations

Nexthink uses AWS hosting locations across Europe, United Kingdom, United States of America and Bahrain. Customers can choose a single region where their data needs to be stored.

Retention periods for personal data

Data retention periods vary, according to the type of data stored within the product:

Security and audit logs are retained for 180 days.
Customer backup data is retained within AWS for 90 days.
For a Nexthink classic solution that still relies on Portal (classic) and Engine (classic), Collector and event data accessed through Finder (classic) is retained at varying levels, depending on the number of Engine instances, amount of traffic, and other parameters.
For Nexthink Infinity, find more information on the Data resolution and retention page.

Data return

Nexthink customers are able to delete personal data or retrieve a copy using the web interface. This functionality is documented on the Data management and GDPR page.

After the expiration or termination of the agreement, Nexthink deletes all customer’s and end-users’ personal data. A customer may also request Nexthink for a copy of that personal data. In that case, Nexthink will provide a copy within 30 days from the date of the request.

Data deletion

Our procedure to delete customer data removes the whole infrastructure, including operating systems (virtual machines) and storage resources (virtual disks). Regarding the backups, the customer blob containing the backups is kept for 90 days. The daily backup procedure automatically destroys expired backups (older than 90 days). After 90 days, the customer’s storage blob and the remaining backups (if any) are permanently destroyed. To address compliance requirements from customers, the Nexthink Site Reliability Engineering team can erase and destroy customer data before the scheduled date by request of a customer delegate (with written confirmation).