Privacy at Omnissa

“Customer Content” (or “Your Content”) is any content that you, as a customer, or your users upload into a Cloud Service for processing, storage, or hosting in connection with your account. In the context of Support Services, “Customer Content” is any content you provide to Omnissa as a part of Support Services. The definition of “Customer Content” can be found in the Omnissa General Terms. For example, Customer Content includes data that you or your users store in Workspace ONE. Importantly, your account information, including names, usernames, phone numbers, and billing information associated with your account, is not included in the definition of “Customer Content”, nor any information Omnissa collects in connection with your use of its Cloud Services. Rather, Omnissa will handle that information in accordance with its Privacy Notice. 

You always retain ownership of Customer Content. You determine which Omnissa Cloud Services you use to process, store, and host Customer Content, and what information you upload into the Cloud Service as Customer Content. Also, Omnissa will not access or use Customer Content for any purpose except as necessary to provide the Cloud Service to you or as set forth and permitted in its Omnissa General Terms with you. Lastly, Omnissa does not use Customer Content for marketing or advertising.

Omnissa provides enterprise solutions which enable its customers to build, manage, secure and run applications across multiple systems and environments. Although Omnissa believes the nature of the service offerings it provides to its customers won’t generally warrant a direct government access request to Customer Content, Omnissa took the following steps to comply with the Schrems II ruling and to assist customers in their own compliance efforts in relation to data they process as a controller: 

Strengthened Contractual Commitments Regarding Government Access Requests 

Please refer to the ‘Required Disclosure’ section of Omnissa General Terms to learn how Omnissa handles government access requests. 

Where customer notification is not legally prohibited, Omnissa will: 

• Notify the Customer: Notify its customers of any demand for disclosure of customer’s content. 
• Refer Government Agency to the Customer: Inform the relevant government authority that Omnissa is a service provider acting on the customer’s behalf and all requests for access to customer’s content should be directed in writing to the contact person the customer has identified to us, or the customer’s legal department. 
• Limit Access: Only provide access to customer’s content with the customer’s authorization. If the customer requests, we will, at the customer’s expense, take reasonable steps to contest any demand.

In the event Omnissa is legally prohibited from notifying the customer, Omnissa will: 

• Evaluate Legal Validity: Omnissa will evaluate the demand for disclosure to determine whether it is legally valid and binding. 
• Challenge Unlawful Requests: Omnissa will challenge the order if it reasonably believes the order does not comply with applicable law. 
• Limit Scope of Disclosure: Omnissa will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law. 

Updated Contracts with Sub-Processors to Ensure Legal Basis for Transferring Personal Data 

To ensure safe, secure and legal data transfers from the EEA, Switzerland or the UK, and to protect any subsequent onward transfers, Omnissa relies on the EEA Standard Contractual Clauses (“EEA SCCs”), UK International Data Transfer Agreement or UK Addendum to EEA SCCs unless another legitimate data transfer mechanism is in place. In its capacity as a data processor, Omnissa relies on EEA SCCs and the UK Addendum to transfer Personal Data outside the EU in connection with the provision of the applicable Omnissa service offerings as set forth in the Omnissa Data Processing Addendum. 

Technical and Organizational Measures 

Omnissa confirms its commitment to implement and maintain appropriate technical and organizational measures as set forth in the Omnissa Data Processing Addendum and Security Addendum. The Omnissa Trust Center outlines the third-party certifications and audits Omnissa maintains in relation to its service offerings. Given the nature of the Omnissa service offerings, customers also have control over how they configure the service offerings and can implement any necessary administrative and technical controls as required to protect the data that is processed in connection with their use of the applicable service offering. In many instances, Omnissa provides both on-premise and hosted solutions for customers to choose from when managing their systems and infrastructure. 

Transparency Regarding the Types of Data processed by Omnissa Service – Datasheets 

The European Data Protection Board (EDPB) in its FAQs on “Schrems II" outlined that it is necessary to consider the types of data transferred as one factor in determining whether there is an adequate level of protection surrounding the transfer of personal data outside the EU, and that controllers should conduct a case-by-case analysis to determine the risks posed by such transfer. To assist customers in understanding the types of data processed in connection with their use of Omnissa service offerings, Omnissa provides an Omnissa Cloud Services Guide and Omnissa Product Guide for each offering, and makes available datasheets for certain service offerings in the Omnissa Trust Center. For Workspace One service offerings, Omnissa also makes available the Workspace One Privacy Disclosure. 

Omnissa engages and uses third parties to perform services on its behalf in connection with the provision of Omnissa service offerings. In connection with the engagement of third parties who process personal data as a sub-processor (as those terms are defined in Data Processing Addendum), Omnissa has implemented the following processes and procedures: 

1. Contractual commitment and international data transfers: Omnissa enters into data processing agreements with all its sub-processors, which require the sub-processors to maintain proper privacy, security, and confidentiality of personal data on terms that are substantially similar to the contractual commitments Omnissa makes to its own customers in the Data Processing Addendum. Omnissa relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place and the sub-processor makes appropriate contractual commitments. 
2. Privacy review process and privacy by design: Omnissa has established a centralized end-to-end third-party vendor management process to onboard new suppliers, including initiating, conducting and tracking third-party privacy and security reviews using centralized tools to assist with its compliance efforts. The Omnissa Privacy Team conducts detailed privacy reviews of the services provided by Sub-processors, including determining the categories of personal data processed and the processing purposes. The reviews include the implementation of privacy controls for mitigating the risks associated with sub-processors’ access to and processing of Personal Data and ensuring regulatory compliance. 
3. Security review process: Omnissa maintains a policy and process for conducting security reviews of sub-processors. The Omnissa Security Team conducts an initial security review of any new subprocessor, and ongoing monitoring based on the identified security risk level. 
4. List of sub-processors and notification of new sub-processors: Omnissa maintains a list of the sub-processors used by individual service offerings and in relation to the Support & Subscription Services. Omnissa provides prior notice of any new engagement of a sub-processor to customers that have subscribed to receive notification for a specific service. 

Omnissa has an internal process for tracking, analyzing and assessing new laws, regulations, binding guidance and case law that may apply to Omnissa whether in its provision of its services or in the operation of its business. The Privacy Team relies on outside counsel, external privacy research tools and law firm news alerts to understand when new laws and regulations are enacted. 

Once it is determined that a specific privacy law applies to Omnissa, Omnissa tracks the legal requirements and implements a project plan to ensure compliance. As part of the implementation process, the Omnissa Privacy Team engages relevant internal stakeholders, and identifies the processes and controls that need updating to comply with the new legal requirements. 

The Omnissa Privacy Team also leverages its standard privacy training and other company trainings to ensure all its employees and contractors are properly trained on any new legal requirements that may impact their business function.

Security of its Cloud Services is of the utmost importance to Omnissa. For more information on how Omnissa secures its Cloud Services, see the Trust Center Security page. Omnissa maintains an information security management program that is aligned with the ISO 27001 standard, and reviewed at least annually to ensure appropriate controls, practices and procedures are in place. 

In using Omnissa Cloud Services, you are responsible for configuring and implementing the necessary technical, organizational, and administrative controls to enable you to comply with any laws applicable to your use of the Cloud Service, which may depend on the types of data you choose to process using the service. Your responsibilities relating to the security of your Customer Content are set forth in the applicable agreement and include (a) controlling access you provide to your users, (b) configuring the Cloud Service appropriately, (c) ensuring the security of Customer Content while it is in transit to and from the Cloud Service, (d) using encryption technology to protect Customer Content as you deem necessary, and (e) backing up Customer Content.