What data does Red Canary process?
The Red Canary platform ingests telemetry and alerts from supported third-party endpoint sensors, Red Canary Linux EDR sensors, and supported third-party security products. Whether that data includes any personal or confidential information depends on the customer’s own configurations.
Red Canary does not require access to any personally identifiable information or other sensitive data to provide our services. Our customers’ own security configurations will determine whether, and to what extent, such data is included in the telemetry and alerts that are transmitted to the Red Canary platform.
For more information on specific product integrations and the data processed for each, see https://help.redcanary.com/hc/en-us/categories/360003867473-Integrations.
Where does Red Canary process and store customer data?
Currently, Red Canary processes and stores all customer data in the United States.
How does Red Canary comply with data privacy laws?
Recognizing that customer data may include some personally identifiable information, Red Canary has implemented a robust data privacy program certified under ISO 27701. Customers may add a Data Protection Addendum to their agreement with Red Canary to document compliance with the data privacy laws of the U.S., Canada, EU, UK, Australia, New Zealand, and Switzerland, such as GDPR, UK GDPR, CCPA, CPRA, PIPEDA, FDPA, Privacy Act (1998) (Australia), and Privacy Act 2020 (New Zealand).
To address transfers of personally identifiable information to the U.S., Red Canary is certified under the Data Privacy Framework Program administered by the U.S. Department of Commerce in conjunction with the European Commission, UK government, and Swiss Federal Administration. In addition, the Red Canary DPA includes the necessary standard contractual clauses to cover transfers of any personally identifiable information from the EU, UK, or Switzerland to the extent they are not covered by the Data Privacy Framework Program.
Who are Red Canary’s subprocessors?
Red Canary uses some third-party services to provide its services (e.g., cloud hosting, logging, and external notifications). Depending on what data our customers provide to us, the data processed by those third-party tools could contain personal information (in its broadest legal definition). Accordingly, Red Canary conservatively classifies those third-party tools as “subprocessors.” However, those subprocessors are unable to access the contents of the customer data they process as it is encrypted and Red Canary controls the encryption key.
The current list of Red Canary’s subprocessors is available in the Red Canary portal. For security reasons, Red Canary does not make that list publicly available, but we will share it with prospective customers under an NDA.