
Tenable GDPR Alignment

Contact us

We welcome your comments and questions regarding this Policy. You may contact us in writing at [email protected] if you have any additional questions.

On May 25th, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect. GDPR gives individuals greater access to their personal information and control over how it is used. This new standard gives all EU residents a consistent approach to the protection of their data. GDPR applies to all organizations that collect, process, or store Personal Data about EU residents and to organizations that transfer or receive such information outside of the EU.

Tenable provides a suite of products for Cyber Exposure (including Vulnerability Management, Audits, and Policy Compliance assessments) which are hosted on the Tenable.io platform. Our role as a “Data Processor” as defined by GDPR is focused on Tenable.io; we do not store your Scan Data when you use our on-premise offerings such as SecurityCenter and Nessus Professional. The term “we” herein refers to “Tenable Network Security Ireland Limited”, “Tenable, Inc.”, or “Tenable Public Sector LLC” (depending on your jurisdiction).

Tenable is committed to safeguarding our customers’ data, regardless of where in the world the customers may reside. With specific regard to GDPR, we’ve updated our Privacy Policy to make it easier to understand two things: 1) your rights to manage and control the Personal Data we process on your behalf and 2) how to control our use of your data. In addition, we provide details about your choices in how we process data on your behalf.

Data collected by customer and processed by Tenable

Tenable processes several types of data from customers to both manage customer relationships and satisfy contractual obligations. We also use this data to support the functionality of our product suite. We process information about you when you provide it to us and when you use our Services.

You (the customer) are the “Data Controller” as defined by GDPR for the Personal Data relating to Data Subjects (typically, your employees) which resides on your networks. When you initiate a Scan on your data, you collect Scan Data based on what resides on your networks. You are the only one who knows (or is capable of knowing) to what extent Personal Data may or may not reside on your networks.

If you collect Personal Data during a Scan and then store the Scan Data in Tenable.io through your use of our services, we act as a “Data Processor” as defined by GDPR. We only process Personal Data on your behalf when it satisfies a legitimate interest, such as providing customer support, feature personalization, or protecting the safety and security of our services.

You have the option at any time to request that Personal Data not be collected when you use Tenable for vulnerability scans, audits, and policy compliance assessments. We refer to this as “Light Collection Mode”, described below.

Types of Data We Process on Your Behalf

Tenable processes three primary types of data:

  1. User Information
  2. Telemetry Data
  3. Scan Data

User Information

Tenable processes personal data from customers about their Admin Users subsequent to the initial account setup and configuration, where you collect and provide us with such information. We do the same for any subsequent Admin Users that you create. This information includes:

  • Business contact information - first name, last name, work phone number (for two-factor authentication), work email address, and an optional secondary email address
  • Username (typically an email address) and a password (which is anonymized for Tenable)

In addition, Tenable logs the IP address every time an Admin User logs into Tenable.io.

How Tenable uses User Information

Business contact information is used only by Tenable for essential customer service and support purposes.

We take protecting your data seriously and we only use this Personal Data to satisfy our contractual obligations to you. We do not sell or disclose this information to any third party.

How Tenable uses Telemetry Data

Tenable collects Product Usage Telemetry data about how you interact with the Tenable.io Service. We analyze this data to troubleshoot technical issues and to improve or optimize our product design.  

Examples of Product Usage Telemetry Data include:  

  • What screens a customer looks at
  • The length of time a customer spends on a screen  
  • What functions a customer clicks on
  • What features a customer uses and how
  • What web browser and browser version a customer uses

Product Usage Telemetry Data does not contain Personal Data as defined by GDPR.

Scan Data

When you initiate a scan – for example, asset discovery, vulnerability assessment, audit, or Policy Compliance scans – you also generate Scan Data. You conduct these scans using a “Scanner” situated within your environment. We store your Scan Data in the Tenable.io Cloud Service. Only your Admin Users can access your Scan Data.

The Nessus plugins you select determine the scope of your Scan Data. The return values of all plugins are aggregated and constitute the resulting “Scan Data”.

Scan Data generally includes information about your:

  • Computer assets
  • Computer networks
  • Network and system architecture
  • Computer hardware
  • Computer operating system and software types, versions, and associated configuration data

Scan Data is confidential because it contains information about your assets, their configuration and policy settings, and potential vulnerabilities. It is possible that a subset of your Scan Data may contain Personal Data -- such as IP addresses, usernames, and email addresses -- as necessary to help you with remediation.

In this case, Tenable stores this Personal Data in Tenable.io. As such, we act as a Data Processor and our Data Protection Addendum (DPA) applies.  

You are the only party that knows or is capable of knowing what Personal Data resides in your environment and what could be included in the Scan Data.

Scan Data Usage

Solution Functionality

You collect Scan Data for your own use. Tenable stores it and makes it available to you via Tenable.io. We process Scan Data on your behalf to provide reports on topics such as vulnerability management, analysis, audits, and policy compliance.

Research and Development

We anonymize and aggregate a subset of the Scan Data to generate insights about product usage, end user behavior, vulnerability prevalence, and general service and product trends. We may use Scan Data to generate aggregated, anonymized benchmarking metrics to eventually provide new service features, research white papers, and studies. None of these metrics can be directly linked back to a specific customer, and they do not include any Personal Data.

How we secure your data

Data storage and security

We take securing and protecting your data very seriously and follow industry leading practices to safeguard it.

Infrastructure security

Amazon AWS

We use Amazon Web Services (AWS) Cloud for Tenable.io service delivery. AWS provides rich security measures and capabilities that we use to protect our infrastructure. These include:

  • DDoS mitigation
  • Web application firewalls
  • Network firewalls
  • Encryption in transit across all services
  • Inventory and configuration management
  • Identity and access control

Tenable Security

We designed our information security management program with one goal in mind -- to safeguard our customers’ data. Our mature program includes:

  • Threat & Vulnerability Management
  • Patch Management
  • Security Monitoring
  • 2-Factor Authentication
  • Role-based access
  • Penetration Testing

Data Security

We deploy multiple layers of data security measures including, but not limited to, Amazon’s data encryption capabilities - specifically, Amazon Server-Side Encryption and Amazon’s Key Management Service.

What if there is a Data Breach?

While we follow industry leading practices and implement safeguards and measures designed to protect your information, no security system is impenetrable. We cannot guarantee that your data is absolutely safe from intrusion by others. That’s why we have implemented an Incident Response Program, and in the case of any potential breach that has implications for GDPR, we follow the GDPR Data Breach Notification regulations to ensure that your rights are protected.

How long do we retain your data

Our data retention policies vary across the various data types and the purpose for which they are processed. Read on for more detail.

Customer User Information

We retain the information for your Admin Users for as long as you remain a Tenable customer or until you remove selected Admin User accounts. If you sever your customer relationship with Tenable, we delete the entire Tenable.io container with both your Scan Data and Admin User data. We make exceptions for certain Customers to resolve disputes, enforce contractual agreements, support business operations or fulfil legal obligations.

Customer Scan Data

For your use and to meet regulatory requirements, we retain your Scan Data for the default time periods outlined below.

Data Retention Periods for Scan Data

Scan Data Type Retention period

*this is the minimum required retention period for PCI Scan Data

Access & control of Personal Data

The GDPR defines an individual’s rights for the access to and control of their Personal Data. We will assist you in exercising the following rights on behalf of your EU-based data subjects whose data we may process:

  • The right to request a copy of their Personal Data
  • The right to correct their Personal Data
  • The right to delete their Personal Data

Admin User Data Subject

Primary Admin Users can add, delete, and correct Personal Data about themselves or other Admin Users in the Tenable.io user configuration.

Individual Data Subjects

You control your organization’s data and may receive requests from data subjects who wish to exercise their rights under GDPR. Tenable can help you fulfill requests to confirm, correct, or delete such Personal Data upon request. We are also developing self-service capabilities so you can handle these requests autonomously.

Light Collection Mode

As mentioned above, Tenable offers customers the option to use our Light Collection Mode to minimize the Personal Data collected by Plug-ins during Scans. In Light Collection Mode, our plugins anonymize Personal Data so that it is not collected or stored in Tenable.io.

Details of the Anonymization Process

Plugins return data as necessary to describe the state or configuration of the asset during various types of scans. In some cases, Personal Data is critical information for subsequent assessments and/or remediation. Anonymization permanently and irreversibly modifies elements of Personal Data at the time you collect them. This means Tenable never processes the original value of the Personal Data.
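The page does not describe the mechanism Tenable's plugins use, so the following is an added illustration, not Tenable code, of the property the paragraph describes: Personal Data elements in plugin output (email addresses, usernames, IP addresses) are rewritten at collection time, before anything is stored, using a per-scan secret that is never persisted, so the original values cannot be recovered from the stored Scan Data. The sample output lines, the regular expressions and the function names are all constructed for this example. Within one scan the same username maps to the same token, so remediation can still correlate findings for a single account without ever storing the account name.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional

# Constructed patterns for the kinds of Personal Data the page names.
# Real plugin output is structured; these are illustrative only.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\b(user(?:name)?|login|owner)\s*[:=]\s*([^\s,;]+)", re.IGNORECASE)


def _token(value: str, salt: bytes, length: int = 12) -> str:
    """Keyed one-way token: stable within a scan, useless without the salt.

    The salt is generated per scan and discarded, so the mapping is
    irreversible once the scan finishes (hypothetical design choice)."""
    digest = hmac.new(salt, value.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_ip(ip: str) -> str:
    """Keep the network prefix for context, drop the host identifier."""
    prefix = ip.rsplit(".", 1)[0]
    return prefix + ".x"


def anonymize_line(line: str, salt: bytes) -> str:
    """Rewrite one line of plugin output in place of the original values."""
    # Emails first, so the username rule below never sees a raw address.
    line = EMAIL_RE.sub(
        lambda m: f"user-{_token(m.group(0), salt)}@redacted.invalid", line
    )
    line = USER_RE.sub(
        lambda m: f"{m.group(1)}=acct-{_token(m.group(2), salt)}", line
    )
    line = IPV4_RE.sub(lambda m: mask_ip(m.group(0)), line)
    return line


def anonymize_scan(lines: List[str], salt: Optional[bytes] = None) -> List[str]:
    """Anonymize a whole scan's output with one fresh, unstored salt."""
    if salt is None:
        salt = secrets.token_bytes(32)  # never written anywhere
    return [anonymize_line(line, salt) for line in lines]


# Constructed sample of what raw plugin output might look like.
SAMPLE_SCAN_OUTPUT = [
    "host=10.0.5.27 plugin=10860 local user enumeration: user=jdoe, user=asmith",
    "host=10.0.5.27 plugin=11219 mail relay test: contact john.doe@example.com",
    "host=10.0.5.27 plugin=19506 Nessus scan information",
]


if __name__ == "__main__":
    for out in anonymize_scan(SAMPLE_SCAN_OUTPUT):
        print(out)
```

Because the salt exists only for the duration of the run, two different scans produce unrelated tokens for the same person, which is what prevents the stored data from being joined back to an identity; if you need cross-scan correlation, that is a deliberate trade-off to make explicitly rather than by keeping the salt.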

Customer Provided Data

In certain circumstances, you may introduce Personal Data to Tenable.io without our knowledge. Should this happen, we will not anonymize such data and you will be responsible for such data.

Scan Data from Customer Developed Plug-Ins

You can develop your own Plug-ins for Scans. When running your own Plug-ins, the Scan Data results are stored in Tenable.io. This Scan Data may contain Personal Data.

Customer Imported Data

You may import external data through APIs from third parties into Tenable.io containing Personal Data.

How we use Data Sub-Processors

We share certain information with third-party service providers such as hosting services, storage, or virtual infrastructure vendors. These companies help us to operate and process your data to improve and customize your user experience. Any third-party service provider that is required to process your information must do so under our instruction. We require all of these vendors to be GDPR compliant and to protect your information through the appropriate policies and procedures. We will share the current list of our Sub-Processors upon request.

Third Party Data Sub-processors

Tenable engages select third parties as Data Sub-processors as defined by the GDPR. We are committed to transparency and ensuring that all parties that participate with Tenable in the processing of Personal Data on your behalf are GDPR compliant and employ the requisite security technology and processes to protect your data.

The following third parties either process data collected directly from our customers or provide services to Tenable as part of our role as a Data Processor.

For more information about Third Party Data Sub-processors or general questions about GDPR, please contact us at [email protected].

Party: SendGrid
Use case: Email Notifications
Personal Data Types: Admin User Information
Comments / Justification: Used when a customer signs up for trials or requests a password reset. Serves as verification for a valid email address.