
Product Privacy Information

Sophos Protected Browser Privacy Data Sheet

The purpose of this datasheet is to provide Sophos customers with information on how our offerings affect their privacy considerations. In this document, we provide information on Sophos Protected Browser's data handling practices, including the collection, use, and storage of personal information.

Product Summary

Sophos Protected Browser, part of the Sophos Workspace Protection bundle, integrates all the security functions you need into a hardened Chromium browser. In partnership with Island.io and building on their strong foundation as a leader in the enterprise browser market, the Sophos Protected Browser integrates key Sophos technologies and threat intelligence, along with Sophos Central management, to provide the ideal workspace protection platform for our customers and partners.

Information Processed by the Sophos Protected Browser

Sophos Protected Browser processes the following types of information:

  • Username
  • User’s full name
  • Email address of the user
  • Sophos Central login username
  • Tenant ID
  • URL or site visited
  • User Group names
  • Hostname and Session Username
  • Weblogs and Browser Activity
  • Search history and user preferences
  • Web analytics, Web history
  • System events and logs
  • Username of remote SSH/RDP account

Purpose of Information Processed by the Sophos Protected Browser

Sophos Protected Browser processes personal information to enable secure, policy-driven web access and application usage. This processing supports the following purposes (non-exhaustive):

  1. Providing visibility and governance over SaaS application usage, including the application of data boundary controls.
  2. Enforcing comprehensive web security policies through the integrated Secure Web Gateway (SWG), leveraging Sophos AI-based threat intelligence.
  3. Supporting integrated in-browser functionality such as RDP and SSH access, as well as device posture evaluation.

Information processed by Protected Browser is available to the customer in Sophos Central. Sophos Support teams will have access through a defined process, e.g. the support enablement process.

Sophos may analyze and process data for the benefit of the customer resulting in threat detection and response, and future innovation.

Sophos processes the information identified above for the purpose of performing the service(s) to you in accordance with the Sophos End User Terms of Use.

Sub-processors

Sophos partners with Island.io to help deliver the Sophos Protected Browser experience. Configuration settings you create in Sophos Central are applied to the browser through Island’s existing framework, ensuring policies are enforced consistently and securely. In addition, reporting and monitoring data generated by the browser is transported back to Sophos Central through the pipeline managed by the Island control plane. Throughout this process, Sophos ensures that your data is handled securely and in line with our privacy commitments.

The browser services run in the AWS regions that Island uses. The table below explains how Island management traffic is processed depending on the customer’s Sophos Central region.

| Sr No | Sophos Region | Corresponding Island Region |
|---|---|---|
| 1 | Oregon (us-west-2) | US (us-east-1) |
| 2 | Ohio (us-east-2) | US (us-east-1) |
| 3 | Ireland (eu-west-1) | United Kingdom (eu-west-2) |
| 4 | Frankfurt (eu-central-1) | Frankfurt (eu-central-1) |
| 5 | Canada (ca-central-1) | Canada (ca-central-1) |
| 6 | Sydney (ap-southeast-2) | Australia (ap-southeast-2) |
| 7 | Tokyo (ap-northeast-1) | Australia (ap-southeast-2) |
| 8 | Mumbai (ap-south-1) | Australia (ap-southeast-2) |
| 9 | Brazil (sa-east-1) | US (us-east-1) |
| 10 | UAE (me-central-1) | Frankfurt (eu-central-1) |

Sophos may engage other sub-processors as set forth in the Sub-processor list.

Retention

Sophos applies its retention policies to delete and purge data that is no longer needed for the purpose for which the personal data was originally collected.

Sophos Protected Browser data is stored for up to 90 days, unless such data is needed in order for Sophos to provide the services to the customer.

  • Configuration data configured at setup is retained until the service is no longer required (not deleted)
  • Logs age out after 90 days (Central)
  • Telemetry data is stored for 6 months
  • Troubleshooting logs are retained for 30 days

Security

Sophos secures customer information by authenticating access via username and password based on managed Active Directory group membership coupled with multi-factor authentication.

Sophos data centres have achieved SOC2 Type II certification to demonstrate its strong security practices, policies and internal controls environment.

For information about the security protections used in the data centers where customer data resides, visit the AWS Security Documentation Center.

Our Commitment to Privacy

Sophos is committed to complying with data protection rules and protection of personal data processed by the Sophos Protected Browser. Sophos will access data to the extent necessary to provide the services you have signed up for, enhance features and services that bring benefits to the customer, and for R&D innovation of future capabilities.

Access

Customer Access

Customers with access to Sophos Protected Browser can query that data using the Live Discover functionality in Sophos Central or via APIs. The tables and fields for Protected Browser data in the Data Lake can be found here. Customers with access to Sophos Protected Browser can also access reports and screens on Sophos Central that detail campaigns and users.

Sophos Access

Sophos Engineering monitors telemetry for planning future roadmap strategy and requirements, product development and enhancement, troubleshooting, and generating statistics and reports.

Sophos Labs or Sophos AI teams may access data for analysis, threat detection, research purposes and continuous improvement and evolution of our products and threat detections. Suspicious files that may contain personal information are treated as follows: a) If these files are convicted as malicious, they are treated as malware and will be blocked globally going forward; b) If these files are not convicted and are cleared as non-malicious, they are permanently deleted within sixty (60) days.

The manual escalations and automatic telemetry are stored in the SophosLabs HUB located in the UK. Data on manual escalations is retained for six months, whilst data collected on telemetry is retained for up to one year. In some rare scenarios, when test cases around an email are created, we retain the attached files (which may sometimes include the emails) indefinitely.

Disclaimer

The information contained in this privacy data sheet may change at any time and is only meant for general awareness. This Sophos Protected Browser Data Sheet is not meant to constitute legal advice, warranty of fitness for a particular purpose or compliance with any applicable laws.




Last updated February 2026