This is the data retention policy for the Skyhigh Security Cloud Platform, including all products and components.
The data retention policy for web access log data is set by Skyhigh Security. Collected data is kept in the databases for 100 days. Customers can purchase the SSE Data Retention option to restore the data for 365 days. It is deleted immediately after this retention period or, prior to this, upon receiving written instruction from a customer.
The data in the Skyhigh CASB for Shadow IT cloud infrastructure is aggregated on a daily, weekly, and monthly basis. Aggregation keeps daily data for 45 days, weekly data for 13 weeks, and monthly data for 14 months. Daily data is rolled up to weekly, and weekly is rolled up to monthly. Any data older than 14 months is deleted by default. Sanctioned data is set at 100 days unless the Skyhigh SSE Data Retention option is purchased which extends the data retention for a full year (10% of the price of the applicable Skyhigh Security Service Edge subscriptions being sold or renewed. The 10% applies for all deals $200K or above. For deals under $200K, the addon is a flat charge of $20K).
Skyhigh CASB's data retention policy applies to Sanctioned and Shadow data differently.
The Sanctioned Data is governed by the total count of incident number per incident type. By default, the maximum number of incidents per incident type is 2M. If you have purchased the Extended Sanctioned Data Plan, your data retention period for Sanctioned Data is 12 months instead of 100 days, and the maximum number of incidents per incident type is 7M.
If you would like to extend your data retention, contact Skyhigh Security Sales.
For details about Data Retention for GDPR, see About the GDPR.
Web policy data retention time is not determined by Skyhigh Security. This retention time is under the control of the customers.
Infrastructure/operational logs and telemetry data retention times depend on operational needs and legal requirements.
Skyhigh SSE allows tenants to specify which of Skyhigh regional POPs are used for which cloud services. This allows our customers to control which geographic locations their data is allowed to traverse into/out of. This capability addresses the requirements of customers with strict data residency requirements, which require data to be inspected, blocked or protected, prior to leaving the country.
When Skyhigh SSE enforces policies such as DLP or encryption, no data is persisted in Skyhigh SSE. All data passing through Skyhigh SSE for the purposes of DLP inspection is transient, meaning it is located in-memory for the duration of the DLP inspection, and then erased. So, Skyhigh SSE does not write any data to disk during its DLP inspection. If Skyhigh SSE is working in tandem with an existing enterprise DLP solution, it does not even access the contents of the file, which is sent on-premises for inspection. If the DLP inspection is happening on-premises, the Skyhigh SSE Enterprise Connector (EC) receives the location of the file and passes this information to the on-premises DLP solution via ICAP. In all of the above cases, Skyhigh SSE does not store any customer data after the DLP inspection is complete, ensuring customer data privacy and compliance. Additionally, Skyhigh SSE is ISO 27001 certified, ensuring policies and procedures are in place to protect Skyhigh SSE records from loss, destruction and falsification. Skyhigh SSE is also ISO 27018 certified, ensuring the privacy of individual PII data is preserved in the cloud.
Skyhigh Security’s Data Privacy Page is posted on our Legal Homepage. In addition to the Privacy Notice, Skyhigh’s standard Customer Data Processing Agreement and Cloud Services Agreement are also posted on the homepage.
Termination of Contract and Return of Stored Data
Musarubra (Skyhigh Security) agrees to negotiate terms upon your decision to pursue the Musarubra (Skyhigh Security and Trellix) solution. Musarubra (Skyhigh Security and Trellix) will meet the options defined in the termination of a service contract. Musarubra (Skyhigh Security and Trellix) acknowledges that returning/erasing customer data upon termination of an agreement is a requirement as per the GDPR.