How can you deploy Sophos Sandstorm in a GDPR-compliant manner?
Unfortunately, it is undisputed that the Sophos Sandstorm function protects your network much better than normal virus definitions. Like other manufacturers, Sophos relies on a cloud service that is used to scan and analyse unknown threats. For example, email attachments are mirrored in the Sophos Cloud, where they are analysed. The great advantage here is that the analysis is behaviour-based, so unknown threats for which there are no current signatures are also detected with a very high probability. Office documents in particular, which are unfortunately still very popular as file attachments, contain unwanted malicious code more and more often.
From our point of view, the Sophos Sandstorm license, which is part of the FullGuard Plus or Enterprise Protection Plus license, is a very useful addition for the best possible protection of your IT infrastructure. Even the German Federal Office for Information Security describes sandbox functionality as "de facto" state of the art.
What was the GDPR again?
In May 2018, a new European data protection regulation called the General Data Protection Regulation (GDPR) came into force. This regulation affects local data protection laws in all countries of the European Union and the European Economic Area. It applies to all companies that sell products to European citizens or businesses and store their personal data, including companies on other continents. The new regulation gives EU and EEA citizens more control over their personal data and ensures that their information is protected across Europe.
According to the GDPR, personal data is any data about an individual, such as names, photos, email addresses, bank details, social media posts, residence details, medical data or IP addresses. The data of your employees and your customers also falls under this regulation. Accordingly, if you send email attachments to a cloud, you cannot exclude the possibility that you are forwarding personal data. So that you do not have to obtain consent from each of your business partners, the legislator has created commissioned processing.
Cloud and GDPR - Can both coexist?
One does not have to exclude the other. It is only important that you comply with some framework conditions. To use a cloud sandbox in compliance with the local data protection regulations, you should conclude a so-called "contract for commissioned processing" between you and Sophos, and include and document this service in your data protection documentation.
And where can I conclude a commissioning agreement now?
You can conveniently conclude a commissioning agreement online. The contract is concluded for an indefinite period of time, and a list of "technical and organisational measures" is attached to it. You will not incur any further costs in this regard.
Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer gained experience in numerous projects. His interest in IT security was significantly awakened by his service in command support. Even after his service, he remains an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large