Cisco SD-WAN Cloud Privacy Data Sheet


Cisco Public Privacy Data Sheet

Cisco SD-WAN Cloud


This Privacy Data Sheet describes how Cisco’s SD-WAN Cloud processes personal data.

1. Overview of SD-WAN Capabilities


The Cisco SD-WAN solution is a software-defined wide area network (SD-WAN) solution that allows customers
to (i) orchestrate network policies and manage their network from a centralized console, and (ii) segregate the
management, control, and orchestration layers from the device transport layer. This enables network policy,
control, and orchestration to be performed across the entire network of compatible Cisco routers (physical or
virtual) in a secure and extensible manner.

SD-WAN data is stored based on how the solution is deployed. As a result, Cisco only stores data from SD-WAN
when a Customer deploys SD-WAN in a Cisco-Hosted Cloud. If a Customer deploys SD-WAN on a private or
third-party cloud, SD-WAN data is not accessible to Cisco unless the Customer specifically opts to share such
data with Cisco, for example, for troubleshooting or support purposes.

Other than the personal data described in this Privacy Data Sheet, the data collected by the Cisco SD-WAN
Cloud consists of network traffic metadata and non-personal telemetry data (i.e., configuration data, logs, device
health, application usage data, edge usage data, license compliance data). Network traffic information remains
at the routing transport layer and is not sent to Cisco’s Cloud.

2. Personal Data Processing


The table below describes how Cisco may process and store personal data when a Customer uses the Cisco
SD-WAN Cloud.

Personal Data Category: System Administrator Log-In Information

Types of Personal Data:
• Sys Admin Username, Email, and Password
or
• Cisco Single Sign-on (i.e., SmartAccount), pursuant to which any personal data is processed through the Smart Account service. (For more information, see https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-smart-software-license-privacy-data-sheet.pdf)

Purpose of Processing:
• Provision of the service (i.e., authenticate authorized users of the solution), audit logs, troubleshooting, and support.

Note: Except where required by law or enabled by Customer, this data is stored locally and not accessible by Cisco.

Personal Data Category: End User Device Identifiers

Types of Personal Data:
• Source IP address

Purpose of Processing:
• Provision of services such as the optional deep packet inspection and vAnalytics services meant to offer insights into network and application behavior.

Note: End User Device IP address data collected by SD-WAN is dynamic, not fixed, and not associated with End User personal information. As a result, such data is not identifiable by Cisco and cannot be associated with any host/user information unless provided by Customer.

©2020 Cisco and/or its affiliates. All rights reserved. Version 2.0, November 2020

3. Cross-Border Transfers
Cisco has invested in a number of transfer mechanisms to enable the lawful use of data across jurisdictions. In
particular:

• Binding Corporate Rules
• EU-US Privacy Shield Framework
• Swiss-US Privacy Shield Framework
• APEC Cross Border Privacy Rules
• APEC Privacy Recognition for Processors
• EU Standard Contractual Clauses

Cisco SD-WAN leverages third party cloud services. The following table shows where these data centers are
located, for reference purposes only. Please note that specific data center locations may change over time
and this Privacy Data Sheet will be updated to reflect those changes if they occur.

Destination Country

• For the Cisco-Hosted SD-WAN Cloud, Customers choose one of the following region-specific data centers
appropriate for their environment: Australia, Brazil, Germany, India, Ireland, Japan, Singapore, US.

• For the vAnalytics feature, the data center is located in the US.

4. Access Control

Personal Data Category: System Administrator Log-In Information

Who has access: Cisco
Purpose of the access:
• Upon customer providing access, provide troubleshooting and technical support for the service
• Provision of the service
• Communicate service and product updates to customer

Who has access: Customer
Purpose of the access:
• Use the service (i.e., authenticate authorized users of the solution)

Personal Data Category: End User Device Identifiers

Who has access: Cisco
Purpose of the access:
• Providing the optional vAnalytics service (i.e., analytics and insights to network and application performance)

Who has access: Customer
Purpose of the access:
• Use of the optional vAnalytics service (i.e., analytics and insights to network and application performance)

5. Data Portability
Customer (or a managed service provider (MSP) in the MSP context) is able to download and transfer audit logs and network
statistic data.

6. Data Deletion & Retention


Personal Data Category: System Administrator Log-In Information

Retention Period:
• During customer’s active Cisco SD-WAN subscription, plus 3 years thereafter
Reason for Retention:
• Customer’s use of the service
• Provide troubleshooting and technical support for the service
• Insights and analytics

Personal Data Category: End User Device Identifiers

Retention Period:
• During customer’s active Cisco SD-WAN subscription, plus 1 year thereafter
Reason for Retention:
• Customer’s use of the services
• Insights and analytics

Note: Any data retained longer than stated above is anonymized and used for product improvement purposes only.

7. Personal Data Security


Personal Data Category: System Administrator Log-In Information
Type of Encryption: Encrypted at rest with AES-256 algorithm. Encrypted in transit with TLS 1.2.

Personal Data Category: End User Device Identifiers
Type of Encryption: Encrypted at rest with AES-256 algorithm. Encrypted in transit with TLS 1.2.

8. Third Party Service Providers (Sub-Processors)


Cisco partners with service providers who contract to provide the same level of data protection and information security that
you can expect from Cisco. A current list of sub-processors for the service is below:

Sub-processor: AWS
Personal Data:
• Sys Admin Username and Password
Service Type: Hosting infrastructure services
Location of Data Center: Customers choose the region-specific data center appropriate for their environment (Australia, Brazil, Germany, India, Ireland, Japan, Singapore, USA).

Sub-processor: Microsoft Azure
Personal Data:
• Sys Admin Username and Password
Service Type: Hosting infrastructure services
Location of Data Center: Customers choose the region-specific data center appropriate for their environment (Australia, Brazil, Germany, India, Ireland, Japan, Singapore, USA).

Sub-processor: Okta
Personal Data:
• Sys Admin Email and Password
Service Type: Authentication
Location of Data Center: USA, Europe

Sub-processor: Walkme
Personal Data:
• Sys Admin Username and Hostname
Service Type: Interactive help guide for SD-WAN admins. Note: Subprocessor will collect data if customer uses this optional feature.
Location of Data Center: USA

9. Information Security Incident Management


Breach and Incident Notification Processes
The Data Protection & Privacy team within Cisco’s Security & Trust Organization coordinates the Data Incident
Response Process and manages the enterprise-wide response to data-centric incidents. The Incident
Commander directs and coordinates Cisco’s response, leveraging diverse teams including the Cisco Product
Security Incident Response Team (PSIRT), the Cisco Security Incident Response Team (CSIRT), and the
Advanced Security Initiatives Group (ASIG).

PSIRT manages the receipt, investigation, and public reporting of security vulnerabilities related to Cisco
products and networks. The team works with Customers, independent security researchers, consultants,
industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
The Cisco Security Center details the process for reporting security incidents.

The Cisco Notification Service allows Customers to subscribe and receive important Cisco product and
technology information, including Cisco security advisories for critical and high severity security vulnerabilities.
This service allows Customers to choose the timing of notifications, and the notification delivery method (email
message or RSS feed). The level of access is determined by the subscriber's relationship with Cisco. If you
have questions or concerns about any product or security notifications, contact your Cisco sales representative.

10. Certifications and Compliance with Privacy Laws


The Security and Trust Organization and Cisco Legal provide risk and compliance management and
consultation services to help drive security and regulatory compliance into the design of Cisco products and
services. Cisco and its underlying processes are designed to meet Cisco’s obligations under the EU General
Data Protection Regulation and other privacy laws around the world.

Cisco leverages the following privacy transfer mechanisms related to the lawful use of data across jurisdictions.
See Section 3, above.


In addition to complying with our stringent internal standards, Cisco also maintains third-party validations to
demonstrate our commitment to information security.

11. General Information and GDPR FAQ


For more general information and FAQs related to Cisco’s Security Compliance Program and Cisco’s GDPR
readiness, please visit The Cisco Trust Center.

Cisco Privacy Data Sheets are reviewed and updated on an annual, or as needed, basis. For the most current
version, go to the Personal Data Privacy section of the Cisco Trust Center.
