Product Privacy Statement

Effective Date: June 1, 2021

This Product Privacy Statement (the “Product Privacy Statement” or “Statement”) explains how Wazuh, Inc. and its subsidiaries and affiliates (“Wazuh”, “we”, “us”, and “our”) collect, use, and share information, including information relating to an identified or identifiable natural person (“Personal Data”) from our customers or users (“you” and “your”) when you use or demo our Wazuh products, but also including any other services maintained by Wazuh for use by our users, such as support services (together “the Products”).

Product Privacy Statement: Contents

Scope & Responsibilities
Information We Collect From the Products
How We Use the Information We Collect from the Products
How We Share the Information We Collect from the Products
How We Use Cookies and Automatic Data Collection Tools
Legal Basis for Processing Information We Collect from the Products
User Privacy Rights and Choices
Security
International Data Transfers
California Privacy Rights
Other Information
How to Contact Us

Scope & Responsibilities

This Statement applies only to the information we collect automatically in connection with your use of the Products and for which we determine the means and purpose of processing (i.e., as a “data controller”). This information includes Product Usage Data (defined below) and Operations Data (defined below), which are generally technical and aggregated but may include limited Personal Data such as the IP/MAC address of the user’s device and identifiers.

Our legal basis for processing such information in the European Economic Area (EEA) is our legitimate interest in performing, improving, maintaining, and securing our Products, providing support for users of our Products, and operating our business efficiently and appropriately. We have assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals.

This Product Privacy Statement does not cover:

Personal Data processed according to our General Privacy Statement, such as Personal Data collected through: our websites, such as https://wazuh.com, (together the “Sites”); product feedback or surveys; the sales and provisioning process; and in connection with Wazuh events, sales, and marketing activities. Please, see our General Privacy Statement for details on how this information is processed.
Personal Data processed according to our Applicant Privacy Statement when an individual applies for a role with Wazuh through our Site or otherwise.
Customer Content. Wazuh Products permit customers to ingest, or upload and submit, content to the Products (“Customer Content”). This Statement does not cover Customer Content, including any Personal Data contained in Customer Content, because the Customer, rather than Wazuh, controls how Customer Content is processed. Any questions about the processing of Customer Content should be addressed to the Customer directly.
Organizational Users. When you use the Products on behalf of an organization (e.g., your employer), your use is administered and provisioned by your organization per its own policies regarding the use and protection of Personal Data. If you have questions about how your data is being accessed or used by your organization, refer to your organization’s privacy policy and direct your inquiries to your organization’s system administrator.

Please, contact privacy@wazuh.com with any questions about this Statement.

Information We Collect from the Products

Wazuh automatically collects “Operations Data” and “Product Usage Data” from your use of the Products. Operations Data is information we use to facilitate the delivery of the Products, manage and monitor infrastructure, and provide support. Product Usage Data is information we use for product analytics and improvement. This information is generally technical and aggregated but may include limited Personal Data such as IP/MAC addresses and identifiers (including cookies). Depending on the Product, the information may include:

Products and System Data: this is information about the Products you are using and about the systems and related environment from which you access the Service. Examples include Product type and version, license information, installed plug-ins, UUID, and third-party systems used in connection with the Product.
Cluster Data: this is information about your Wazuh Cluster. Examples include statistics related to uptime, node count, node types, indexes, shards, and segments.
Performance Data: this is information about the performance of the Products. Examples include metrics on the performance and scale of the Products, and response times.
Feature Usage Data: this is information about how the Products are used. Examples include details about which features are used and user interface metrics.
Endpoint Security Data: for endpoint security Products, this is information on and from the endpoints on which endpoint security software is installed. Examples include information on sensor performance and configuration and detection events.

How We Use the Information We Collect from the Products

Wazuh uses the information automatically collected from the Products to support our customers and improve the Products; more detailed information is provided below. Wazuh strives to collect only the minimum amount of information needed to achieve these purposes. As between Operations Data and Product Usage Data, the same data may be used for both purposes.

How we use Product Usage Data

Wazuh uses Product Usage Data to improve our Products, support our Customers, support business-to-business marketing and sales, comply with legal requirements, and for other legitimate business purposes. More information on each category follows:

Product Improvement: Wazuh may use Product Usage Data to analyze the use of the Products; prioritize testing and development of new features and functionality; improve our support responses; improve forecasting; make pricing and packaging decisions; identify, understand, and anticipate performance issues and the factors that affect them;
Customer Support: Wazuh may use Product Usage Data to provide proactive or reactive support to our customers, such as guidance to help optimize usage; identify product improvement opportunities; prioritize future product features; personalize your experience, suggest other Wazuh Products, and increase engagement and adoption of our features (e.g., by providing product suggestions).
Business to Business Marketing and Sales: Where permitted by law, Wazuh may use Product Usage Data to market additional Products to our customers and to inform sales discussions.
Legal Requirements. Wazuh may be required to access Personal Data contained in Product Usage Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect or defend our rights or property of Wazuh or users of the Products, protect the safety of others, to investigate fraud, or respond to government requests, including public and government authorities outside a user’s country of residence, for national security or law enforcement purposes.
Other Legitimate Business Purposes: Wazuh may use Product Usage Data when it is necessary for other legitimate purposes.

How we use Operations Data

Wazuh uses Operations Data for purposes such as facilitating Product delivery, administering accounts, providing support, maintaining security, detecting fraud, complying with legal requirements, and for other legitimate business purposes. More information on each category follows:

Facilitate the delivery of the Products: Wazuh may use Operations Data to facilitate the delivery of the Products.
Conduct account administration and similar Products related activities: Wazuh may use Operations Data to provide the Products and for account management. Examples include managing product downloads, updates and fixes, and sending other administrative or account-related communications, including release notes and billing information.
Provide support: Wazuh processes Operations Data when users or other individuals contact Wazuh via one of our support channels to be contacted by us about the relevant support request. In some cases, users may need to send us copies of any affected files, logs, or other information to enable us to assist with the support request. In such cases, we will use such information to respond to, troubleshoot, and otherwise resolve the support request.
Maintain the security of our infrastructure and Products: Wazuh may use Operations Data to maintain the security and operational integrity of the Wazuh IT infrastructure and our Products for the purposes of security monitoring and incident management, managing the performance and stability of the Products, and addressing technical issues.
Administer our disaster recovery plans and policies: Wazuh may use Operations Data to operate our backup disaster recovery plans and policies.
Detect fraud: Wazuh may use Operations Data to help monitor, prevent, and detect fraud, enhance security, monitor and verify identity or access, and combat spam or other malware and security risks.
Confirm customer compliance with contractual obligations: Wazuh may use Operations Data to confirm compliance with contractual and other terms of use and obligations in connection with the relevant Products.
Comply with legal obligations: Wazuh may use any of the Operations Data to comply with applicable laws and regulations and to operate our business, to comply with legally mandated reporting, disclosure, or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting, and in the context of dispute resolution.
Other legitimate business purposes: Wazuh may use Operations Data when it is necessary for other legitimate purposes.

How We Share Information We Collect from the Products

We take care to ensure that the Product Usage and Operations Data, including any Personal Data contained therein, is accessed internally only by individuals that require access to perform their tasks and duties, and externally only by service providers with a legitimate purpose for accessing it. Such service providers are required by contract to safeguard any Personal Data from us and are prohibited from reusing the Personal Data for any purpose other than to perform the services as instructed by Wazuh. We will not sell your Personal Data or allow a third party to use your Personal Data for its own commercial purpose. See the section titled How We Share the Information in our General Privacy Statement for more information.

How We Use Cookies and Automatic Data Collection Tools

Depending on the Product you use, we may use cookies or other tracking technologies in furtherance of the purposes described in this Statement. The types of technology we use may change over time. Some of these technologies are essential for the provision of the Products, such as account access and authentication; others assist with the performance and functionality of the services, such as recognizing returning users or remembering preferences; and others enable us to analyze and customize the Products.

Legal Basis for Processing Information We Collect from the Products

Our legal basis for processing Personal Data contained in the information we collect from the Products in the European Economic Area (EEA) is our legitimate interest in performing, improving, maintaining, and securing our Products and operating our business efficiently and appropriately. We have assessed that these legitimate interests are not overridden by the data protection interests or fundamental rights of any individuals.

If you have questions about this or need further information concerning the legal basis on which we collect and use Personal Data, contact us at privacy@wazuh.com.

User Privacy Rights and Choices

We only collect a limited amount of Personal Data to fulfill the purposes outlined in this Statement. To the extent provided under applicable laws, users may request to access, correct, update, or delete such Personal Data, or otherwise exercise their choices with regards to such Personal Data by contacting us at privacy@wazuh.com.

Residents of the European Economic Union (EEA) have the right to complain to a data protection authority about our collection and use of their Personal Data. For more information, please contact your local data protection authority.

Security

Wazuh is committed to protecting the security of Personal Data. We use appropriate technical and organizational measures to protect Personal Data from unauthorized access, use, or disclosure. Despite these measures, Wazuh cannot eliminate security risks associated with Personal Data and mistakes, and security breaches may happen. If there are any questions about security, contact us at privacy@wazuh.com.

International Data Transfers

Personal Data of an individual may be transferred to, and processed in, countries other than the country in which the individual resides. These countries may have data protection laws that are different from the laws of the individual’s country of residence.

Specifically, if an individual resides in the EEA, such individual should note that their Personal Data may be accessed by employees or suppliers, transferred, or stored outside the EEA, to countries, including the US, which have different data protection laws than in the EEA.

For the transfer of Personal Data to Wazuh entities outside of the European Union, we have agreed on respective EU Model Clauses between the Wazuh entities. We have taken appropriate safeguards to ensure that such Personal Data will remain protected under this Products Privacy Statement, and we put in place adequacy mechanisms to protect your Personal Data in our agreements with our service providers.

California Privacy Rights

See our California Privacy Rights Statement for information about California Privacy Rights, and other required disclosures, if any.

Other Information

Data Retention. We retain information collected in connection with the Products for so long as necessary to fulfill the purposes outlined in this Statement or where we have an ongoing legitimate business need to do so (for example, to provide a user with a service that was requested or to comply with applicable legal, tax or accounting requirements).

Changes to this Product Privacy Statement. This Statement is subject to occasional revision. We will provide notice of any material changes if and where required by applicable data protection laws.

The date of the most recent update to this Statement can be found by checking the “effective” date displayed at the top of this Statement.

How to Contact Us

If you have any questions or concerns regarding this Statement, you may contact us via email at privacy@wazuh.com.

If we are unable to resolve your concerns, you have the right to contact your local data privacy supervisory authority or seek a remedy through the courts if you believe your requests to exercise your rights have not been honored.