Frequently Asked Questions

Privacy and Security questions

We process personal data that is necessary to administer and provide cybersecurity products and services in accordance with our customer agreements – including telemetry data from sensors used to detect cybersecurity threats and vulnerabilities. In the vast majority of cases, the data we process is anonymized and/or not directly identifiable. But in some cases, personal data associated with potentially malicious activity may be collected and quarantined for further analysis.

Personal data we may collect includes information about our customer end users’ computers, devices, applications, and networks, including internet protocol (IP) address, cookie identifiers, mobile carrier, Bluetooth device IDs, mobile device ID, mobile advertising identifiers, MAC address, IMEI, Advertiser IDs, and other device identifiers that are automatically assigned to computers or devices of customer end users. We also collect customer contact information (e.g., username, user email, phone number) to administer our contracts.

For more information about our personal data processing practices, see our Customer Data Processing Agreement, Data Transfer Addendum, Technical and Organizational Measures, List of Subprocessors, Privacy Notice, and Privacy Data Sheets.

We process personal data for purposes of monitoring, detecting, and responding to cybersecurity incidents and protecting against fraudulent or illegal activity, in accordance with our customers’ written instructions.

For more information about our purposes of processing, see our Customer Data Processing Agreement, Data Transfer Addendum, Privacy Notice, and Privacy Data Sheets.

To deliver our cybersecurity products and services, we use our own data centers as well as third-party infrastructure providers, which are located in a variety of locations in the United States and throughout the world. For a list of the third-party hosting and co-location providers that we engage, including their locations, see our List of Subprocessors. For information about the data center locations used for specific Trellix products and services, including configuration choices that customers may have to select local data centers, see our Privacy Data Sheets.

We use a variety of data transfer mechanisms to comply with personal data transfer restrictions worldwide. For example, to comply with EU requirements under GDPR, we generally use EU Standard Contractual Clauses as approved by the European Commission (which are incorporated into our Data Transfer Addendum), and/or other legal mechanisms recognized by EU data protection laws.

For more information about our data transfer mechanisms, see our Data Transfer Addendum and other resources regarding Transfer Impact Assessment.

Access to customer data is strictly limited to authorized individuals who require access in connection with the delivery of relevant Trellix products and services. For more information about who may access customer data for specific Trellix products and services (and for what purposes), see our Privacy Data Sheets.

Trellix retains personal data in connection with the use of our products and services only as long as necessary to fulfill the purpose(s) for which it was collected, which varies from product to product, and depends on customer configuration. We further retain data as necessary for purposes of satisfying legal, accounting, reporting and contractual requirements, resolving disputes, establishing legal defenses, conducting audits, pursuing legitimate business purposes, enforcing our agreements, and complying with applicable law.

For more information about retention and deletion of customer data for specific Trellix products and services, see our Privacy Data Sheets.

Protecting customer data is of utmost importance at Trellix. For information about specific controls we have in place, see our Technical and Organizational Measures, which are incorporated contractually into our Customer Data Processing Agreement.

Trellix is aligned with the ISO/IEC international standard to manage information security and is ISO 27001, ISO 27017, and ISO 27018 certified. This certificate can be viewed and downloaded from the Trellix Trust Center site.

Selectively, by product. Trellix has completed a number of SOC 2 Type 2 audits and reports are available on the Trellix Trust Center site.

Trellix uses a minimum of AES 256-bit encryption for data at rest that is deemed to be highly sensitive. A minimum of TLS v1.2 is used for data in transit.

Yes, Trellix regularly performs penetration testing on our own systems to strengthen and protect them. Trellix also engages accredited third-party vendors to perform penetration testing on our systems.

Yes, Trellix conducts quarterly vulnerability scans on individual products to self-evaluate security control states.

Yes, the Trellix CISO is Harold Rivas, who leads a dedicated Information Security team, including Governance, Risk & Compliance.

Security policies are developed based on security standards such as ISO 27001. The security policies are reviewed at least annually by the Information Security team and approved by the Chief Information Security Officer (CISO). These policies include, but are not limited to, information handling, system management, incident response, access control, employee accountability, and data retention.

Trellix has a Business Continuity Plan in place. There is a designated team in place to handle all BC and DR responsibilities.

Customers can subscribe to the Trellix Support Notification Service (SNS) as a means to receive Trellix product alerts, notifications, news and best practices to help increase functionality and protection capabilities of their Trellix products and services.

If you have any questions about our products and services, please complete this form, and we will contact you shortly.