Two years into the global pandemic, video conferencing has not only become part of our daily routines, but it has also become the way we do business, how we learn, and the way we stay close to friends and family. It has gone from being a useful tool, to becoming mission critical.
Moving a large part of our lives online and embarking on the hybrid work journey also brings up questions: such as which video conference system is most suited to an organization’s or individual’s needs, and what level of data protection and privacy is offered. Customers, users, and data protection authorities across Europe want to make sure personal data is safe – and rightfully so.
To help organizations make these important decisions, ahead of International Privacy Day, we wanted to address five key topics relating to Webex by Cisco and privacy.
Cisco Webex: compliance with the GDPR
Webex was engineered with data protection by design and default, and can be used by customers in compliance with the GDPR and similar privacy laws around the world.
Webex has been declared adherent to the EU Cloud Code of conduct (EU Cloud CoC), demonstrating it can be used in compliance with the GDPR. The EU Cloud CoC solidifies the legal requirements of Article 28 of the GDPR for its practical implementation within the cloud market. The European Data Protection Board (EDBP), which includes all EU Member State Data Protection Authorities, has reviewed and approved the EU Cloud CoC. SCOPE Europe, an independent monitoring body, confirmed Webex meets all the requirements of the EU Cloud CoC.
For more information about Webex and the EU Cloud CoC, see Webex by Cisco earns adherence to the EU Cloud Code of Conduct.
EU data residency: ahead of schedule
Localized data processing in the EU is not an explicit regulatory requirement – GDPR allows for international data transfer mechanisms, derogations, and exceptions. Still, we provide customers with an appropriate level of choice and control over their data, including where data is stored and processed.
In July 2021, we opened a new data center in Frankfurt, Germany. For our EU customers, this means that all user-generated content (like messages, recordings, and files), for Webex alongside user profiles, and analytics are stored in the EU, in our data center in Frankfurt, with a back-up in Amsterdam, Netherlands. We are on track to deliver data residency for any remaining data as well in the EU in 2022.
Read more about EU data residency on our Webex Blog, Celebrating major strides towards full EU data residency for Webex customers.
Webex: a 360-degree approach to security
Security and privacy are core to Cisco. Protecting customer data is an ongoing priority and we continuously invest in compliance capabilities and in meeting international security and privacy standards.
Webex has a 360-degree approach to security, including strong encryption, highly secure search, device and browser protection, and retention and archiving defined by customers’ policy. Only authenticated users can view messages and files in Webex spaces.
We integrate security and privacy from the earliest stages of development, making sure they are built in by design, not bolted on after the fact. The Cisco Secure Development Lifecycle (CSDL) follows a secure-by-design philosophy from product ideation, through operation, to end-of-life. Privacy Impact Assessments (PIAs) are a required step in the CSDL process and must be completed before products are approved for launch.
In addition, Cisco has a longstanding “no backdoor” policy. We prohibit undisclosed product features that are designed to allow unauthorized device or network access, expose sensitive device information, or bypass security features or restrictions.
Webex was built to follow highly recognized privacy frameworks such as:
- EU Binding Corporate Rules – Controller
- C5 certification by the German BSI (defining security level for cloud computing)
- ISO 27001 (information security management)
- ISO 27017 (implementing information security processes)
- ISO 27018 (protecting personally identifiable information in public clouds)
- ISO 27701 (privacy information management)
- SOC 2 Type II (controls for safeguarding customer data)
- APEC Cross Border Privacy Rules
- APEC Privacy Recognition for Processors
Safeguard measures in line with the Schrems II ruling
The processing of personal data across international borders by Webex complies with the requirements of the Court of Justice of the European Union’s (CJEU) Schrems II ruling. We use approved transfer mechanisms listed in the GDPR, such as Binding Corporate Rules (BCR)–Controller and the new Standard Contractual Clauses (SCCs) together with additional technical, contractual and organizational measures. These additional safeguards follow the EDPB’s Recommendations for international data transfers in light of the Schrems II decision.
Read more about our response to Schrems II.
Note that the GDPR does not prohibit cross-border data transfers. It supports and promotes the safe and secure, global free flow of personal data, as long as the processing adheres to the EU standard of care. As the CJEU clarified in Schrems II, GDPR transfer mechanisms with additional safeguards can be used to legally transfer and process EU personal data outside of the EU.
Webex, Third Parties and our Principled Approach
We do not sell, monetize, or share customer personal data with third parties for marketing or advertising purposes.
In some cases, Cisco engages with service providers to assist in offering services for Webex. As sub-processors, these service providers operate only upon written instructions from Cisco and maintain the same level of security and privacy as we do. We are transparent with our customers about how their data is processed via our Privacy Data Sheets.
All Cisco sub-processors undergo a rigorous security and privacy assessment to confirm their compliance with our requirements. They are further bound by a data processing agreement which incorporates the EU Standard Contractual Clauses and places strict limits on their use and processing of any data provided by us or our Webex customers and users. Our Supplier Data Protection Agreement templates were part of the submission package for our BCR-Controller approval and Webex’s adherence to the EU Cloud Code of Conduct verification. EU regulators and independent assessors have confirmed our compliance.
Finally, if any government requests access to customer data, such as in case of a law enforcement process, we apply our ‘Principled Approach’. This states that, if we were to receive a government request to access data, Cisco does not automatically hand over data in response. First, we will seek to notify the customer and redirect the request to them as the data controller. We have publicly declared these commitments as a signatory to the Trusted Cloud Principles and included them in our customer contracts.
Twice a year, we publish transparency reports and publicly disclose information about the number and types of government demands for customer data we received for the relevant time period, and our responses.
We are committed to protect data, respect privacy, and deliver secure technologies and solutions to meet our customers’ needs. We welcome a conversation on privacy and security with customers, users, and data protection authorities alike. We hope our answers above help clarify our approach, our commitment to privacy and security, and the concrete actions we take to support that commitment.
For more information, visit the Webex Trust Center or get in touch with us.