Data Retention Policy

Protecting sensitive customer data is a core aspect of the Forcepoint ONE SSE solution. Forcepoint ONE SSE only sits in front of applications that house or assist in the transfer of corporate data. Forcepoint ONE SSE provides IT with visibility and control over these applications.

This section outlines what types of data are retained in the Forcepoint ONE SSE portal, the level of detail of that data, and who at Forcepoint ONE SSE can have access for special use cases (e.g. customer support, bug analysis).

Event logs are generated as traffic passes through Forcepoint ONE SSE, based on the activity that is occurring. Audit logs are generated as a user uses secured applications. Each detail listed below is followed by one X for each of the following log sources that record it:

  • Access Dashboard (proxy related data)
  • Cloud Dashboard (API related data)
  • Web Proxy Logs (SecureEdge Agent)
  • People (data manually entered or synced via AD agent)

Time - Timestamp of when the access or transaction occurred (stored in GMT). X X X
User - The user's email address and the user's Forcepoint ONE account name. X X X X
User Group - The group(s) the user belongs to in Forcepoint ONE. X X X
Device - The device utilized during the event. X X X (Lists all of the user's mobile devices)
Device GUID - The GUID of the user's device. X X
Application - The app used which generated the event. X X X
App Instance Name - Name of the app instance the event occurred in. X
Salesforce OrgID - The OrgId of the Salesforce tenant the event occurred in. X
IP address - Gathered from the network layer, which may not be the actual end user's IP. X X
Location - Based on a reverse lookup of the IP address, with granularity to the city/region level. X X
Activity - One or more tags indicating the specific user behavior associated with the transaction. X X
Action - The policy action that Forcepoint ONE SSE took for the transaction. X X X
User Agent - Detailed information about the device being used. X X X
Transaction ID - Transaction ID of the event. X
Cloud File ID - ID of the cloud file in the event. X
Tags - Event-based identifiers based on the activity performed (e.g. Access, Email). X
Information - The URL, GET/POST request, user-agent string, MIME type, file name. X X
Name - File name. X X
Type - Type of file. X
Size - Size of the file. X
Owner - User account who owns the file. X
Team - Slack team the file owner belongs to. X
Status - One or more tags indicating specific user behavior associated with the file. X
ID - ID number of the file. X
Path - Path to the location of the file. X
Link - Link to view the item. X
Shared With - Users who the file is shared with. X
DLP Match Locations - Locations where a DLP pattern was matched. X
Attachments - If the file is an email, whether it contained any attachments. X
DLP - DLP pattern matched. X
First Name X X
Last Name X X
Secondary Email X
NetBios Domain X
SAMAccountName X
User Principal Name X
Object-GUID X
Custom Attribute(s) X
Forcepoint ONE SSE Categories - Category of app or site X
Forcepoint ONE SSE Cloud Score - Cloud Risk score given to the app X
Custom Categories - Defined by customer X
Company ID X
Policy ID X X X
Destination IP X
Classify Request X
Internal Network Device IP X
Device Host name X
File Download Markers X
File Upload Markers X
Gateway IP X
Latitude Based on Gateway IP X
Longitude Based on Gateway IP X
App Protocol (request port and app layer protocol) X
Received Bytes (download) X
Region Code based on gateway IP X
Request ID - GUID per request assigned X
Sent Bytes (upload) X
Request URI X
Webroot Category X
Webroot attribute Classification X
Webroot Reputation X

Files transferred as email attachments or via app upload/download can be configured to be watermarked. Forcepoint ONE SSE will proxy the file, insert watermark tracking information and/or check for regex matches against DLP patterns, generate a watermark log containing the file name, and send the file onward. The file and its contents are not retained by Forcepoint ONE SSE in any way. The watermark log contains the same information as a standard event log, as described above.

Customer support personnel are sometimes needed to walk a customer's admin through configuration or to help debug a problem with the system. This process sometimes involves visibility into the customer's event logs and configuration settings. During this process no customer data is extracted or retained for debugging purposes without necessity and approval by the customer.

Apart from the data types with a stated retention timeframe, all other data is kept and only deleted upon request or customer contract termination (then subject to customer deprovisioning).

The table below lists each data type with its primary storage, secondary archive, and notes.

Data type: Payload data, e.g. email contents, attachments, files, etc.
Primary storage: Stored temporarily on encrypted volumes during processing. This occurs on the dataplane the user is routed through during the session.
Secondary archive: Never stored.
Notes: AWS encrypted EBS.

Data type: Proxy, API, and Admin Logs, which include:
  • Proxy Access Logs
  • Cloud API Audit Logs
  • Forcepoint ONE SSE Admin portal Logs
  • Analytics meta-data derived from logs
Logs include IP location, user name, time, filenames, URL, device type, activities, actions, etc.
Primary storage: Stored for 30 days on US East Datacenter.
Secondary archive: Stored in customer isolated encrypted archives [opt out optional].
Notes: Encrypted archives stored 6 years for compliance, deleted upon request.

Data type: SWG Logs, which include SmartEdge agent web proxy audit and DLP logs (Web Proxy and Web DLP Dashboards).
Primary storage: Stored for 30 days on US East Datacenter.
Secondary archive: Log data storage is as follows, on a continuous sliding window:
  • 00-30 days: Data is stored and viewable in your Forcepoint ONE tenant.
  • 30-45 days: Data is no longer available in your tenant, but can still be accessed via REST API for log pulling.
  • 45 days - 6 months: Data is in frozen offline storage. Data can be retrieved upon request.
  • After 6 years: Data that has been stored for longer than 6 years is automatically deleted.
Notes: It is recommended that customers wishing to store log data indefinitely pull the log data via Log Export.

Data type: Cloud API file meta-data and IaaS configuration setting metadata (for CSPM).
Primary storage: Stored in customer isolated DB and read-replicas, deleted upon request. API calls originate from US East datacenter.
Secondary archive: Database backups to customer isolated encrypted store.
Notes: Data deleted upon request.

Data type: Policy.
Primary storage: Stored in shared primary DB and synced globally across all dataplanes for read-replicas.
Secondary archive: Database backups to encrypted store.
Notes: Data deleted upon request.

Data type: People (data manually entered or synced via AD agent).
Primary storage: Stored in shared primary DB and synced globally across all dataplanes for read-replicas.
Secondary archive: Database backups to encrypted store.
Notes: Data deleted upon request.

Data type: Key vaults (master keys on AWS Key Management Service).
Primary storage: Stored in shared encrypted DB, deleted upon request. Keys are only ever held in memory on the dataplane the user is passing through, for use in encryption/decryption.
Secondary archive: Database backups to encrypted store.
Notes: Data deleted upon request.

Data type: Encrypted Salesforce data and metadata.
Primary storage: Stored encrypted in shared primary DB and read-replicas on either US East or US-West datacenter (customer choice), deleted upon request.
Secondary archive: Database backups to encrypted store.
Notes: Data deleted upon request.
  • Global Public Cloud Deployments: Data may be processed or stored in the country of usage, e.g. if you are a US based company but your users travel to or connect from outside the US, data processing will occur at the AWS data center nearest the user, which may be outside the US.
  • Geo-specific Public Cloud deployments: Data is stored and processed only in the Forcepoint ONE SSE AWS data center regions specified, e.g. EU, Canada.
  • Private cloud deployments: Data is stored and processed within the private cloud data centers.
  • MilCloud & GovCloud deployments: Contact your Forcepoint ONE SSE representative for more information.

Forcepoint ONE SSE utilizes AWS for media destruction and decommissioning of devices that contain the data noted above. AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.