Last Updated: April 26, 2023
Trellix safeguards the personal data our customers entrust us to process when we must transfer that data to a third country — whether for the purposes of support, security, or sub-processing.
Trellix transfers Personal Data (as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement) outside the United States or the European Union as necessary to provide Trellix products and services to you. For example, we have offices around the world, and in some of those offices, our employees may need to access personal data. In addition, we may have vendors outside the United States, or our vendors may be in the United States but have operations in other countries.
The transfer impact assessments below identify and describe the risks associated with data transfers of Customer Data to third countries, as well as any supplementary measures we have taken - or have required our vendors to take - to safeguard personal data. Please see our Customer Data Processing Agreement for any details, such as the nature of the processing or the retention period of the data, that are not specific to onward transfer. In all cases, the categories of data subjects are Trellix customers and their end users. Please see our list of Sub-processors to see where we transfer data to our vendors outside the United States.
Table of Contents
Q: What is a transfer impact assessment?
A: Trellix’s Customer Data Processing Agreement now incorporates the 2021 versions of the Standard Contractual Clauses (SCCs). In response to the heightened requirements created by the Schrems II decision, these new SCCs require a data importer (such as Trellix) to provide specific information about data transfers it undertakes, and requires importers to conduct a transfer impact assessment to evaluate risks involved with the transfer of personal data to countries outside the EEA. The SCCs also require a data importer to consider any supplemental technical and organizational security measures and additional assessments may be required to mitigate risks before transferring any personal data across borders.
Q: Is Trellix taking supplementary measures in order to protect personal data??
A: If you are performing your own Transfer Impact Assessment and are interested in information about Trellix’s own supplementary measures, please take a look at our Supplemental Measures to Protect Customer Personal Data statement and at Exhibit B of our Customer Data Processing Agreement, which sets out our supplementary measures in detail. We are currently in the process of implementing additional supplementary measures and will continue to watch for additional guidance from our Data Protection Authorities and from the EDPB.
Q: Can I continue to transfer data to the US?
A: Yes. In response to Schrems II, the European Data Protection Board (EDPB) has made clear that Standard Contractual Clauses remain valid data transfer mechanisms. As the EDPB states in its guidance, however, transfer mechanisms do not operate in a vacuum, and may need to be paired with supplementary measures that enhance protection of personal data.
Purpose for transfer and any further processing: |
Internal transfer: Trellix has offices in Australia, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. Transfer to sub-processor: Trellix uses a sub-processor who stores data in Australia. Please see our list of Sub-processors for specific information. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. Transfer to sub-processor: Data is transferred as directed by the controller. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to Australia, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Each Trellix sub-processor has a law enforcement request policy in place and will notify Trellix, where permitted by law, before disclosing information in response to a request. Each Trellix sub-processor has shared their technical and organizational security measures to protect Trellix data and have agreed to retain data for a maximum of 60 days. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Each Trellix sub-processor has agreed to contractual measures that are at least as restrictive as those Trellix has agreed to with our controllers. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. Transfer to sub-processor: Data is transferred externally to our subprocessor. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has an office in Columbia, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to Columbia, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has an office in India, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to India, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has offices in Japan, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. Transfer to sub-processor: Trellix uses a sub-processor who stores data in Japan. Please see our list of Sub-processors for specific information. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. Transfer to sub-processor: Data is transferred as directed by the controller. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to Japan, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Each Trellix sub-processor has agreed to contractual measures that are at least as restrictive as those Trellix has agreed to with our controllers. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. Transfer to sub-processor: Data is transferred externally to our subprocessor. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processor. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has an office in Malaysia, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to Malaysia, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has an office in Mexico, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. |
The frequency of the transfer (e.g., whether the data is transferred on a oneoff or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to Mexico, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has an office in Singapore, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. |
The frequency of the transfer (e.g., whether the data is transferred on a oneoff or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to Singapore, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix has an office in the UAE, and Trellix employees may need to access Personal Data for purposes such as support, anti-fraud, or security. |
The frequency of the transfer (e.g., whether the data is transferred on a oneoff or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. |
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to the UAE, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. |
Purpose for transfer and any further processing: |
Internal transfer: Trellix stores all personal data in the United States. Trellix’s headquarters and many Trellix offices are located in the United States, and Trellix employees located in the United States need to access Personal Data for purposes such as support, anti-fraud, or security. Transfer to sub-processor: Trellix uses several sub-processors who store data in the United States and whose employees may access personal data in the United States. Please see our list of Sub-processors for specific information. |
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): |
Internal transfer: Data is transferred on a continuous basis. Transfer to sub-processor:
|
Categories of personal data transferred: |
Internal transfer: Personal Data, as defined in Trellix’s Privacy Notice and Customer Data Processing Agreement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about the categories of personal data sent to this country. |
Sensitive data transferred (if applicable): |
We do not intentionally transfer any sensitive data to the United States, unless directed to by the controller. |
Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: |
Internal transfer: Trellix’s applied security measures for Internal transfers are available in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Each Trellix sub-processor has a law enforcement request policy in place and will notify Trellix, where permitted by law, before disclosing information in response to a request. Each Trellix sub-processor has shared their technical and organizational security measures to protect Trellix data and have agreed to retain data for a maximum of 60 days. |
Supplemental Security Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures. |
Supplemental Organizational Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Please see our list of Sub-processors for specific information about individual sub-processors’ technical and organizational security measures. |
Supplemental Contractual Measures: |
Internal transfer: Please see an overview of the supplementary measures we take to safeguard personal data in our Supplemental Measures to Protect Customer Personal Data statement. Transfer to sub-processor: Each Trellix sub-processor has agreed to contractual measures that are at least as restrictive as those Trellix has agreed to with our controllers. |
Length of processing chain: |
Internal transfer: Data is transferred internally within Trellix. Transfer to sub-processor: Data is transferred externally to our subprocessors. |
Applicable transfer mechanism: |
Internal transfer: Intracompany Agreement. Transfer to sub-processor: Standard Contractual Clauses for onward transfer to our sub-processors. |
Have more questions? Submit a request