Axon Cloud Services Privacy Policy

Last Updated: August 23, 2019

This Axon Cloud Services Privacy Policy (“Policy”) applies only to the information that Axon Enterprise, Inc. (“Axon”) collects and you or your employer (collectively, “Customer”) provide to Axon in connection with Customer’s use of Axon Cloud Services (as defined below). Axon's marketing sites and other public websites are governed by the Axon Privacy Policy. Usage of Axon Citizen is governed by the Axon Citizen Privacy Policy.

Unless otherwise provided in this Policy, this Policy is subject to the terms of the Master Services Purchasing Agreement, or other similar agreement, if any, between Axon and Customer (“Agreement”). To the extent this Policy contains terms and conditions that differ from those contained in the Agreement, the Agreement shall control. A concept or principle covered in this Policy shall apply and be incorporated into all other provisions of the Agreement in which the concept or principle is also applicable, notwithstanding the absence of any specific cross-reference thereto. All capitalized and defined terms referenced, but not defined, in this Policy shall have the meanings assigned to them in the Agreement.

Axon complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States (collectively, “Privacy Shield”). Axon has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view Axon's certification, please visit https://www.privacyshield.gov/.

By using Axon Cloud Services, Customer acknowledges that Customer has read and understands this Policy and Customer agrees to be bound by its terms and conditions. Axon may occasionally update this Policy. When Axon posts changes, Axon will revise the "last updated" date at the top of this page. Customer’s continued use of Axon Cloud Services will signify Customer’s agreement and acceptance to any such changes.

Definitions

  • “Axon Cloud Services” means Axon’s web services hosted on evidence.com (“Axon Evidence”) and other related offerings, including, without limitation, interactions between Axon Evidence and Axon Products (as defined below).
  • “Axon Products” means:
    (1) Axon Cloud Services;
    (2) devices sold by Axon (including, without limitation, conducted energy weapons, cameras, sensors, and docking systems) (collectively, “Axon Devices”);
    (3) other software offered by Axon (including, without limitation, Axon Capture, Axon Evidence SYNC, Axon Device Manager, Axon View, Axon Interview, Axon Commander, Axon Uploader XT, and Axon View XL) (collectively, “Axon Client Applications”); and
    (4) ancillary hardware, equipment, software, services, cloud-based services, documentation, and software maintenance releases and updates. Axon Products do not include any third-party applications, hardware, warranties, or the 'my.evidence.com' services.
  • “Customer Data” means:
    (1) “Customer Content”, which means data uploaded into, ingested by, or created in Axon Cloud Services within Customer’s tenant, including, without limitation, media or multimedia uploaded into Axon Evidence by Customer (“Evidence”); and
    (2) “Non-Content Data”, which means:
      (a) “Customer Entity and User Data”, which means Personal Data and non-Personal Data regarding Customer’s Axon Cloud Services tenant configuration and users;
      (b) “Customer Entity and User Service Interaction Data”, which means data regarding Customers' interactions with Axon Cloud Services and Axon Client Applications;
      (c) “Service Operations and Security Data”, which means data within service logs, metrics and events and vulnerability data, including, without limitation: (i) application, host, and infrastructure logs; (ii) Axon Device and Axon Client Application logs; (iii) service metrics and events logs; and (iv) web transaction logs;
      (d) “Account Data”, which means information provided to Axon during sign-up, purchase, or administration of Axon Cloud Services, including, without limitation, the name, address, phone number, and email address Customer provides, as well as aggregated usage information related to Customer’s account and administrative data associated with the account; and
      (e) “Support Data”, which means the information Axon collects when Customer contacts or engages Axon for support, including, without limitation, information about hardware, software, and other details gathered related to the support incident, such as contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error-tracking files.

    For purposes of clarity, Customer Content does not include Non-Content Data, and Non-Content Data does not include Customer Content.
  • “Data Controller” means the natural or legal person, public authority, or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data (as defined below).
  • “Data Processor” means a natural or legal person, public authority or any other body which processes Personal Data on behalf of the Data Controller.
  • “Data Exporter” means the Data Controller who transfers the Personal Data.
  • “Data Importer” means the Data Processor who agrees to receive from the Data Exporter Personal Data intended for processing on Data Exporter's behalf after the transfer in accordance with the Agreement and who is not subject to a third country’s system ensuring adequate protection within the meaning of the General Data Protection Regulation (EU) 2016/679 of the European Parliament (“GDPR”).
  • “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Sub-processor” means any processor engaged by the Data Importer or by any other sub-processor of the Data Importer who agrees to receive from the Data Importer or from any other sub-processor of the Data Importer Personal Data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract.

Axon's Role

Axon is a Data Processor of Customer Content. Customer controls and owns all right, title, and interest in and to Customer Content and Axon obtains no rights to the Customer Content. Customer is solely responsible for the uploading, sharing, withdrawal, management and deletion of Customer Content. Customer grants Axon limited access to Customer Content solely to provide and support Axon Cloud Services to and for Customer and Customer’s end-users. Customer represents and warrants to Axon that: (1) Customer owns Customer Content; and (2) Customer Content, and Customer’s end-users’ use of Customer Content and Axon Cloud Services, does not violate this Policy or applicable data protection laws and regulations.

Axon may also collect, control, and process Non-Content Data. Axon is a Data Controller for Non-Content Data. Axon collects, controls, and processes Non-Content Data to provide Axon Cloud Services and to support the overall delivery of Axon Products including business, operational, and security purposes. With Non-Content Data, Axon may analyze and report anonymized and aggregated data to communicate with external and internal stakeholders.

Data Collection and Processing Activities

Customer Content

Axon will only use Customer Content to provide Customer Axon Cloud Services. Axon will not use Customer Content for any advertising or similar commercial purposes.

Axon periodically upgrades or changes Axon Cloud Services to provide customers with new features and enhancements in alignment with the Axon Evidence Maintenance Schedule. Axon communicates such upgrades or changes to customers one week prior to release via mechanisms outlined in the Maintenance Schedule. Changes to Axon Cloud Services may increase the capabilities of the service and ways in which Customer Content will be utilized.

Non-Content Data

Non-Content Data includes data, configuration, and usage information about Customer's Axon Cloud Services tenant, Axon Devices, Axon Client Applications, and users that is transmitted or generated when using Axon Products. Non-Content Data comprises the following:

Customer Entity and User Data

Customer Entity and User Data includes personal and non-personal data regarding Customers' Axon Cloud Services tenant configuration and users. Axon uses Customer Entity and User Data to: (1) provide Axon Cloud Services, including, without limitation, user authentication and authorization functionality; (2) improve the quality of Axon Products or provide enhanced functionality and features; and (3) contact Customer to provide information about its account, tenant, subscriptions, billing, and updates to Axon Cloud Services, including, without limitation, information about new features, security and other technical issues. Customer cannot unsubscribe from these non-promotional communications.

Customer Entity and User Service Interaction Data

Customer Entity and User Service Interaction Data includes data regarding Customers' interactions with Axon Cloud Services and Axon Client Applications. Axon uses Customer Entity and User Service Interaction Data to improve the quality of Axon Products and provide enhanced functionality and features.

Service Operations and Security Data

Axon uses Service Operations and Security Data to provide service operations and monitoring.

Account Data

Axon uses Account Data to provide Axon Cloud Services, manage Customer's accounts, and to communicate with Customers.

Support Data

Axon uses Support Data to resolve Customer’s support incident, and to operate, improve, and personalize Axon Products. If Customer shares Customer Content with Axon in a support scenario, the Customer Content will be treated as Support Data but will only be used for resolving support incidents.

Axon may provide support through phone, email, or online chat. With Customer’s permission, Axon may use Guest Access (“GA”) to temporarily navigate Customer’s Axon Cloud Services tenant to view data in order to resolve a support incident. Phone conversations, online chat sessions, or GA sessions with Axon support professionals may be recorded and/or monitored.

Server and Data Location

Customer Content

Axon offers Axon Cloud Services in numerous geographic regions. Before creating an account in Axon Cloud Services, Customer determines where Axon will store Customer Content by designating one of the economic areas listed below.

| Region Code | Economic Area | 3rd Party Infrastructure Sub-processors | Data Center Location(s) |
|---|---|---|---|
| AU | Southeast Asia | Microsoft Azure® and Amazon Web Services® | Canberra, Sydney, Victoria & New South Wales, Australia |
| BR | South America | Amazon Web Services | Sao Paulo, Brazil |
| CA | Canada | Microsoft Azure and Amazon Web Services | Toronto, Québec and Montréal |
| EU | European Union | Amazon Web Services | Ireland |
| UK | United Kingdom | Microsoft Azure and Amazon Web Services | London and Durham, England and Cardiff, Wales |
| US | United States | Microsoft Azure and Amazon Web Services | Texas and Virginia, United States |
| US | United States (Federal Region) | Microsoft Azure | Texas and Virginia, United States |

Axon ensures that all Customer Content in Axon Cloud Services remains within the selected economic area, including, without limitation, all backup data, replication sites, and disaster recovery sites. The economic area Customer selected can be determined through review of Customer's Axon Evidence URL. Customer URLs conform to the <youragency>.<regioncode>.evidence.com scheme, with the exception of US customers, where the scheme may exclude the region code and is <youragency>.evidence.com. US Federal customers conform to the scheme <youragency>.us.evidence.com.

Non-Content Data

Customer Entity and User Data

Customer Entity and User Data is located in Customer's selected economic area for Customer Content. Customer Entity and User Data may be copied or transferred to the United States.

Customer Entity and User Service Interaction Data

Customer Entity and User Service Interaction Data is located in Customer's selected economic area for Customer Content and the United States.

Service Operations and Security Data

Service Operations and Security Data is located in Customer's selected economic area for Customer Content and the United States.

Account Data and Support Data

Account Data and Support Data are located in the United States and may be located in Customer's selected economic area for Customer Content.

Information Sharing

Axon may transfer data with its direct and indirect subsidiaries and Sub-processors, including, without limitation, service providers and other partners to support the overall delivery of Axon Products as described in the “Data Collection and Processing Activities” section of this Policy.

Axon exercises commercially reasonable efforts in connection with contractual obligations to ensure its Sub-processors are compliant with all applicable data protection laws and regulations surrounding the Sub-processors' access and scope of work in connection with Customer Content.

Customer consents to the transfer of Customer Content to Axon's Sub-processors for the purpose of storing Customer Content. Such Sub-processors responsible for storing Customer Content are contracted by Axon for data storage services. Ownership of Customer Content remains with Customer.

Axon may hire Sub-processors to provide or enhance Axon Products on its behalf. Axon will only permit any such Sub-processors to obtain Customer Content from Axon Cloud Services to deliver services to Axon and will be prohibited from using Customer Content for any other purpose. Axon may engage new Sub-processors. Axon will give Customer notice (by updating the website) of any new Sub-processor.

Prior to onboarding Sub-processors, Axon conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to its access to data and scope of services.

Under Privacy Shield's “Onward Transfer Principle”, Axon remains responsible for personal data that may be shared with Axon's Sub-processors.

Customer can transfer data from Axon Cloud Services to third parties. Customer must ensure data sharing agreements are in place with third parties to protect data throughout its lifecycle.

Axon Sub-processors

| Sub-processor | Data Processed | Location | Function(s) Performed |
|---|---|---|---|
| Microsoft Corporation | Customer Content, Personal Data | See: Server and Data Location | Infrastructure and Platform Services |
| Amazon Web Services | Customer Content, Personal Data | See: Server and Data Location | Infrastructure and Platform Services |
| Cylance, Inc. | Non-Content Data | United States | Security Investigations |
| SignalSciences Corp. | Non-Content Data, Personal Data | United States | Web Security Monitoring |
| Datadog, Inc. | Non-Content Data | United States | Operational Monitoring |
| OpsGenie, Inc. | Non-Content Data | United States | Operational Monitoring and Security Investigations |
| PagerDuty, Inc. | Non-Content Data | United States | Security Investigations |
| ServiceNow, Inc. | Non-Content Data, Personal Data | United States | Security Investigations |
| Mixpanel, Inc. | Non-Content Data, Personal Data | United States | User Analytics |
| Google LLC (Crashlytics) | Non-Content Data, Personal Data | United States | Service Support |
| Mapbox, Inc. | Non-Content Data, Personal Data | United States | Geolocation services in Services |
| Twilio Inc. | Non-Content Data, Personal Data | United States | User Authentication |
| Salesforce.com, inc. | Non-Content Data, Personal Data | United States | Account Management, Email Communications, Corporate Services |
| Slack Technologies | Non-Content Data | United States | Corporate Services |
| Atlassian Pty Ltd | Non-Content Data | United States | Corporate Services |
| Ring Central, Inc. | Non-Content Data, Personal Data | United States | Customer Service |

Required Disclosures

Axon will not disclose Customer Content except as compelled by a court or administrative body or required by any law or regulation. Axon will notify Customer if any disclosure request is received for Customer Content so Customer may file an objection with the court or administrative body.

Customer's Access and Choice

Customer Content
Customer can access to manage Customer Content.

Non-Content Data
Within the scope of Axon's authorization to do so, and in accordance with Axon's commitment under the Privacy Shield, Axon will work with Customers to provide access to Personal Data about Customer that Axon or Sub-processors hold. Axon will also take reasonable steps to enable Customers to correct, amend, or delete Personal Data that is demonstrated to be inaccurate.

Customers can opt-out of tracking on Axon Cloud Services by disabling cookies or preventing Customer's browser from accepting new cookies. To prevent data collected specifically by Mixpanel, users can visit https://mixpanel.com/optout/ to opt out. To opt out of mapping and geolocation functionality, users can block network or device access to *.mapbox.com. To opt out of Axon Client Application crash reporting, users can block network or device access to *.crashlytics.com.

Data Security Measures

Axon is committed to helping protect the security of Customer Data. Axon has established and implemented policies, programs, and procedures that are commercially reasonable and in compliance with applicable industry practices, including administrative, technical and physical safeguards to protect the confidentiality, integrity and security of Customer Content and Non-Content Data against unauthorized access, use, modification, disclosure or other misuse.

Axon will take appropriate steps to ensure compliance with the data security measures by its employees, contractors and Sub-processors, to the extent applicable to the respective scope of performance.

Confidentiality

Customer Content and Non-Content Data are encrypted in transit over public networks. Customer Content is encrypted at rest in all Axon Cloud Service regions.

Axon protects all Customer Content and Non-Content Data with strong logical access control mechanisms to ensure only users with appropriate business needs have access to data. Third-party specialized security firms periodically validate access control mechanisms. Access control lists are reviewed periodically by Axon.

Integrity

As Evidence is ingested into Axon Cloud Services, a Secure Hash Algorithm (“SHA”) checksum is generated on the upload device and again upon ingestion into Axon Cloud Services. If the SHA checksum does not match, the upload will be reinitiated. Once upload of Evidence is successful, the SHA checksum is retained by Axon Cloud Services and is made viewable by users with access to the Evidence audit trail for the specific piece of Evidence. Tamper-proof audit trails are created automatically by Axon Cloud Services upon ingestion of any Evidence.

Availability

Axon takes a comprehensive approach to ensure the availability of Axon Cloud Services. Axon replicates Customer Content over multiple systems to help to protect against accidental destruction or loss. Axon Cloud Services systems are designed to minimize single points of failure. Axon has designed and regularly plans and tests its business continuity planning and disaster recovery programs.

Isolation

Axon logically isolates Customer Content. Customer Content for an authenticated customer will not be displayed to another customer (unless Customers explicitly create a sharing relationship between their tenants or shared data between themselves). Centralized authentication systems are used across an Axon Cloud Service region to increase uniform data security.

Additional role-based access control is leveraged within Customer’s Axon Cloud Service tenant to define which users can interact with or access Customer Content. Customer solely manages the role-based access control mechanisms within its Axon Cloud Services tenant.

Within the Axon Cloud Services supporting infrastructure, access is granted based on the principle of least privilege. All access must be approved by system owners and undergo at least quarterly user access reviews. Any shared computing or networking resource will undergo extensive hardening and is validated periodically to ensure appropriate isolation of Customer Content.

Non-Content Data is logically isolated within information systems such that only appropriate Axon personnel have access.

Personnel

Axon personnel are required to conduct themselves in a manner consistent with applicable law, the company’s guidelines regarding confidentiality, business ethics, acceptable usage, and professional standards. Axon personnel must complete security training upon hire in addition to annual and role-specific security training.

Axon personnel undergo an extensive background check process to the extent legally permissible and in accordance with applicable local labor laws and statutory regulations. Axon personnel supporting Axon Cloud Services are subject to additional role-specific security clearances or adjudication processes, including Criminal Justice Information Services background screening and national security clearances and vetting.

Data Breach

Notification

If Axon becomes aware that Customer Data has been accessed, disclosed, altered, or destroyed by an unlawful or unauthorized party, Axon will notify relevant authorities and affected customers.

Within 48 hours of an incident confirmation, Axon will notify Customer administrators registered on Axon Cloud Services. Authorities will be notified through Axon's established channels and timelines. The notification will reasonably explain known facts, actions that have been taken, and make commitments regarding subsequent updates. Additional details are available in the Axon Cloud Services Security Incident Handling and Response Statement.

Data Portability, Data Migration, and Transfer Back Assistance

Data Portability

Evidence uploaded to Axon Cloud Services is retained in original format. Evidence may be retrieved and downloaded by Customer from Axon Cloud Services to move data to an alternative information system. Evidence audit trails and system reports may also be downloaded in various industry-standard, non-proprietary formats.

Data Migration

In the event Customer’s access to Axon Cloud Services is terminated, Axon will not delete any Customer Content during the 90 days following termination. During this 90-day period, Customer may retrieve Customer Content only if Customer has paid all amounts due (there will be no application functionality of the Axon Cloud Services during this 90-day period other than the ability for Customer to retrieve Customer Content). Customer will not incur any additional fees if Customer downloads Customer Content from Axon Cloud Services during this 90-day period. Axon has no obligation to maintain or provide any Customer Content after the 90-day period and will thereafter, unless legally prohibited, delete all Customer Content stored in Axon Cloud Services. Upon written request, Axon will provide written proof that all Customer Content has been successfully deleted and removed from Axon Cloud Services.

Post-Termination Assistance

Axon will provide Customer with the same post-termination data retrieval assistance that is generally made available to all customers. Requests for additional assistance to Customer in downloading or transferring Content will result in additional fees and Axon cannot warrant or guarantee data integrity or readability in the external systems.

Data Retention, Restitution, and Deletion

Axon maintains internal disaster recovery and data retention policies in accordance with applicable laws and regulations. The disaster recovery plan relates to Axon's data and extends to Axon Cloud Services and Customer Content stored within. Axon's data retention policies relate to Axon's Non-Content Data. Axon's data retention policies provide for the secure disposal of Non-Content Data when such data is no longer necessary for the delivery and support of Axon products and services and in accordance with applicable regulations. As outlined below, Customer is responsible for adhering to its own retention policies and procedures.

Evidence Retention

Customer defines Evidence retention periods pursuant to Customer’s internal retention policies and procedures. Customer can establish its retention policies within Axon Cloud Services. Therefore, Customer controls the retention and deletion of its Evidence within Axon Cloud Services. Axon Cloud Services can automate weekly messages summarizing upcoming agency-wide deletions to all customer Axon Cloud Services administrators. Customer users can receive a weekly message regarding Evidence uploaded within their user account to protect against accidental deletions. Customer can recover Evidence up to 7 days after Customer queues such Evidence for deletion. After this 7-day grace period, Axon Cloud Services initiates deletion of Evidence. Data deletion processing may occur asynchronously across storage systems and data centers. During and after data deletion processing, Evidence will not be recovered or recoverable by any party.

Accountability

As outlined herein, Axon is committed to maintaining compliance with relevant security and privacy standards to ensure the continued security, availability, integrity, confidentiality, and privacy of Axon Cloud Services and Customer Data stored within.

In addition to the security efforts outlined herein, Axon will maintain its ISO/IEC 27001:2013 certification or comparable assurances for Axon Cloud Services. Customers may review the certificate.

Insurance

Axon will maintain, during the term of the Agreement, a cyber-insurance policy and will furnish certificates of insurance following Customer's written request.

How to Contact Us

Axon commits to resolve complaints about Customer privacy and use of Axon Products. Complaints surrounding this Policy can be directed to Customer's local Axon representative or privacy@axon.com. If Customer has any questions or concerns regarding privacy and security of Customer Content or Axon's handling of Customer's Personal Data under Privacy Shield, please contact privacy@axon.com.

If Customer is an EU citizen and we are unable to satisfactorily resolve any complaint relating to the Privacy Shield, or if Axon fails to acknowledge Customer's complaint in a timely fashion, Customer can contact the relevant EU Data Protection Authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner (FDPIC). In certain circumstances, the Privacy Shield provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles in each of the Privacy Shield Frameworks. Axon is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.