Data Protection Impact Assessment (DPIA) Guidance for Axon Cloud Services

PROCESSING OPERATION CONSIDERATIONS

RELEVANT INFORMATION ABOUT AXON CLOUD SERVICES


A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person

Axon Cloud Services is not specifically designed to perform these types of automated processing of data.


Processing on a large scale of special categories of data referred to in GDPR Article 9(1), or of personal data relating to criminal convictions and offences referred to in GDPR Article 10

Axon Cloud Services provides capabilities to process, on a large scale, special categories of data relating to criminal convictions and offenses. Data controllers should determine the applicability of this consideration based on their usage of Axon Cloud Services.


A systematic monitoring of a publicly available area on a large scale

Axon Cloud Services is not specifically designed to perform systematic monitoring of a publicly available area on a large scale. However, customers can use Axon Cloud Services to process data collected through such monitoring. Data controllers should determine the applicability of this consideration based on their usage of Axon Cloud Services.


GDPR DPIA ELEMENT

LED DPIA ELEMENT

RELEVANT INFORMATION ABOUT AXON CLOUD SERVICES


A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller

A general description of the envisaged processing operations

The data controller is responsible for implementing, configuring, and using Axon Cloud Services. As such, the data controller shall determine the categories of data processed and the purpose of processing in Axon Cloud Services.

The controller can upload, ingest, or create Customer Content* in their instance of Axon Cloud Services for processing. Customer Content can be any data, including text, sound, video, and image files.

As specified in the Axon Cloud Services Privacy Policy, Axon, as a data processor, is processing Customer Content as instructed by the data controller. The data controller determines the processing operation when using Axon Cloud Services.

Information relating to Axon Cloud Services' data retention, transfers, and sharing with third parties is available in the Axon Cloud Services Privacy Policy.


An assessment of the necessity and proportionality of the processing operations in relation to the purposes

N/A

The data controller shall determine the necessity and proportionality of the processing operations in relation to the purposes when processing their content through Axon Cloud Services.

With regard to the processing carried out by Axon, such processing is necessary and proportional for the purpose of providing the services to the data controller as detailed in the Axon Cloud Services Privacy Policy.


An assessment of the risks to the rights and freedoms of data subjects referred to in GDPR Article 35(1)

An assessment of the risks to the rights and freedoms of data subjects

The key risks to the rights and freedoms of data subjects from the use of Axon Cloud Services will be a function of how and in what context the data controller implements, configures, and uses Axon Cloud Services. The risks shall be determined by the data controller.

As with any service, the risks associated with personal data held in a service include the risk of unauthorized access or inadvertent disclosure. Axon has taken measures to address such risks, as detailed in the Axon Cloud Services Privacy Policy.


The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned

The measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Directive taking into account the rights and legitimate interests of the data subjects and other persons concerned

Axon Cloud Services has implemented many security mechanisms to protect the confidentiality, integrity, availability, and privacy of Customer Data*. These include data encryption, security monitoring, service resiliency, access control, evidence integrity, and many more.

Axon maintains comprehensive compliance programs to demonstrate our commitment to providing trustworthy products and services. These include ISO/IEC 27001:2013 certification, ISO/IEC 27017:2015 certification, ISO/IEC 27018:2019 certification, SOC 2+ Reporting, Cloud Security Alliance - CSA Star Attestation (Level Two), and Cyber Essentials Certification.

Information about Axon Cloud Services security and compliance is available on the Axon Trust page and in the Axon Cloud Services Privacy Policy.


SUPPLEMENTAL INFORMATION ABOUT AXON CLOUD SERVICES


Data Retention

Evidence retention periods are defined by the data controller within their internal retention policies and procedures. The data controller has the ability to establish Evidence retention policies within Axon Cloud Services. Additional information about Customer Data Retention is available in the Axon Cloud Services Privacy Policy.


Data Location and Transfers

Axon Cloud Services is offered in numerous geographic regions. The data controller determines which regional deployment of Axon Cloud Services it wishes to utilize prior to tenant creation in Evidence.com. The data controller's selection determines where its Content will be stored. Axon's commitments to data location and transfer are available in the Axon Cloud Services Privacy Policy.


Information Sharing

Axon may transfer data with its subsidiaries and Sub-processors, including service providers and other partners, to support the overall delivery of Axon products and services. Axon exercises commercially reasonable efforts in connection with contractual obligations to ensure its Sub-processors are compliant with all applicable data protection laws and regulations surrounding the Sub-processors' access and scope of work in connection with Customer Content. Prior to onboarding Sub-processors, Axon conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and scope of services. Axon remains responsible for all data that may be shared with Axon's Sub-processors.

Customers can subscribe to receive email notifications for changes to Axon Cloud Services Sub-processor(s) by submitting a request here: https://go.axon.com/l/636291/2020-09-11/42s1s9

For a complete list of Axon Sub-processors, Customers should see: https://axon-2.cdn.prismic.io/axon-2/689d659b-3dc0-49b3-851a-81d4c63597b1_Axon.pdf

More details about information sharing with Axon subsidiaries and Sub-processors are available in the Axon Cloud Services Privacy Policy.

Axon Cloud Services also enables customers to share data between their tenants. Customers are required to ensure appropriate data sharing agreements are in place to support sharing data. Such agreements should align with regulatory requirements and define data ownership, responsibilities, and liabilities. Axon and the Axon Cloud Services sharing mechanisms do not define data ownership, responsibilities, and liabilities.


Audit Trail

Axon Cloud Services provides an Evidence audit trail that logs the when, who, and what for interactions with Evidence. The audit trail logs cannot be edited or changed, even by tenant administrators.


Data Subject Rights

Within the scope of Axon's authorization to do so, Axon will work with data controllers in fulfilling data subject requests when they exercise their rights under GDPR, LED, and CCPA/CPRA. If Axon receives a request from a customer's data subjects to exercise one or more of their rights under GDPR, LED, or CCPA/CPRA, the request will be redirected to the data controller. Additionally, Axon will not disclose Customer Content or any information about customers or customers' data subjects except as compelled by a court or administrative body or required by any law or regulation. Information about required disclosures is available in the Axon Cloud Services Privacy Policy.