Last Updated: May 23, 2023
Unless otherwise provided in this Policy, this Policy is subject to the terms of the Master Services Purchasing Agreement, or other similar agreement, if any, between Axon and Customer (“Agreement”). To the extent this Policy contains terms and conditions that differ from those contained in the Agreement, the Agreement shall control. A concept or principle covered in this Policy shall apply and be incorporated into all other provisions of the Agreement in which the concept or principle is also applicable, notwithstanding the absence of any specific cross-reference thereto. All capitalized and defined terms referenced, but not defined, in this Policy shall have the meanings assigned to them in the Agreement.
By using Axon Cloud Services, Customer acknowledges that Customer has read and understand this Policy and Customer agrees to be bound by its terms and conditions. Axon may occasionally update this Policy. When Axon posts changes, Axon will revise the "last updated" date at the top of this page. Customer’s continued use of Axon Cloud Services will signify Customer’s agreement and acceptance to any such changes.
- “Axon Cloud Services” means Axon’s web services hosted on evidence.com including Axon Evidence, Axon Records, and Axon Dispatch, and other related offerings, including, without limitation, interactions between Axon Cloud Services and Axon Products (as defined below).
- “Axon Products” means:
(1) Axon Cloud Services;
(2) devices sold by Axon (including, without limitation, conducted energy weapons, cameras, sensors, and docking systems) (collectively, “Axon Devices”);
(3) other software offered by Axon (including, without limitation, Axon Capture, Axon Evidence SYNC, Axon Device Manager, Axon View, Axon Interview, Axon Commander, Axon Uploader XT, and Axon View XL) (collectively, “Axon Client Applications”); and
(4) ancillary hardware, equipment, software, services, cloud-based services, documentation, and software maintenance releases and updates. Axon Products do not include any third-party applications, hardware, warranties, or the 'my.evidence.com' services.
- “Customer Data” means:
(1) “Customer Content”, which means data uploaded into, ingested by, or created in Axon Cloud Services within Customer’s tenant, including, without limitation, media or multimedia uploaded into Axon Cloud Services by Customer (“Evidence”); and
(2) “Non-Content Data”, which means:
(a) “Customer Entity and User Data”, which means Personal Data and non-Personal Data regarding Customer’s Axon Cloud Services tenant configuration and users;
(b) “Customer Entity and User Service Interaction” Data which means data regarding Customer's interactions with Axon Cloud Services and Axon Client Applications;
(c) “Service Operations and Security Data”, which means data within service logs, metrics and events and vulnerability data, including, without limitation: (i) application, host, and infrastructure logs; (ii) Axon Device and Axon Client Application logs; (iii) service metrics and events logs; and (iv) web transaction logs;
(d) “Account Data”, which means information provided to Axon during sign-up, purchase, or administration of Axon Cloud Services, including, without limitation, the name, address, phone number, and email address Customer provides, as well as aggregated usage information related to Customer’s account and administrative data associated with the account; and
(e) “Support Data”, which means the information Axon collects when Customer contacts or engages Axon for support, including, without limitation, information about hardware, software, and other details gathered related to the support incident, such as contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error-tracking files.
For purposes of clarity, Customer Content does not include Non-Content Data, and Non-Content Data does not include Customer Content.
- “Data Controller” means the natural or legal person, public authority, or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data (as defined below).
- “Data Processor” means a natural or legal person, public authority or any other body which processes Personal Data on behalf of the Data Controller.
- “Data Exporter” means the Data Controller who transfers the Personal Data.
- “Data Importer” means the Data Processor who agrees to receive from the Data Exporter Personal Data intended for processing on Data Exporter's behalf after the transfer in accordance with the Agreement and who is not subject to a third country’s system ensuring adequate protection with in the meaning of the General Data Protection Regulation (EU) 2016/679 of the European Parliament (“GDPR”)
- “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Sub-processor” means any processor engaged by the Data Importer or by any other sub-processor of the Data Importer who agrees to receive from the Data Importer or from any other sub-processor of the Data Importer Personal Data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract.
Axon is a Data Processor of Customer Content. Customer controls and owns all right, title, and interest in and to Customer Content and Axon obtains no rights to the Customer Content. Customer is solely responsible for the uploading, sharing, withdrawal, management and deletion of Customer Content. Customer grants Axon limited access to Customer Content solely to provide and support Axon Cloud Services to and for Customer and Customer’s end-users. Customer represents and warrants to Axon that: (1) Customer owns Customer Content; (2) and Customer Content, and Customer’s end-users’ use of Customer Content and Axon Cloud Services, does not violate this Policy or applicable data protection laws and regulations.
Axon may also collect, control, and process Non-Content Data. Axon is a Data Controller for Non-Content Data. Axon collects, controls, and processes Non-Content Data to provide Axon Cloud Services and to support the overall delivery of Axon Products including business, operational, and security purposes. With Non-Content Data, Axon may analyze and report anonymized and aggregated data to communicate with external and internal stakeholders. In regard to Customer Entity & User Data, Axon is a Data Controller and Customer is an independent Data Controller, not a joint Data Controller with Customer.
Data Collection and Processing Activities
Axon will only use Customer Content to provide Customer Axon Cloud Services. Axon will not use Customer Content for any advertising or similar commercial purposes.
Axon periodically upgrades or changes Axon Cloud Services to provide customers with new features and enhancements in alignment with the Axon Evidence Maintenance Schedule. Axon communicates such upgrades or changes to customers one week prior to release via mechanisms outlined in the Maintenance Schedule. Changes to Axon Cloud Services may increase the capabilities of the service and ways in which Customer Content can be processed.
Non-Content Data includes data, configuration, and usage information about customer's Axon Cloud Services tenant, Axon Devices, Axon Client Applications, and users that is transmitted or generated when using Axon Products. Non-Content Data includes the following:
Customer Entity And User Data
Customer Entity and User Data includes personal and non-personal data regarding Customer's Axon Cloud Services tenant configuration and users. Axon uses Customer Entity and User Data to: (1) provide Axon Cloud Services, including, without limitation, user authentication and authorization functionality; (2) improve the quality of Axon Products or provide enhanced functionality and features; (3) contact Customer to provide information about its account, tenant, subscriptions, billing, and updates to Axon Cloud Services, including, without limitation, information about new features, security and other technical issues; and (4) market our products or services to Customer via email, by sending promotional communication including targeted advertisements, or presenting a Customer with relevant offers.
Customer cannot unsubscribe from non-promotional communications but may unsubscribe from promotional communications at any time.
Customer Entity and User Service Interaction Data
Customer Entity and User Service Interaction Data includes data regarding Customers' interactions with Axon Cloud Services and Axon Client Applications. Axon uses Customer Entity and User Service Interaction Data to improve the quality of Axon Products and provide enhanced functionality and features.
Service Operations and Security Data
Axon uses Service Operations and Security Data to provide service operations and monitoring.
Axon uses Account Data to provide Axon Cloud Services, manage Customer's accounts, market to, and communicate with Customer. Customer may unsubscribe from promotional communications at any time.
Axon uses Support Data to resolve Customer’s support incident, and to operate, improve, and personalize Axon Products. If Customer shares Customer Content to Axon in a support scenario, the Customer Content will be treated as Support Data but will only be used for resolving support incidents.
Axon may provide support through phone, email, or online chat. With Customer’s permission, Axon may use Guest Access (“GA") to temporarily navigate Customer’s Axon Cloud Service's tenant to view data in order to resolve a support incident. Phone conversations, online chat sessions, or GA sessions with Axon support professionals may be recorded and/or monitored.
International Data Transfers
Personal Data may be subject to international data transfers outside the European Economic Area (EEA), United Kingdom, and Switzerland, which will be regulated in accordance with the mechanisms set out in the GDPR, UK-GDPR, and the Swiss DPA respectively, to safeguard the rights and freedoms of the data subject and ensure a level of protection equivalent to that required by European, United Kingdom, and Switzerland regulations. In particular, the Standard Contractual Clauses (SCC) issued by the European Commission shall apply for International transfers of Personal Data from the EEA or Switzerland. The International Data Transfer Agreement (IDTA) issued by the United Kingdom Information Commissioner shall apply for international transfers of Personal Data from the United Kingdom.
Axon does not rely on the Privacy Shield for international transfers of Personal Data from the EEA, UK, or Switzerland. Nevertheless, Axon still adheres to the Privacy Shield as a matter of good practice and maintains our certification. Please review our Privacy Shield Statement.
For more information about the international transfer of Personal Data by Axon, please contact firstname.lastname@example.org.
Server and Data Location
Axon offers Axon Cloud Services in numerous geographic regions. Before creating an account in Axon Cloud Services, Customer determines where Axon will store Customer Content by designating an economic area.
Axon ensures that all Customer Content in Axon Cloud Services remains within the selected economic area, including, without limitation, all backup data, replication sites, and disaster recovery sites. Customer selected economic areas can be determined through review of Customer's Axon Cloud Services URL. Customer URLs conform to the <youragency>.<regioncode>.evidence.com scheme with the exception of US customers where the scheme may exclude the region code and is <youragency>.evidence.com. US Federal customers conform to the scheme <youragency>.us.evidence.com
Customer Entity and User Data
Customer Entity and User Data is located in Customer's selected economic area for Customer Content. Customer Entity and User Data may be copied or transferred to the United States.
Customer Entity and User Service Interaction Data
Customer Entity and User Service Interaction Data is located in Customer's selected economic area for Customer Content and the United States.
Service Operations and Security Data
Service Operations and Security Data is located in Customer's selected economic area for Customer Content and the United States.
Account Data and Support Data
Account and Support data is located is in the United States and may be located in Customer's selected economic area for Customer Content.
Axon may transfer data with its direct and indirect subsidiaries and Sub-processors, including, without limitation, service providers and other partners to support the overall delivery of Axon Products as described in “Data Collection and Processing Activities” section of this Policy.
Axon exercises commercially reasonable efforts in connection with contractual obligations to ensure its Sub-processors are compliant with all applicable data protection laws and regulations surrounding the Sub-processors access and scope of work in connection with Customer Content.
Customer consents to the transfer of Customer Content to Axon's Sub-processors for the purpose of storing Customer Content. Such Sub-processors responsible for storing Customer Content are contracted by Axon for data storage services. Ownership of Customer Content remains with Customer.
Axon may hire Sub-processors to provide or enhance Axon Products on its behalf. Axon will only permit any such Sub-processors to obtain Customer Content from Axon Cloud Services to deliver services to Axon and will be prohibited from using Customer Content for any other purpose. Axon may engage new Sub-processors. Axon will give Customer notice (by updating the website) of any new Sub-processor.
Prior to onboarding Sub-processors, Axon conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to its access to data and scope of services.
Customer can transfer data from Axon Cloud Services to third parties. Customer must ensure data sharing agreements are in place with third parties to protect data throughout its lifecycle.
Understand the server locations, data processed, and functions performed.
Axon maintains an up-to-date list of the names and locations of all Sub-processors. This list is below.
If you are a current Axon Cloud Services customer with a data processing agreement in place with Axon, you may subscribe to receive notifications of a new Sub-processor(s) before Axon authorizes any new Sub-processor to process personal data in connection with the provision of your service.
You can subscribe to receive email notifications for changes to Axon Cloud Services Sub-processor(s) by submitting a request here.
For a complete list of Axon Sub-Processors, click here.
Axon Body 3 includes embedded cellular technologies used to connect to telecommunication networks in order to provide connectivity between Axon Body 3 and Axon Cloud Services. Cellular technologies enable Axon Aware services. Customer’s Axon Body 3 cameras will send data to the respective Axon Cloud Services region selected telecommunications providers as needed to enable cellular connectivity. Data includes Personal Data, such as location data. For Axon Body 3, Axon manages all cellular registration and account management associated to the cellular subscription. Personal Data of Customers is not collected by Axon or telecommunications providers for the purposes of cellular account management.
Outlined below is the telecommunication sub-processors. In regions where there are more than one telecommunication sub-processor, Axon will manage customers’ Axon Body 3 cellular registration.
Customer URLs conform to the <youragency>.<regioncode>.evidence.com scheme with the exception of US customers where the scheme may exclude the region code and is <youragency>.evidence.com. US Federal customers conform to the scheme <youragency>.us.evidence.com
Axon will not disclose Customer Content except as compelled by a court or administrative body or required by any law or regulation. Axon will notify Customer if any disclosure request is received for Customer Content so Customer may file an objection with the court or administrative body.
Customer's Access and Choice
Customer can access Customer's tenant to manage Customer Content.
Axon will work with Customers to provide access to Personal Data about Customer that Axon or Sub-processors holds. Axon will also take reasonable steps to enable Customers to correct, amend, or delete Personal Data that is demonstrated to be inaccurate.
If at any time after registering an account on Axon Cloud Services you desire to update Personal Data you have shared with us, change your mind about sharing Personal Data with us, desire to cancel your Customer account, or request that Axon no longer use provided Personal Data to provide you services, please contact us at email@example.com. We will retain and use Personal Data for as long as needed to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements.
Certain data processing is determined by Customer based on Axon Product usage, Customer network or device configuration, and administrative settings made available with Axon Cloud Services or Axon Client Applications:
Axon Body 3 WiFi Positioning
Client Push Notifications
Axon Products leverage push notification services made available by mobile operating system providers (i.e. Google’s Cloud Messaging and Apple’s Push Notification Service to deliver functional notifications to client applications. Push notification services can be managed by leveraging notification settings made available in both mobile applications and the mobile operating system.
Customers can opt-out of user analytics tracking on Axon Cloud Services by disabling cookies or preventing Customer's browser or device from accepting new cookies. To prevent data from being collected by Mixpanel, network or device access to *.mixpanel.com should be blocked
Mobile client application crash analytics are used provide Axon personnel insight to crashes when using Axon client applications. To opt out of crash reporting, network or device access to *.crashlytics.com should be blocked.
Geolocation services are critical to proper user functionality of many of Axon products. However, customers can chose to opt out of mapping and geolocation functionality by blocking network or device access to *.mapbox.com and *.arcgisonline.com
Data Security Measures
Axon is committed to help protect the security of Customer Data. Axon has established and implemented policies, programs, and procedures that are commercially reasonable and in compliance with applicable industry practices, including administrative, technical and physical safeguards to protect the confidentiality, integrity and security of Customer Content and Non-Content Data against unauthorized access, use, modification, disclosure or other misuse.
Axon will take appropriate steps to ensure compliance with the data security measures by its employees, contractors and Sub-processors, to the extent applicable to the respective scope of performance.
Customer Content and Non-Content Data is encrypted in transit over public networks. Customer Content is encrypted at rest in all Axon Cloud Service regions.
Axon protects all Customer Content and Non-Content Data with strong logical access control mechanisms to ensure only users with appropriate business needs have access to data. Third-party specialized security firms periodically validate access control mechanisms. Access control lists are reviewed periodically by Axon.
As Evidence is ingested into Axon Cloud Services, a Secure Hash Algorithm (“SHA”) checksum is generated on the upload device and again upon ingestion into Axon Cloud Services. If the SHA checksum does not match, the upload will be reinitiated. Once upload of Evidence is successful, the SHA checksum is retained by Axon Cloud Services and is made viewable by users with access to the Evidence audit trail for the specific piece of Evidence. Tamper-proof audit trails are created automatically by Axon Cloud Services upon ingestion of any Evidence.
Axon takes a comprehensive approach to ensure the availability of Axon Cloud Services. Axon replicates Customer Content over multiple systems to help to protect against accidental destruction or loss. Axon Cloud Services systems are designed to minimize single points of failure. Axon has designed and regularly plans and tests its business continuity planning and disaster recovery programs.
Axon logically isolates Customer Content. Customer Content for an authenticated customer will not be displayed to another customer (unless Customers explicitly create a sharing relationship between their tenants or shared data between themselves). Centralized authentication systems are used across an Axon Cloud Service region to increase uniform data security.
Additional role-based access control is leveraged within Customer’s Axon Cloud Service tenant to define what users can interact with or access Customer Content. Customer solely manages the role based access control mechanisms within its Axon Cloud Services tenant.
Within the Axon Cloud Services supporting infrastructure, access is granted based on the principle of least privilege. All access must be approved by system owners and undergo at least quarterly user access reviews. Any shared computing or networking resource will undergo extensive hardening and is validated periodically to ensure appropriate isolation of Customer Content.
Non-Content Data is logically isolated within information systems such that only appropriate Axon personnel have access.
Axon personnel are required to conduct themselves in a manner consistent with applicable law, the company’s guidelines regarding confidentiality, business ethics, acceptable usage, and professional standards. Axon personnel must complete security training upon hire in addition to annual and role-specific security training.
Axon personnel undergo an extensive background check process to the extent legally permissible and in accordance with applicable local labor laws and statutory regulations. Axon personnel supporting Axon Cloud Services are subject to additional role-specific security clearances or adjudication processes, including Criminal Justice Information Services background screening and national security clearances and vetting.
If Axon becomes aware that Customer Data has been accessed, disclosed, altered, or destroyed by an unlawful or unauthorized party, Axon will notify relevant authorities and affected customers.
Within 48 hours of an incident confirmation, Axon will notify Customer administrators registered on Axon Cloud Services. Authorities will be notified through Axon's established channels and timelines. The notification will reasonably explain known facts, actions that have been taken, and make commitments regarding subsequent updates. Additional details are available in the Axon Cloud Services Security Incident Handling and Response Statement.
Data Portability, Migration, and Transfer Back Assistance
Evidence uploaded to Axon Cloud Services is retained in original format. Evidence may be retrieved and downloaded by Customer from Axon Cloud Services to move data to an alternative information system. Evidence audit trails and system reports may also be downloaded in various industry-standard, non-proprietary formats.
In the event Customer’s access to Axon Cloud Services is terminated, Axon will not delete any Customer Content during the 90 days following termination. During this 90-day period, Customer may retrieve Customer Content only if Customer has paid all amounts due (there will be no application functionality of the Axon Cloud Services during this 90-day period other than the ability for Customer to retrieve Customer Content). Customer will not incur any additional fees if Customer downloads Customer Content from Axon Cloud Services during this 90-day period. Axon has no obligation to maintain or provide any Customer Content after the 90-day period and thereafter, unless legally prohibited, may delete Customer Content upon termination as part of normal retention and data management instructions from customers. Upon written request, Axon will provide written proof that all Customer Content has been successfully deleted and removed from Axon Cloud Services.
Axon will provide Customer with the same post-termination data retrieval assistance that is generally made available to all customers. Requests for additional assistance to Customer in downloading or transferring Content will result in additional fees and Axon cannot warrant or guarantee data integrity or readability in the external systems.
Data Retention, Restitution, and Deletion
Axon maintains internal disaster recovery and data retention policies in accordance with applicable laws and regulations. The disaster recovery plan relates to Axon's data and extends to Axon Cloud Services and Customer Content stored within. Axon's data retention policies relate to Axon's Non-Content data. Axon's data retention policies instruct for the secure disposal of Non-Content Data when such data is no longer necessary for the delivery and support of Axon product and services and in accordance with applicable regulations. As outlined below, Customer is responsible for adhering to its own retention policies and procedures.
Customer defines Evidence retention periods pursuant to Customer’s internal retention policies and procedures. Customer can establish its retention policies within Axon Cloud Services. Therefore, customer controls the retention and deletion of its Evidence within Axon Cloud Services. Axon Cloud Services can automate weekly messages summarizing upcoming agency-wide deletions to all customer Axon Cloud Services administrators. Customer users can receive a weekly message regarding Evidence uploaded within their user account to protect against accidental deletions. Customer can recover Evidence up to 7 days after Customer queues such Evidence for deletion. After this 7-day grace period, Axon Cloud Services initiates deletion of Evidence. Data deletion processing may occur asynchronously across storage systems and data centers. During and after data deletion processing, Evidence will not be recovered or recoverable by any party.
As outlined herein, Axon is committed to maintaining compliance with relevant security and privacy standards to ensure the continued security, availability, integrity, confidentiality, and privacy of Axon Cloud Services and Customer Data stored within.
In addition to the security efforts outlined herein, Axon will maintain its ISO/IEC 27001:2013 certification or comparable assurances for Axon Cloud Services. Customers may review the certificate.
Social Media Publishing
- Google LLC, (YouTube API Services): Axon uses YouTube's API services in connection with our Publish to Social Media Feature. When Users link, connect, or login (“Connect”) their Google account(s) with Axon Evidence, they are agreeing to be bound by the YouTube Terms of Service (https://www.youtube.com/t/terms). In addition, they are directing Google to send Axon data as controlled by Google or as authorized by the User via their privacy settings at Google. Through YouTube's API services, Axon only accesses, collects, and stores a token which Axon uses to Connect the associated Google account(s) with Axon Evidence. The token is only used to enable a user to upload a video to YouTube and is not shared with external parties. Axon does not obtain or store the associated Google account(s) login credentials, through YouTube's API services.
Google has settings that list which apps can connect to a Google account(s). When Users Connect an associated Google account(s) to Axon Evidence, Axon Evidence gets authorized in these settings as a connected site or app. If Users remove Axon Evidence from these settings, its access to the account is revoked. Users may revoke this access at any time by following the instructions here: https://help.axon.com/hc/en-us/articles/360052689392-Removing-Axon-Evidence-Access-to-Your-YouTube-Account. Revoking Axon Evidence access will prevent Users from publishing videos to YouTube from Axon Evidence.
Axon will maintain, during the term of the Agreement, a cyber-insurance policy and will furnish certificates of insurance following Customer's written request.
How to Contact Us
Axon commits to resolve complaints about Customer privacy and use of Axon Products. Complaints surrounding this Policy can be directed to Customer's local Axon representative or firstname.lastname@example.org. If Customer has any questions or concerns regarding privacy and security of Customer Content or Axon's handling of Customer's Personal Data, please contact email@example.com.
If Customer is an European Union citizen, an United Kingdom citizen, or a citizen of Switzerland and we are unable to satisfactorily resolve any complaint or if Axon fails to acknowledge Customer's complaint in a timely fashion, Customer can contact the relevant European Union Data Protection Authorities (DPAs), United Kingdom Information Commissioners Office (ICO), or the Switzerland Federal Data Protection and Information Commissioner (FDPIC).