Axon recognizes that customers place great trust in us to secure data. We know our customers and the communities they serve deeply care about the security and privacy of data stored within Axon's systems. We are committed to maintaining this trust.
With the global adoption and trending focus on expansive data protection and privacy regulation, Axon believes that the need for secure and thoughtful data collection, management, and sharing functionality within public safety has never been stronger. Many traditional solutions and technologies were not designed to uphold modern data protection practices and have fundamentally become obstacles in adhering to the data protection and privacy norms in the 21st century.
Axon is confident that Axon Cloud Services and Axon Products enable customers to implement governance over the collection, handling, management and sharing of data to adhere to their applicable data protection and privacy requirements.
Axon is committed to continuing to develop and enhance Axon's products to ensure customers can meet data protection and privacy expectations from their communities and regulatory environment when using Axon products. Many of these commitments are supported by Axon's Compliance programs, such as ISO 27018:2014 certification. As a cloud service provider, Axon will work to maintain a continued partnership with our customers and communities to enable a fair and effective justice system.
Axon Data Classification
Customer Data means Customer Content and Non-Content Data.
Customer Content is data uploaded into, ingested by, or created in Axon Cloud Services within a Customer’s tenant. For clarity, Customer Content includes Evidence but does not include Non-Content Data.
Evidence is media or multimedia uploaded into Axon Evidence as 'evidence' by a Customer. Evidence is a subset of Customer Content.
Considerations for Data Sharing Partners
Axon is proud to lead the way in developing Artificial Intelligence (AI) technology for the public safety community. Axon has developed the Axon AI Data Sharing program to enable machine learning based technology advancements within public safety. Within the program, enrolled agencies enable Axon to securely access Customer Data to train AI models.
Using machine learning enables Axon to develop advanced technologies to enhance the effectiveness of public safety. Any such data sharing is supported on a contractual basis and opted into by each individual customer. Axon extends its commitment to security, privacy and compliance to data within this program. Currently, the program is only open to customers based in the United States.
Additional detail about the Axon AI Data Sharing program is available here: Data Sharing Reference Guide.
We also encourage a review of our commitments to the ethical application of AI technologies here.
Frequently Asked Questions:
What are some examples of privacy and data protection features in Axon products?
Axon has prepared the following document to highlight a selection of privacy-focused features available in Axon products. This is not an exhaustive listing. Axon Products & EU Data Protection Reform 2018-11-19.pdf
Can Axon help me determine privacy or data protection impacts when using Axon Products?
Yes, Axon is available to assist in a privacy impact assessment or data protection impact assessment, including providing responses to common considerations when using Axon Cloud Services. Axon has prepared an impact assessment template, Data Protection Impact Assessment Guidance for Axon Cloud Services, to assist customers. Additionally, customers can contact firstname.lastname@example.org for additional assistance and discussion.
Does Axon respond to government requests for data?
If a government, domestic or foreign, demands Customer Data residing within Axon Evidence.com, it must follow the applicable legal process, serving Axon with a court order for content or a subpoena for information. Axon would redirect such requests to the customer that owns the data. If compelled to disclose data, Axon would notify the customer and provide a copy of the demand, unless legally prohibited from doing so. Axon is also willing to work with the customer if the customer desires to apply for a protective order or motion to quash.
Where is Customer Content data stored and processed?
Can Axon personnel access Customer Content?
Axon contractually commits that customers control and own all right, title, and interest in and to their Customer Content. Axon obtains no rights to such content and commits to not accessing Evidence data without the explicit authorization from the customer. The only exception to accessing Evidence data without explicit customer authorization would be in the event of a system emergency where access may be utilized to ensure the operability and continuity of the service. Only a small team of Axon system administrators have the potential to execute such access and must be authenticated using 2 factors prior to gaining system access. These system administrators have undergone and are continually subject to background check procedures and system usage monitoring. Any Evidence data access by Axon personnel is closely logged, monitored and correlated to appropriate business need by the Axon Information Security team.
Axon personnel will have access to Customer Content for customers who are enrolled and share data with Axon as part of the Axon AI Data Sharing Program. Additional detail about the Axon AI Data Sharing program is available here: Data Sharing Reference Guide.
Does data transmitted to/from Axon Cloud Services remain in my country or region?
By default, Axon Cloud Services are delivered over the public internet. Due to the nature of the public internet, Axon cannot guarantee that data transmitted remains in the Customer's selected region. However, all data transmitted to and from Axon Cloud Services is encrypted (more details on Axon's encryption protocols are located here).
If a Customer desires to not communicate with Axon Cloud Services over the public internet, Axon can support customers that leverage private connections from a Customer to Axon's underlying infrastructure provider in their region. Restrictions can be implemented within Axon Cloud Services to ensure data transfer only occurs over such a connection. To further evaluate private connection options and considerations, please contact your Axon Sales Representative or Sales Engineer.
How would Axon handle a data breach or security incident?
Axon has implemented security monitoring and incident response policies and practices for Axon Cloud Services, including Evidence.com, which follow industry best practice standards. Incident Management policies and procedures are tested and meet Axon's comprehensive compliance program requirements including ISO/IEC 27001:2013, SOC 2+ Reporting, FedRAMP Moderate, and the U.S. FBI CJIS Security Policy. Learn more about Axon's approach to incident handling in the Axon Cloud Services Security Incident Handling and Response Statement.
How the EU’s Court of Justice decision in "Schrems II" on July 16, 2020 impacts Axon Customers.
To comply with EU data protection laws around international data transfer mechanisms, Axon self-certifies under the EU-US Privacy Shield framework. This framework was developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and the United Kingdom to the United States.
In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses (SCCs), as another appropriate mechanism for these types of transfers.
The EU’s Court of Justice decision in "Schrems II" on July 16, 2020, invalidated the EU-US Privacy Shield framework. Although this ruling invalidated the use of the EU-US Privacy Shield framework moving forward, we can still rely on other transfer mechanisms including the SCCs.
As an additional layer of protection, our agreements may have overlapping protections under both the Standard Contractual Clauses and the EU-US Privacy Shield framework.
Since each of our agreements is specific to each customer, we ask customers to review their agreement to determine if it relies on the EU-US Privacy Shield framework, the Standard Contractual Clauses, or both. If it relies on the Standard Contractual Clauses or both, rest assured no update will be required to the agreement. If it relies only on the EU-US Privacy Shield framework, then we ask that they reach out to their Sales Manager/Customer Success Manager, who will work with each customer to execute the Standard Contractual Clauses, if necessary.
We will continue to monitor the evolution of international data transfer mechanisms under the GDPR & LED, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.