AXON CLOUD SERVICES PRIVACY POLICY
Last Updated: April 1, 2024
This Axon Cloud Services Privacy Policy (“Policy”) applies only to the information that Axon Enterprise, Inc. (“Axon”) collects and you or your employer (collectively, “Customer”) provide to Axon in connection with Customer’s use of Axon Cloud Services (as defined below). Axon's marketing sites and other public websites are governed by the Axon Privacy Policy. Usage of Axon Citizen is governed by the Axon Citizen Privacy Policy.
Unless otherwise provided in this Policy, this Policy is subject to the terms of the Master Services Purchasing Agreement, or other similar agreement, if any, between Axon and Customer (“Agreement”). A concept or principle covered in this Policy shall apply and be incorporated into all other provisions of the Agreement in which the concept or principle is also applicable, notwithstanding the absence of any specific cross-reference thereto. All capitalized and defined terms referenced, but not defined, in this Policy shall have the meanings assigned to them in the Agreement.
By using Axon Cloud Services, Customer acknowledges that Customer has read and understands this Policy. Axon may occasionally update this Policy. When Axon posts changes, Axon will revise the "last updated" date at the top of this page. Customer’s continued use of Axon Cloud Services will signify Customer’s acknowledgement of, and, to the extent allowed by law, agreement to and acceptance of, any such changes.
Definitions
“Axon Cloud Services” means Axon’s web services hosted on evidence.com including Axon Evidence, Axon Records, and Axon Dispatch, and other related offerings, including, without limitation, interactions between Axon Cloud Services and Axon Products (as defined below).
“Axon Products” means:
(1) Axon Cloud Services;
(2) devices sold by Axon (including, without limitation, conducted energy weapons, cameras, sensors, and docking systems) (collectively, “Axon Devices”);
(3) other software offered by Axon (including, without limitation, Axon Investigate, Axon Capture, Axon Evidence SYNC, Axon Device Manager, Axon View, Axon Interview, Axon Commander, Axon Uploader XT, and Axon View XL) (collectively, “Axon Client Applications”); and
(4) ancillary hardware, equipment, software, services, cloud-based services, documentation, and software maintenance releases and updates. Axon Products do not include any third-party applications, hardware, warranties, or the 'my.evidence.com' services.
“Customer Data” means:
(1) “Customer Content”, which means data uploaded into, ingested by, or created in Axon Cloud Services within Customer’s tenant, including, without limitation, media or multimedia uploaded into Axon Cloud Services by Customer (“Evidence”); and
(2) “Non-Content Data”, which means:
(a) “Customer Entity and User Data”, which means Personal Data and non-Personal Data regarding Customer’s Axon Cloud Services tenant configuration and users;
(b) “Customer Entity and User Service Interaction Data” which means data regarding Customer's interactions with Axon Cloud Services and Axon Client Applications;
(c) “Service Operations and Security Data”, which means data within service logs, metrics and events and vulnerability data, including, without limitation: (i) application, host, and infrastructure logs; (ii) Axon Device and Axon Client Application logs; (iii) service metrics and events logs; and (iv) web transaction logs;
(d) “Account Data”, which means information provided to Axon during sign-up, purchase, or administration of Axon Cloud Services, including, without limitation, the name, address, phone number, and email address Customer provides, as well as aggregated usage information related to Customer’s account and administrative data associated with the account; and
(e) “Support Data”, which means the information Axon collects when Customer contacts or engages Axon for support, including, without limitation, information about hardware, software, and other details gathered related to the support incident, such as contact or authentication information, chat session personalization, information about the condition of the machine and the application when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error-tracking files.
For purposes of clarity, Customer Content does not include Non-Content Data, and Non-Content Data does not include Customer Content.
“Data Controller” means the natural or legal person, public authority, or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data (as defined below).
“Data Processor” means a natural or legal person, public authority or any other body which processes Personal Data on behalf of the Data Controller.
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processor” means any third party engaged by the Data Processor to assist in data processing activities that the Data Processor is carrying out on behalf of the Data Controller.
Axon's Role
Axon is a Data Processor of Customer Content. Customer is a Data Controller and controls and owns all right, title, and interest in and to Customer Content and Axon obtains no rights to the Customer Content. Customer is solely responsible for the uploading, sharing, withdrawal, management and deletion of Customer Content. Customer grants Axon limited access to Customer Content solely to provide and support Axon Cloud Services to and for Customer and Customer’s end-users. Customer represents and warrants to Axon that: (1) Customer owns Customer Content; and (2) Customer Content, and Customer’s end-users’ use of Customer Content and Axon Cloud Services, does not violate this Policy or applicable data protection laws and regulations. Axon is not responsible for Customer’s privacy practices as a Data Controller. You should consult the Privacy Policy of the relevant customer to review these.
Axon may also collect, control, and process Non-Content Data. Axon is a Data Controller for Non-Content Data. Axon collects, controls, and processes Non-Content Data to provide Axon Cloud Services and to support the overall delivery of Axon Products including business, operational, and security purposes. With Non-Content Data, Axon may analyze and report anonymized and aggregated data to communicate with external and internal stakeholders. In regard to Customer Entity & User Data, Axon is a Data Controller and Customer is an independent Data Controller, not a joint Data Controller.
Data Collection Purposes and Processing Activities
CUSTOMER CONTENT
Axon will only use Customer Content to provide Customer Axon Cloud Services. Axon will not use Customer Content for any advertising or similar commercial purposes.
Axon periodically upgrades or changes Axon Cloud Services to provide customers with new features and enhancements in alignment with the Axon Evidence Maintenance Schedule. Axon communicates such upgrades or changes to customers one week prior to release via mechanisms outlined in the Maintenance Schedule. Changes to Axon Cloud Services may increase the capabilities of the service and ways in which Customer Content can be processed.
NON-CONTENT DATA
Non-Content Data includes data, configuration, and usage information about customer's Axon Cloud Services tenant, Axon Devices, Axon Client Applications, and users that is transmitted or generated when using Axon Products. Non-Content Data includes the following:
Customer Entity And User Data
Customer Entity and User Data includes personal and non-personal data regarding Customer's Axon Cloud Services tenant configuration and users. Axon uses Customer Entity and User Data to: (1) provide Axon Cloud Services, including, without limitation, user authentication and authorization functionality; (2) improve the quality of Axon Products or provide enhanced functionality and features; (3) contact Customer to provide information about its account, tenant, subscriptions, billing, and updates to Axon Cloud Services, including, without limitation, information about new features, security and other technical issues; and (4) market our products or services to Customer via email, by sending promotional communication including targeted advertisements, or presenting a Customer with relevant offers.
Customer cannot unsubscribe from non-promotional communications but may unsubscribe from promotional communications at any time such as by clicking on an unsubscribe button at the bottom of such communications.
Customer Entity and User Service Interaction Data
Customer Entity and User Service Interaction Data includes data regarding Customers' interactions with Axon Cloud Services and Axon Client Applications. Axon uses Customer Entity and User Service Interaction Data to improve the quality of Axon Products and provide enhanced functionality and features.
Service Operations and Security Data
Axon uses Service Operations and Security Data to provide service operations and monitoring.
Account Data
Axon uses Account Data to provide Axon Cloud Services, manage Customer's accounts, market to, and communicate with Customer.
Support Data
Axon uses Support Data to resolve Customer’s support incident, and to operate, improve, and personalize Axon Products. If Customer shares Customer Content to Axon in a support scenario, the Customer Content will be treated as Support Data but will only be used for resolving support incidents.
Axon may provide support through phone, email, or online chat. With Customer’s permission, Axon may use Guest Access (“GA”) to temporarily navigate Customer’s Axon Cloud Services tenant to view data in order to resolve a support incident. Phone conversations, online chat sessions, or GA sessions with Axon support professionals may be recorded and/or monitored for efforts such as training, future support, and evidentiary purposes.
International Data Transfers
Personal Data may be subject to international data transfers outside the European Economic Area (EEA), United Kingdom, and Switzerland, which will be regulated in accordance with the mechanisms set out in the GDPR, UK-GDPR, and the Swiss FADP respectively, to safeguard the rights and freedoms of the data subject and ensure a level of protection equivalent to that required by European, United Kingdom, and Swiss regulations.
Axon complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Axon has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Axon has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
Axon is subject to the investigatory and enforcement powers of the United States Federal Trade Commission regarding compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Axon commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. Under certain circumstances, you may also have the right to invoke binding arbitration. Axon maintains contracts with third parties with whom it shares Personal Data restricting their access, use and disclosure of Personal Data in compliance with Axon’s obligations under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, including the onward transfer provisions. Axon may be liable if we fail to meet those obligations.
If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
We will not rely on the Swiss-US Data Privacy Framework until it enters into force, but we adhere to its required commitments in anticipation of it doing so. The Standard Contractual Clauses (SCC) issued by the European Commission shall apply for international transfers of Personal Data from Switzerland in the meantime.
To the extent the above mechanisms cannot be used to adequately safeguard transfers outside the EEA, United Kingdom, or Switzerland, Axon will put in place alternate safeguards, as appropriate (such as SCCs).
For more information about the international transfer of Personal Data by Axon, please contact privacy@axon.com.
Server and Data Location
CUSTOMER CONTENT
Axon offers Axon Cloud Services in numerous geographic regions. Before creating an account in Axon Cloud Services, Customer determines where Axon will store Customer Content by designating an economic area.
Axon ensures that all Customer Content in Axon Cloud Services remains within the selected economic area, including, without limitation, all backup data, replication sites, and disaster recovery sites. Customer-selected economic areas can be determined through review of Customer's Axon Cloud Services URL. Customer URLs conform to the <youragency>.<regioncode>.evidence.com scheme with the exception of US customers where the scheme may exclude the region code and is <youragency>.evidence.com. US Federal customers conform to the scheme <youragency>.us.evidence.com.
NON-CONTENT DATA
Customer Entity and User Data
Customer Entity and User Data is located in Customer's selected economic area for Customer Content. Customer Entity and User Data may be copied or transferred to the United States.
Customer Entity and User Service Interaction Data
Customer Entity and User Service Interaction Data is located in Customer's selected economic area for Customer Content and the United States.
Service Operations and Security Data
Service Operations and Security Data is located in Customer's selected economic area for Customer Content and the United States.
Account Data and Support Data
Account and Support Data is located in the United States and may be located in Customer's selected economic area for Customer Content.
Information Sharing
Axon may share data with its subsidiaries, service providers and other partners to help us operate, including for providers to facilitate: (1) user account management, authentication, analytics, and communication, (2) product features, e.g. geolocation services, product development, and error analytics, (3) customer service and support, and (4) security monitoring and investigation.
In addition, Axon shares data with Axon’s sub-processors as described in the “Axon Sub-Processors” section below.
For more information about sharing of Personal Data by Axon, please contact privacy@axon.com.
Axon Sub-Processors
Axon may rely on Sub-processors to provide or enhance Axon Products on its behalf. Axon only permits Sub-processors to use Customer Content to deliver to the Customer services that Axon offers. Axon prohibits Sub-processors from using Customer Content for any other purpose. Ownership of rights, titles and interest in and to Customer Content remain with Customer.
Axon exercises commercially reasonable efforts in connection with contractual obligations to ensure its Sub-processors are compliant with all applicable data protection laws and regulations surrounding the Sub-processors’ access and scope of work in connection with Customer Content. Prior to onboarding Sub-processors, Axon audits the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to the scope of their services.
Axon maintains an up-to-date list of the names and locations of all Sub-processors for Customer Content here.
Axon will give Customer notice of any new Sub-processor. If you are a current Axon Cloud Services customer with a data processing agreement in place with Axon, you may subscribe here to receive notifications of a new Sub-processor(s) before Axon authorizes any new Sub-processor to process Customer Content in connection with the provision of your service.
TELECOMMUNICATION SUB-PROCESSORS
Axon Body 3 includes embedded cellular technologies used to connect to telecommunication networks in order to provide connectivity between Axon Body 3 and Axon Cloud Services. Cellular technologies enable Axon Aware services. Customer’s Axon Body 3 cameras will send data to the respective Axon Cloud Services region selected telecommunications providers as needed to enable cellular connectivity. Data includes Personal Data, such as location data. For Axon Body 3, Axon manages all cellular registration and account management associated to the cellular subscription. Personal Data of Customer is not collected by Axon or telecommunications providers for the purposes of cellular account management.
Outlined below are the telecommunication sub-processors. In regions where there is more than one telecommunication sub-processor, Axon will manage Customer’s Axon Body 3 cellular registration.
Required Disclosures
Axon will not disclose Customer Content except as required by any law or regulation. If permitted, Axon will notify Customer if any disclosure request is received for Customer Content so Customer may challenge or object.
Customer's Access and Choice
Customer Content
Customer can access Customer's tenant to manage Customer Content.
Axon will work with Customers to provide access to Personal Data that Axon or Sub-processors hold. Axon will also take reasonable steps to enable Customers to correct, amend, or delete Personal Data that is demonstrated to be inaccurate.
Non-Content Data
If at any time after registering an account on Axon Cloud Services you desire to update Personal Data you have shared with us, change your mind about sharing Personal Data with us, desire to cancel your Customer account, or request that Axon no longer use provided Personal Data to provide you services, please contact us at privacy@axon.com.
If you are in the European Economic Area, (“EEA”), United Kingdom or Switzerland, you can consult Your Rights here.
Certain data processing can be adjusted by Customer based on Axon Product usage, Customer network or device configuration, and administrative settings made available with Axon Cloud Services or Axon Client Applications.
Data Security Measures
Axon is committed to help protect the security of Customer Data. Axon has established and implemented policies, programs, and procedures that are commercially reasonable and in compliance with applicable industry practices, including administrative, technical and physical safeguards to protect the confidentiality, integrity and security of Customer Content and Non-Content Data against unauthorized access, use, modification, disclosure or other misuse.
Axon will take appropriate steps to ensure compliance with the data security measures by its employees, contractors and Sub-processors, to the extent applicable to the respective scope of performance.
CONFIDENTIALITY
Customer Content and Non-Content Data are encrypted in transit over public networks. Customer Content is encrypted at rest in all Axon Cloud Service regions.
Axon protects all Customer Content and Non-Content Data with strong logical access control mechanisms to ensure only users with appropriate business needs have access to data. Third-party specialized security firms periodically validate access control mechanisms. Access control lists are reviewed periodically by Axon.
INTEGRITY
As Evidence is ingested into Axon Cloud Services, a Secure Hash Algorithm (“SHA”) checksum is generated on the upload device and again upon ingestion into Axon Cloud Services. If the SHA checksum does not match, the upload will be reinitiated. Once upload of Evidence is successful, the SHA checksum is retained by Axon Cloud Services and is made viewable by users with access to the Evidence audit trail for the specific piece of Evidence. Tamper-proof audit trails are created automatically by Axon Cloud Services upon ingestion of any Evidence.
AVAILABILITY
Axon takes a comprehensive approach to ensure the availability of Axon Cloud Services. Axon replicates Customer Content over multiple systems to help to protect against accidental destruction or loss. Axon Cloud Services systems are designed to minimize single points of failure. Axon has designed and regularly plans and tests its business continuity planning and disaster recovery programs.
ISOLATION
Axon logically isolates Customer Content. Customer Content for an authenticated customer will not be displayed to another customer (unless Customers explicitly create a sharing relationship between their tenants or shared data between themselves). Centralized authentication systems are used across an Axon Cloud Service region to increase uniform data security.
Additional role-based access control is leveraged within Customer’s Axon Cloud Service tenant to define which users can interact with or access Customer Content. Customer solely manages the role-based access control mechanisms within its Axon Cloud Services tenant.
Within the Axon Cloud Services supporting infrastructure, access is granted based on the principle of least privilege. All access must be approved by system owners and undergo at least quarterly user access reviews. Any shared computing or networking resource will undergo extensive hardening and is validated periodically to ensure appropriate isolation of Customer Content.
Non-Content Data is logically isolated within information systems such that only appropriate Axon personnel have access.
PERSONNEL
Axon personnel are required to conduct themselves in a manner consistent with applicable law, the company’s guidelines regarding confidentiality, business ethics, acceptable usage, and professional standards. Axon personnel must complete security training upon hire in addition to annual and role-specific security training.
Axon personnel undergo an extensive background check process to the extent legally permissible and in accordance with applicable local labor laws and statutory regulations. Axon personnel supporting Axon Cloud Services are subject to additional role-specific security clearances or adjudication processes, including Criminal Justice Information Services background screening and national security clearances and vetting.
Data Breach
NOTIFICATION
If Axon becomes aware that Customer Data has been accessed, disclosed, altered, or destroyed by an unlawful or unauthorized party, Axon will notify relevant authorities (where required) and affected customers.
Within 48 hours of an incident confirmation, Axon will notify Customer administrators registered on Axon Cloud Services. Authorities will be notified through Axon's established channels and timelines. The notification will reasonably explain known facts, actions that have been taken, and make commitments regarding subsequent updates. Additional details are available in the Axon Cloud Services Security Incident Handling and Response Statement.
Data Portability, Migration, and Transfer Back Assistance
DATA PORTABILITY
Evidence uploaded to Axon Cloud Services is retained in original format. Evidence may be retrieved and downloaded by Customer from Axon Cloud Services to move data to an alternative information system. Evidence audit trails and system reports may also be downloaded in various industry-standard, non-proprietary formats.
DATA MIGRATION
In the event Customer’s access to Axon Cloud Services is terminated, Axon will not delete any Customer Content during the 90 days following termination. During this 90-day period, Customer may retrieve Customer Content only if Customer has paid all amounts due (there will be no application functionality of the Axon Cloud Services during this 90-day period other than the ability for Customer to retrieve Customer Content). Customer will not incur any additional fees if Customer downloads Customer Content from Axon Cloud Services during this 90-day period. Axon has no obligation to maintain or provide any Customer Content after the 90-day period and thereafter, unless legally prohibited, may delete Customer Content upon termination as part of normal retention and data management instructions from customers. Upon written request, Axon will provide written proof that all Customer Content has been successfully deleted and removed from Axon Cloud Services.
POST-TERMINATION ASSISTANCE
Axon will provide Customer with the same post-termination data retrieval assistance that is generally made available to all customers. Requests for additional assistance to Customer in downloading or transferring Content will result in additional fees and Axon cannot warrant or guarantee data integrity or readability in the external systems.
Data Retention, Restitution, and Deletion
Axon maintains internal disaster recovery and data retention policies in accordance with applicable laws and regulations. The disaster recovery plan relates to Axon's data and extends to Axon Cloud Services and Customer Content stored within. Axon's data retention policies relate to Axon's Non-Content Data. Axon's data retention policies provide for the secure disposal of Non-Content Data when such data is no longer necessary for the delivery and support of Axon products and services and in accordance with applicable regulations. We will retain Non-Content Data for as long as needed to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements. As outlined below, Customer is responsible for adhering to its own retention policies and procedures.
Evidence Retention
Customer defines Evidence retention periods pursuant to Customer’s internal retention policies and procedures. Customer can establish its retention policies within Axon Cloud Services. Therefore, Customer controls the retention and deletion of its Evidence within Axon Cloud Services. Axon Cloud Services can automate weekly messages summarizing upcoming agency-wide deletions to all customer Axon Cloud Services administrators. Customer users can receive a weekly message regarding Evidence uploaded within their user account to protect against accidental deletions. Customer can recover Evidence up to 7 days after Customer queues such Evidence for deletion. After this 7-day grace period, Axon Cloud Services initiates deletion of Evidence. Data deletion processing may occur asynchronously across storage systems and data centers. During and after data deletion processing, Evidence will not be recovered or recoverable by any party.
Accountability
As outlined herein, Axon is committed to maintaining compliance with relevant security and privacy standards to ensure the continued security, availability, integrity, confidentiality, and privacy of Axon Cloud Services and Customer Data stored within.
In addition to the security efforts outlined herein, Axon will maintain its ISO/IEC 27001:2013 certification or comparable assurances for Axon Cloud Services. Customers may review the certificate.
Insurance
Axon will maintain, during the term of the Agreement, a cyber-insurance policy and will furnish certificates of insurance following Customer's written request.
How to Contact Us
Axon commits to resolve complaints about Customer privacy and use of Axon Products. Complaints surrounding this Policy can be directed to Customer's local Axon representative or privacy@axon.com. If Customer has any questions or concerns regarding privacy and security of Customer Content or Axon's handling of Customer's Personal Data, please contact privacy@axon.com.
If Customer is a European Union citizen, a United Kingdom citizen, or a citizen of Switzerland and we are unable to satisfactorily resolve any complaint or if Axon fails to acknowledge Customer's complaint in a timely fashion, Customer can contact the relevant European Union Data Protection Authorities (DPAs), United Kingdom Information Commissioner’s Office (ICO), or the Switzerland Federal Data Protection and Information Commissioner (FDPIC).