About data provision
Kaspersky Security for Microsoft Office 365 protects Exchange Online mailboxes, OneDrive users and SharePoint Online sites managed through Office 365. To use the full functionality of Kaspersky Security for Microsoft Office 365, you must create a user account on the website of the Right Owner (Kaspersky). You can use an existing Kaspersky Business Hub account or create a new one by providing your email address, company name, and a password.
Kaspersky processes and uses this information only to ensure the functionality of Kaspersky Security for Microsoft Office 365, unless you agree to use the information for other purposes (for example, to receive a news feed about Kaspersky products and services to your email address).
By creating a user account and connecting the application to Office 365, you confirm that you are the sole owner of any data you provide and that you are entitled to provide such data.
Kaspersky Security for Microsoft Office 365 may receive, store, and process the types of data that is described below for the purpose of protecting Exchange Online mailboxes, OneDrive users and SharePoint Online sites.
The data may migrate between Kaspersky Security for Microsoft Office 365 servers within the same data center during technical maintenance or to ensure correct load balancing. Metadata of quarantined items is stored in the same data center. You select the data center when you create a workspace on Kaspersky Business Hub for your company.
Kaspersky protects any information received in this way as prescribed by law and the applicable rules of Kaspersky. Data are transmitted over encrypted communication channels.
The data that is used for protecting Exchange Online mailboxes:
- Office 365 Global Administrator credentials required for authorizing the creation of a Service Account with the necessary permissions in Exchange Online.
The application does not depend on the Global Administrator account after the Service Account has been created, and does not store its credentials for future use.
- Service Account credentials used to connect the application to Exchange Online Quarantine.
- A list of all mailboxes and a list of user display names of the protected Office 365 organization used to promptly connect to Exchange Online after Kaspersky Security for Microsoft Office 365 is restarted.
- Email messages and appointments, message attachments, and X-headers.
The application receives these items for scanning and processes them according to the protection settings. Email messages and items are not stored in the Kaspersky Security for Microsoft Office 365 infrastructure.
- The metadata of email messages (sender, recipient, subject, primary SMTP address of the related mailbox).
- The email address specified during registration and the corresponding IP-address.
This information is required to ensure correct application event logging. The registration email address is also used to notify the Administrator about application events.
- Application settings configured by the Administrator in the Management Console.
- The email address specified for new Administrator of the application.
- Tenant ID for Office 365 organization.
- The flag indicating that mailbox has Exchange Online license.
- Email addresses excluded from scanning.
- Email addresses specified in notification settings.
- Statistics on application operations on email messages (senders, recipients, subjects and scan results).
- Names of Active Directory groups, IDs of the groups, and information about group membership.
- A list of Office 365 plans for users.
The data that is used for protecting OneDrive users:
The data that is used for protecting SharePoint Online sites:
- A list of all SharePoint Online sites under control of the User.
- All SharePoint lists.
- Files that are stored on protected SharePoint Online sites and their complete metadata. The Product receives these files for scanning and processes them according to the protection settings. Files stored on SharePoint Online sites are not stored in the Kaspersky Security for Microsoft Office 365 infrastructure.
- Name and path to file stored on SharePoint Online site.
- Display name of the user, application or device that modified file stored on SharePoint Online site.
- List of versions of file stored on SharePoint Online site.
- Drive identifier from OneDrive and its SharePoint identifiers: ListID, SiteID, SiteURL, WebID.
- Notifications about creation, modification or deletion of file stored on SharePoint Online site with file attributes and performed actions.
- The email address specified during registration and the corresponding IP address.
- Product settings available at Portal.
- The email address specified for new administrator of the Product.
- Tenant ID for Office 365 organization.
- Email addresses specified in notification settings.
- Statistics of Product operations on files stored on SharePoint Online sites (users display names, site names, file names and scan results).
Kaspersky will retain the above-listed data in restricted mode for the specified duration following the license expiration or termination so that you can extract the data related to your Office 365 organization from its databases.
The above-listed data has the following retention period:
- 31 days after expiration of the trial license, if no commercial license has been assigned to the application.
- 181 days after expiration of the commercial license, if it has not been renewed.
Exceptions to this rule are the following types of data:
- Quarantine-related data. The retention period for messages and files moved to Quarantine is 30 days.
- Statistics on application operations. The retention period for statistical data is 92 days.
After the retention period is over, all the data described above are removed from application databases.
Kaspersky Security for Microsoft Office 365 uses Kaspersky Security Network to improve detection of new threats and their sources. The following data will be processed by Kaspersky on a regular basis to protect Exchange Online mailboxes, OneDrive users and SharePoint Online sites from known threats to information security:
- IP address belonging to the sender of the scanned message.
- Checksums (MD5, SHA2-256, SHA1) of the scanned object.
- Web address for which the reputation is being requested.
- Top-level domain names used in web addresses in the scanned messages.
- Checksum (MD5) of the names of files attached to the message.
- Number of IP addresses (v4 and v6) in the message header and a flag indicating the address belonging to the local or external network.
- Irreversible hash function of domain names in the header of the scanned message.
- Message scan result and spam rating.
- Checksum (MD5) of the scanned message sender's email address.
- Web addresses from scanned messages with deleted passwords.
- Checksums (MD5) of graphic objects included in the message.
- Short text signatures composed of message text used for filtering known spam mailings, and application decisions about them (only irreversible text digests that cannot be used to recover the original text are processed; the text itself is not transmitted to Kaspersky).
- IP addresses of the message sender and intermediate mail servers, sender’s mail client version, message ID, information about the completion of message fields, the checksum (CRC32) of message fragments defined by markup language, sender domain names taken from the SMTP session and MIME-header, checksums (CRC23) of the sender name taken from the SMTP-session and MIME-header, checksums (CRC32) of the sender's name and domain taken from the SMTP session.
- Lexical diversity coefficient: a measurable parameter of a set-length text showing vocabulary wealth. It is calculated as a ratio of the number of certain lemmas and the number of their appearance in the text.
- Average sentence length.
- Average word length.
- Number of commas.
- Number of semicolons.
- Number of quotes.
- Number of exclamation marks.
- Number of question marks.
- Number of line breaks.
- Number of brackets.
- Number of links.
- Message time.
- Presence of certain words and the frequency of their usage.
- Web address that was detected by the Anti-Phishing module as relevant to phishing.
- Numerical identifiers of companies with well-known brands that are often used to add credibility to phishing messages and are detected in the scanned email message.
- Numerical values of trust level and weight for phishing detection calculated by the Anti-Phishing module. Status of phishing detection with category of phishing determined by Anti-Phishing module.
- Unique identifier, which indicates that web addresses were detected in the text of the same scanned email message.
- The first IP address from the "Received" message headers that is not reserved for local networks.
The following data will be processed by Kaspersky on a regular basis to ensure uninterrupted operation of the application:
- Message size.
- Scanned object size and type.
- Message subject.
- Message ID.
- Exchange Web Services (EWS) object ID.
- Anonymized mailbox name and anonymized primary SMTP address.
- Name of Office 365 organization.
- Message timestamp.
- Anonymized message sender.
- Anonymized message recipients.
- Message scan result.
- IP address and anonymized email address of the Administrator who modified application settings.
- The list of settings that have been modified, without indicating the actual parameter values.
- Kaspersky Security for Microsoft Office 365 organization ID, date of organization setup, IP address of the computer used to set up the organization.
- License type: trial / commercial / commercial (subscription) / NFR.
- Number of detections with the following statuses assigned: Clean / Infected / Spam / Mass mail / Phishing /Attachment filtering.
- Number of objects in Kaspersky Security for Microsoft Office 365 Quarantine and Exchange Online Quarantine.
- Total number of mailboxes in the organization, number of mailboxes covered by the license, and number of mailboxes selected for protection.
- Anonymized display name of OneDrive user.
- Anonymized display name of the user that modified the file on OneDrive.
- Display name of the application or device that modified the file on OneDrive.
- OneDrive file ID, name and path.
- The checksum of the OneDrive file.
- Date and time of OneDrive file creation or modification.
- OneDrive file size.
- OneDrive file scan result.
- Total number of OneDrive users in the organization, number of OneDrive users covered by the license, number of OneDrive users selected for protection.
- Total number and the list of all SharePoint Online sites in the organization, number and list of SharePoint Online sites selected for protection, number of SharePoint Online sites covered by the license.
- All SharePoint lists.
- Anonymized display name of the user that uploaded or modified the file on the SharePoint Online site.
- Display name of the application or device that modified the file stored on the SharePoint Online site.
- The checksum of the file stored on the SharePoint Online site.
- Creation or modification date and time of the file stored on the SharePoint Online site.
- ID, name, and path to the file stored on the SharePoint Online site.
- The list of versions of the file stored on the SharePoint Online site.
- Size of the file stored on the SharePoint Online site.
- Scan result of the file stored on the SharePoint Online site.
In addition to logging the application activity, Kaspersky tracks changes in the application configuration. These details are recorded in the audit log. The audit log files contain the details on the following actions and procedures:
- Connecting the application to your Office 365 organization.
- Managing the Service Account.
- Specifying the protection scope.
- Modifying the protection and notification settings.
- Managing quarantined items.
- Managing licenses.
The audit log retention period is 180 days.
All the data specified above can also be used to offer the users security solutions that best match their needs.
Upon your request, Kaspersky can extract any data related to your Office 365 organization from Kaspersky databases and submit them for your revision. If necessary, this data can also be deleted from the Kaspersky infrastructure. The service period for such requests is 1 calendar month. However, please note that an automatic retention period of 14 days is set for the following types of data:
- Application activity logs and dump files.
- SQL database backup.
Please note that the backed up messages and files are stored not on Kaspersky servers but in the hidden folders of the corresponding mailboxes in your Exchange Online infrastructure and the corresponding folders in your OneDrive storage. If you do not want to store the quarantined items any longer, remove them manually.
Kaspersky reserves the right to use received data to generate reports on information security risks.
All the data specified above can also be used for considering possibilities of basic services extension.