
Tenable GDPR Alignment

On May 25th, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect. GDPR gives individuals greater access to their personal information and control over how it is used. This new standard gives all EU residents a consistent approach to the protection of their data. GDPR applies to all organizations that collect, process, or store Personal Data about EU residents and to organizations that transfer or receive such information outside of the EU.

Tenable provides a suite of products for Cyber Exposure (including Vulnerability Management, Audits, and Policy Compliance assessments) which are hosted on the Tenable.io platform. Our role as a “Data Processor” as defined by GDPR is focused on Tenable.io; we do not store your Scan Data when you use our on-premise offerings such as Tenable.sc and Nessus Professional. The term “we” herein refers to “Tenable Network Security Ireland Limited”, “Tenable, Inc.”, or “Tenable Public Sector LLC” (depending on your jurisdiction).

Tenable is committed to safeguarding our customers’ data, regardless of where in the world the customers may reside. With specific regard to GDPR, we’ve updated our Privacy Policy to make it easier to understand two things: 1) your rights to manage and control the Personal Data we process on your behalf and 2) how to control our use of your data. In addition, we provide details about your choices in how we process data on your behalf.

Data collected by the customer and processed by Tenable

Tenable processes several types of data from customers to both manage customer relationships and satisfy contractual obligations. We also use this data to support the functionality of our product suite. We process information about you when you provide it to us and when you use our Services.

You (the customer) are the “Data Controller” as defined by GDPR for the Personal Data relating to Data Subjects (typically, your employees) which resides on your networks. When you initiate a Scan on your data, you collect Scan Data based on what resides on your networks. You are the only one who knows (or is capable of knowing) to what extent Personal Data may or may not reside on your networks.

If you collect Personal Data during a Scan and then store the Scan Data in Tenable.io through your use of our services, we act as a “Data Processor” as defined by GDPR. We only process Personal Data on your behalf when it satisfies a legitimate interest, such as providing customer support, feature personalization, or protecting the safety and security of our services.

You have the option at any time to request that Personal Data not be collected when you use Tenable for vulnerability scans, audits, and policy compliance assessments. We refer to this as “Light Collection Mode”, described below.

Types of Data We Process on Your Behalf

Tenable processes three primary types of data:

  1. User Information
  2. Telemetry Data
  3. Scan Data

User Information

Tenable processes personal data from customers about their Admin Users subsequent to the initial account setup and configuration, where you collect and provide us with such information. We do the same for any subsequent Admin Users that you create. This includes:

  • Business contact information - first name, last name, work phone number (for two-factor authentication), work email address, and an optional secondary email address
  • Username (typically an email address) and a password (which is anonymized for Tenable)

In addition, Tenable logs the IP address every time an Admin User logs into Tenable.io.

How Tenable uses User Information

Business contact information is used only by Tenable for essential customer service and support purposes.

We take protecting your data seriously and we only use this Personal Data to satisfy our contractual obligations to you. We do not sell or disclose this information to any third party.

How Tenable uses Telemetry Data

Tenable collects Product Usage Telemetry data about how you interact with the Tenable.io Service. We analyze this data to troubleshoot technical issues and to improve or optimize our product design.

Examples of Product Usage Telemetry Data include:

  • What screens a customer looks at
  • The length of time a customer spends on a screen
  • What functions a customer clicks on
  • What features a customer uses and how
  • What web browser and browser version a customer uses

Product Usage Telemetry Data does not contain Personal Data as defined by GDPR.

Scan Data

When you initiate a scan – for example, asset discovery, vulnerability assessment, audit, or Policy Compliance scans – you also generate Scan Data. You conduct these scans using a “Scanner” situated within your environment. We store your Scan Data in the Tenable.io Cloud Service. Only your Admin Users can access your Scan Data.

The Nessus plugins you select determine the scope of your Scan Data. The return values of all plugins are aggregated and constitute the resulting “Scan Data”.

Scan Data generally includes information about your:

  • Computer assets
  • Computer networks
  • Network and system architecture
  • Computer hardware
  • Computer operating system and software types, versions, and associated configuration data

Scan Data is confidential because it contains information about your assets, their configuration and policy settings, and potential vulnerabilities. It is possible that a subset of your Scan Data may contain Personal Data -- such as usernames and email addresses -- as necessary to help you with remediation.

In this case, Tenable stores this Personal Data in Tenable.io. As such, we act as a Data Processor and our Data Protection Addendum (DPA) applies.

You are the only party that knows or is capable of knowing what Personal Data resides in your environment and what could be included in the Scan Data.

Scan Data Usage

Solution Functionality

You collect Scan Data for your own use. Tenable stores it and makes it available to you via Tenable.io. We process Scan Data on your behalf to provide reports on topics such as vulnerability management, analysis, audits, and policy compliance.

Research and Development

We anonymize and aggregate a subset of the Scan Data to generate insights about product usage, end user behavior, vulnerability prevalence, and general service and product trends. We may use Scan Data to generate aggregated, anonymized benchmarking metrics to eventually provide new service features, research white papers, and studies. None of these metrics can be linked back to a specific customer, and they do not include any Personal Data.

How we secure your data

Data storage and security

We take securing and protecting your data very seriously and follow industry leading practices to safeguard it.

Infrastructure security

Amazon AWS

We use Amazon Web Services (AWS) Cloud for Tenable.io service delivery. AWS provides rich security measures and capabilities that we use to protect our infrastructure. These include:

  • DDoS mitigation
  • Web application firewalls
  • Network firewalls
  • Encryption in transit across all services
  • Inventory and configuration management
  • Identity and access control

Tenable Security

We designed our information security management program with one goal in mind -- to safeguard our customers’ data. Our mature program includes:

  • Threat & Vulnerability Management
  • Patch Management
  • Security Monitoring
  • 2-Factor Authentication
  • Role-based access
  • Penetration Testing

Data Security

We deploy multiple layers of data security measures including, but not limited to, Amazon’s data encryption capabilities - specifically, Amazon Server-Side Encryption and Amazon’s Key Management Service.

What if there is a Data Breach?

While we follow industry leading practices and implement safeguards and measures designed to protect your information, no security system is impenetrable. We cannot guarantee that your data is absolutely safe from intrusion by others. That’s why we have implemented an Incident Response Program, and in the case of any potential breach that has implications for GDPR, we follow the GDPR Data Breach Notification regulations to ensure that your rights are protected.

How long do we retain your data

Our data retention policies vary across the various data types and the purpose for which they are processed. Read on for more detail.

Customer User Information

We retain the information for your Admin Users for as long as you remain a Tenable customer or until you remove selected Admin User accounts. If you sever your customer relationship with Tenable, we delete the entire Tenable.io container with both your Scan Data and Admin User data. We make exceptions for certain Customers to resolve disputes, enforce contractual agreements, support business operations or fulfil legal obligations.

Customer Scan Data

For your use and to meet regulatory requirements, we retain your Scan Data for the default time periods outlined below.

Data Retention Periods for Scan Data

Scan Data Type Retention period

*this is the minimum required retention period for PCI Scan Data

Access & control of Personal Data

The GDPR defines an individual’s rights for the access to and control of their Personal Data. We will assist you in exercising the following rights on behalf of your EU-based data subjects whose data we may process:

  • The right to request a copy of their Personal Data
  • The right to correct their Personal Data
  • The right to delete their Personal Data

Admin User Data Subject

Primary Admin Users can add, delete, and correct Personal Data about themselves or other Admin Users in the Tenable.io user configuration.

Individual Data Subjects

You control your organization’s data and may receive requests from data subjects who wish to exercise their rights under GDPR. Tenable can help you fulfill requests to confirm, correct, or delete such Personal Data upon request. We are also developing self-service capabilities so you can handle these requests autonomously.

Light Collection Mode

As mentioned above, Tenable offers customers the option to use our Light Collection Mode to minimize the Personal Data collected by Plug-ins during Scans. In Light Collection Mode, our plugins anonymize Personal Data so that it is not collected or stored in Tenable.io.

Details of the Anonymization Process

Plugins return data as necessary to describe the state or configuration of the asset during various types of scans. In some cases, Personal Data is critical information for subsequent assessments and/or remediation. Anonymization permanently and irreversibly modifies elements of Personal Data at the moment you collect them. This means Tenable never processes the original value of the Personal Data.

Customer Provided Data

In certain circumstances, you may introduce Personal Data to Tenable.io without our knowledge. Should this happen, we will not anonymize such data and you will be responsible for such data.

Scan Data from Customer Developed Plug-Ins

You can develop your own Plug-ins for Scans. When running your own Plug-ins, the Scan Data results are stored in Tenable.io. This Scan Data may contain Personal Data.

Customer Imported Data

You may import external data through APIs from third parties into Tenable.io containing Personal Data.

How we use Data Sub-Processors

We share certain information with third-party service providers such as hosting services, storage, or virtual infrastructure vendors. These companies help us to operate and process your data to improve and customize your user experience. Any third-party service provider that is required to process your information must do so under our instruction. We require all of these vendors to be GDPR compliant and to protect your information through the appropriate policies and procedures.

Third Party Data Sub-processors

For a list of our Sub-processors, click here.
