Privacy
Axon recognizes that customers place great trust in us to secure data. We know our customers and the communities they serve deeply care about the security and privacy of data stored within Axon's systems. We are committed to maintaining this trust.
With the global adoption and trending focus on expansive data protection and privacy regulation, Axon believes that the need for secure and thoughtful data collection, management, and sharing functionality within public safety has never been stronger. Many traditional solutions and technologies were not designed to uphold modern data protection practices and have fundamentally become obstacles in adhering to the data protection and privacy norms in the 21st century.
Axon is confident that Axon Cloud Services and Axon Products enable customers to implement governance over the collection, handling, management and sharing of data to adhere to their applicable data protection and privacy requirements.
Axon is committed to continuing to develop and enhance Axon's products to ensure customers can meet data protection and privacy expectations from their communities and regulatory environment when using Axon products. Many of these commitments are supported by Axon's Compliance programs, such as ISO 27018:2014 certification. As a cloud service provider, Axon will work to maintain a continued partnership with our customers and communities to enable a fair and effective justice system.
Axon Data Classification
Being transparent starts with establishing a common set of terms to describe data within a system. The primary data classifications are explained below; the Axon Cloud Services Privacy Policy provides in-depth details regarding these data classifications and associated data processing activities.
Customer Data means Customer Content and Non-Content Data.
Customer Content is data uploaded into, ingested by, or created in Axon Cloud Services within a Customer’s tenant. For clarity, Customer Content includes Evidence but does not include Non-Content Data.
Evidence is media or multimedia uploaded into Axon Evidence as 'evidence' by a Customer. Evidence is a subset of Customer Content.
Non-Content Data is data, configuration, and usage information about a customer's Axon Cloud Services tenant, Axon Devices, Axon Client Applications, and users that is transmitted or generated when using Axon Products. Non-Content Data also includes data about customers and users captured during account management and customer support activities. Non-Content Data includes many data classifications described within the Axon Cloud Services Privacy Policy. Non-Content Data does not include Customer Content.
Frequently Asked Questions:
What are some examples of privacy and data protection features in Axon products?
Axon has prepared the following document to highlight a selection of privacy-focused features available in Axon products. This is not an exhaustive listing. Axon Products & EU Data Protection Reform 2018-11-19.pdf
Can Axon help me determine privacy or data protection impacts when using Axon Products?
Yes, Axon is available to assist in a privacy impact assessment or data protection impact assessment, including providing responses to common considerations when using Axon Cloud Services. To assist customers, Axon has prepared an impact assessment template, Data Protection Impact Assessment Guidance for Axon Cloud Services. Additionally, customers can contact privacy@axon.com for additional assistance and discussion.
Does Axon respond to government requests for data?
If a government, domestic or foreign, demands Customer Data residing within Axon Evidence.com, it must follow the applicable legal process, serving Axon with a court order for content or a subpoena for information. Axon would redirect such requests to the customer that owns the data. If compelled to disclose data, Axon would notify the customer and provide a copy of the demand, unless legally prohibited from doing so. Axon is also willing to work with the customer if the customer desires to apply for a protective order or motion to quash.
Where is Customer Content data stored and processed?
Axon Cloud Services are offered in numerous geographic regions. Customers determine which regional deployment of Axon Cloud Services they wish to utilize prior to agency creation in Evidence.com. Axon ensures that all Customer Content in Axon Cloud Services remains within the selected economic area, including any backup data, replication sites, and disaster recovery sites. Additional details are provided in the Axon Cloud Services Privacy Policy.
Can Axon personnel access Customer Content?
Axon contractually commits that customers control and own all right, title, and interest in and to their Customer Content. Axon obtains no rights to such content and commits to not accessing Evidence data without explicit authorization from the customer. The only exception to accessing Evidence data without explicit customer authorization would be in the event of a system emergency where access may be utilized to ensure the operability and continuity of the service. Only a small team of Axon system administrators has the potential to execute such access, and its members must be authenticated using 2 factors prior to gaining system access. These system administrators have undergone and are continually subject to background check procedures and system usage monitoring. Any Evidence data access by Axon personnel is closely logged, monitored and correlated to appropriate business need by the Axon Information Security team.
Axon personnel will have access to Customer Content for customers who are enrolled and share data with Axon as part of the Axon Customer Experience Improvement Program (ACEIP). Additional detail about ACEIP is available here: https://www.axon.com/aceip
Does data transmitted to/from Axon Cloud Services remain in my country or region?
By default, Axon Cloud Services are delivered over the public internet. Due to the nature of the public internet, Axon cannot guarantee that data transmitted remains in the Customer's selected region. However, all data transmitted to and from Axon Cloud Services is encrypted (more details on Axon's encryption protocols are located here).
If a Customer desires to not communicate with Axon Cloud Services over the public internet, Axon can support customers that leverage private connections from a Customer to Axon's underlying infrastructure provider in their region. Restrictions can be implemented within Axon Cloud Services to ensure data transfer only occurs over such connection. To further evaluate private connection options and considerations, please contact your Axon Sales Representative or Sales Engineer.
How would Axon handle a data breach or security incident?
Axon has implemented security monitoring and incident response policies and practices for Axon Cloud Services, including Evidence.com, which follow industry best practice standards. Incident Management policies and procedures are tested and meet Axon's comprehensive compliance program requirements including ISO/IEC 27001:2013, SOC 2+ Reporting, FedRAMP Moderate, and the U.S. FBI CJIS Security Policy. Learn more about Axon's approach to incident handling in the Axon Cloud Services Security Incident Handling and Response Statement.
How the EU’s Court of Justice decision in "Schrems II" on July 16, 2020 impacts Axon Customers.
To comply with EU data protection laws around international data transfer mechanisms, Axon self-certifies under the EU-US Privacy Shield framework. This framework was developed to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and the United Kingdom to the United States.
In addition, we offer European Union Model Clauses, also known as Standard Contractual Clauses (SCCs), as another appropriate mechanism for these types of transfers.
The EU’s Court of Justice decision in "Schrems II" on July 16, 2020, invalidated the EU-US Privacy Shield framework. Although this ruling invalidated the use of the EU-US Privacy Shield framework moving forward, we can still rely on other transfer mechanisms including the SCCs.
Most importantly, our EU and UK customers can continue to use our services in compliance with European Law. The court’s ruling does not change their services, as most of the data they provide to us (i.e. Customer Content - evidence data uploaded into Axon Cloud) are kept in the European Economic Area. There are some ancillary data, depending on the product used, which may be transferred from Axon’s EU entities to the United States. For these types of transfers, we will continue to ensure they remain compliant. For more detailed information on what types of data are considered Customer Content or what types of data may be transferred to the United States, please review our Axon Cloud Services Privacy Policy.
As an additional layer of protection, our agreements may have overlapping protections under both the Standard Contractual Clauses and the EU-US Privacy Shield framework.
Since each of our agreements is specific to each customer, we ask customers to review their agreement to determine if it relies on the EU-US Privacy Shield framework or the Standard Contractual Clauses or both. If it relies on the Standard Contractual Clauses or both, rest assured no update will be required to the agreement. If it only relies on the EU-US Privacy Shield framework, then we ask that they reach out to their Sales Manager/Customer Success Manager, who will work with each customer to execute the Standard Contractual Clauses, if necessary.
We will continue to monitor the evolution of international data transfer mechanisms under the GDPR & LED, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.