Privacy & Security FAQ

Looking to understand how LogMeIn approaches privacy and security? Here are answers to some of our most frequently asked questions:

Q) What security certifications do you have?
A) LogMeIn maintains robust security and privacy certifications, which you can learn more about on our security page here. However, they do vary from product to product. If you are looking for a certification tied to a specific product, you can find out more on our product resources page.

Q) How do I request a copy of your SOC3 report?
A) We're happy to share - please visit our security page.

Q) Is LogMeIn compliant with GDPR?
A) Yes. As a global Software-as-a-Service provider, we have many customers and users subject to the GDPR, which means that its applicable requirements apply equally to us. To find out more about how LogMeIn meets GDPR and other privacy requirements, please visit the privacy page.

Q) I've read of ‘data controllers’ and ‘data processors’. What’s the difference and which one is LogMeIn?
A) To paraphrase the formal GDPR text: (a) a Data Controller is the owner of their information and decides how that information should be used; and (b) a Data Processor is a person or entity who processes the personal data of the Data Controller and carries out instructions of the Controller regarding this data.

Generally speaking, our customers will be the Controllers of their Content (as the term is defined in our Terms of Service), including any associated personal information they place or generate in our systems, and LogMeIn will be the Processor on their behalf. In some limited and disclosed instances, such as when we collect data from a customer to create an account, LogMeIn will be the Controller. Formal definitions from the GDPR full text can be found here.

Q) Does the GDPR stop a company from storing information outside of the EU?
A) No. There is nothing in the current GDPR regulation that prevents or suggests this requirement. The GDPR does outline that Data Processors must protect personal data appropriately, regardless of where it is stored. Further, the GDPR does not invalidate or override the EU Model Clauses (which are part of LogMeIn's GDPR-compliant DPA) or the EU-U.S. Privacy Shield Framework, which are both valid mechanisms to ensure the legal transfer of personal data into and out of the EU.

Q) Where do you store my information?
A) Customer Content storage locations (and geo-residency functionality) will vary from product to product. To find out more about your specific product, please consult the Sub-processor Disclosures available on the applicable product resources page. We strongly encourage you to review our Security and Privacy Organizational Controls, located in the LogMeIn Trust Center, to find out more about specific product features such as data residency.

Note that while GDPR does require certain safeguards and principles be considered when handling personal data, there is no requirement for EEA data or EU data to be stored solely in Europe. Please consult the privacy pages of our Trust Center for further details on how LogMeIn maintains appropriate personal data transfer mechanisms, such as the EU-U.S. and Swiss Privacy Shield.

Q) How can I delete my data from your servers?
A) Many of our products offer self-service options for Content deletion. Our global hosted offerings have defined retention periods after which Content and relevant account information are generally removed following account cancellation, termination/expiration, or, for free products, after inactivity. Please check the relevant Security and Privacy Organizational Controls document, found on the LogMeIn Trust Center, for specific details for each of our global offerings. To the extent self-service is not offered, please contact our Support team for assistance.

Q) How can I receive confirmation that my data has been deleted?
A) We encourage you to check for self-service deletion capabilities, which is the quickest way to ensure your data has been deleted. If your product does not offer self-service capabilities and you have sent a request for account deletion to our Support team, you will receive confirmation once that deletion has occurred. Otherwise, deletion will occur per our standard retention periods. Please check the relevant Security and Privacy Organizational Controls document, found on the LogMeIn Trust Center, for more details.

Q) Is a new GDPR-compliant version of my product available?
A) If you are using the current version of our hosted products, GDPR-related changes have already been made available. As a general best practice, checking regularly for updates (or enabling auto-updating, where available) to the extent that there are components or executables on your machine (e.g. LastPass browser extensions) will ensure that you are using the most up-to-date versions of our software.

Q) How long is my data saved?
A) LogMeIn's global hosted product offerings have built-in data retention and deletion periods, and some products offer self-service deletion capabilities. Please check the product-specific Security and Privacy Organizational Controls document, found on the LogMeIn Privacy Page, for more details. As always, you may also request content and account deletion at any time.

Q) Do you offer a data processing agreement?
A) Yes! While May 25, 2018, the “in-force” date of the General Data Protection Regulation (GDPR), was a significant event in data privacy history, the privacy of our customers, users, and end-users was and continues to be a top priority for LogMeIn. In addition to a robust Terms of Service and a Privacy Policy designed to take applicable regulatory requirements and industry standard practices into account, LogMeIn is pleased to offer a comprehensive, global Data Processing Addendum (DPA) to meet the requirements for GDPR and beyond.  The DPA incorporates industry standard privacy and regulatory terms to meet comprehensive data privacy requirements for our global customers, including those required by GDPR: (a) under Article 28 (details of data processing, sub-processor disclosures, etc.); (b) to permit lawful transfer under Chapter 5 of the GDPR through execution of EU Standard Contractual Clauses (also known as the EU Model Clauses) and/or utilization of LogMeIn’s EU-U.S. and Swiss Privacy Shield certification; and (c) LogMeIn's technical and organizational measures.

Q) Where do you store data in the event of a failover?
A) LogMeIn utilizes multiple co-location facilities to ensure optimal service availability and reliability. For global services utilizing co-location facilities, active-active redundant data centers are typically used within the same geographic region. For specific products, geo-residency functionality may be offered. To learn more, please check the product-specific Security and Privacy Organizational Controls, found on the LogMeIn Trust Center.

Q) Where can I find "Details of Data Processing" and/or Article 28(3) Disclosures?
A) Please consult Page 8 of the LogMeIn Data Processing Addendum for more information on the subject matter, duration, nature, and purpose of processing, as well as the type of personal data and categories of data subjects.

Q) How can I receive updates regarding my product's sub-processors?
A) To meet Article 28 of GDPR, as well as other applicable data privacy and security requirements, we offer our users the ability to receive notice of sub-processor updates via e-mail. To receive sub-processor updates, please subscribe here. To find out more about how we meet our GDPR sub-processor and other applicable privacy requirements, please refer to our Data Processing Addendum.

NOTE: The above information is provided by LogMeIn for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any security, privacy or compliance questions, issues or problems.