Introduction
The HP Workforce Experience Platform (WXP) is a cloud-based enterprise solution that helps IT teams reduce digital friction, enhance security, and proactively resolve device issues. It provides centralized visibility and management of an organization’s PC fleet, such as desktops, laptops, and other connected assets, through a secure, scalable platform.
WXP analyzes near real-time telemetry data from devices and applications to identify issues, monitor health, and recommend remediation. IT administrators can view device status, define policies, generate reports, and initiate remote actions to support operational and security needs.
This document outlines WXP’s security and privacy architecture, focusing on managed PC devices. It explains how data is collected, transmitted, stored, and protected, and describes the platform’s compliance with data protection standards. The intended audience includes IT administrators, service providers, and security reviewers assessing the platform’s data handling practices.
WXP Experience Architecture
As a one-stop, cloud-based analytics platform for devices, data, and users, WXP incorporates industry-proven, service-level security across its architecture and development processes. Key services include:
Collecting and analyzing device telemetry across multiple operating systems
Enabling HP customers and managed service providers to generate reports and manage incidents
Integrating various third-party services through a software-as-a-service (SaaS) model
Users and Roles
The dashboard of WXP offers multiple types of users and roles, as shown in the following diagram.
Roles | Scope |
---|---|
Regional Admin | This account is used by a business operations administrator at HP to create new tenants for both direct customers and partners. Regional root administrator accounts are controlled and have access to manage and navigate direct customer and partner tenants. Typically, separate root admin accounts exist for each region. Currently, WXP operates in two AWS regional data centers:
|
Partners | Partner tenants may include partner admin, service specialist, and sales specialist roles. These tenants can access multiple customer accounts and manage devices, users, and daily operations on their behalf. In addition:
|
HP Support | An HP Support account can access multiple companies simultaneously and manage devices, users, and day-to-day operations on behalf of customers for troubleshooting purposes. These actions are managed by HP’s Business Operations team. There are two types of users under an HP Support account: support admins and support specialists. Support admins can create additional support admin or support specialist accounts. |
Company Owner | When a company is created, a default Company Owner is assigned by root administrators. By default, this user is also given the IT Admin role to manage users and devices within the company. Company Owners can manage users, handle device-related tasks, and access reports and other administrative functions based on their permissions. While Managed Service Providers (MSPs) manage users across multiple companies, Company Owners independently manage users within their own company. |
Company User | In WXP, a user is an individual within an enterprise company tenant who is assigned a role that allows them to take actions. Users can be created in the following ways:
|
IT Admin | The IT Admin role is assigned to users within customer or self-managed companies. It allows users to perform key administrative tasks such as managing users and devices. While similar in function to roles available to MSPs, IT Admin access is limited to their own company. |
Report Admin | By default, Company Owners have access to reports. Any company user can also be granted report access. The Report Admin role is read-only and allows users to view information from WXP reports. |
Connector Admin | This role enables secure, role-based management of integrations within WXP. It governs access to integration actions across all supported connectors and ensures that only authorized users can configure and manage integration widgets and connection settings. |
Key Capabilities
Connector Admins can perform the following actions within WXP:
Configure and manage integration widgets.
Connect and disconnect third-party integrations, including ServiceNow, Teams, Graph API, and more.
View and access associated integration documentation.
The following diagram provides a high-level overview of the Insights functionality and capabilities:
HP Workforce Experience Devices
WXP architecture is designed to help prevent attackers from gaining control of devices. Depending on hardware and operating systems, device software must be installed during the provisioning process.
To add devices, your company’s IT administrator or a Managed Service Provider (MSP) must securely enroll them in WXP using an assigned Company PIN. During enrollment, an asymmetric key exchange occurs between the server and the device. Each device generates a unique key pair when it is identified and then receives an access token that is valid for 24 hours. After this period, the device must send a signature to the server proving its identity in order to obtain a new access token.
With enterprise consent, enrolled devices upload telemetry data daily to the WXP analytics pipeline. Throughout the day, they also receive commands and control signals from WXP. All communications are protected by the access token mentioned above.
WXP for Microsoft Windows® uses the HTTPS/TLS 1.2 protocol over port 443 for all communications. It does not install certificates or modify the Windows Operating System Certificate Store.
HP Workforce Experience Platform
WXP is hosted in Amazon Web Services (AWS) in two different regions: the United States (AWS-OR) and the European Union (AWS-DE).
Depending on the country of registration, your company tenant is created in the corresponding regional data center. IT administrators access WXP through a web browser, which provides interfaces for device enrollment, authentication, and communication.
The next sections cover design decisions about security.
Identity Management
Currently, the supported identity providers (IdPs) are HP Common Identity System (HPID) and Microsoft Entra ID. For identity managed by HP Common Identity System, password quality is not configurable, and the password policy is set by the HP ID Signup Page. Passwords must contain at least eight characters and include three or more of the following criteria:
One uppercase letter
One lowercase letter
Numbers
Symbols or special characters
Identity managed by Microsoft Entra ID follows the policies set by the administrator of the Entra ID account. This includes, but is not limited to, multi-factor authentication and password complexity.
Session Management
There is no limit to the number of concurrent sessions a user can have. However, each session automatically ends after 30 minutes of inactivity. For devices, sessions expire every 24 hours and renew automatically. Authentication and authorization are implemented using the OAuth 2.0 protocol and managed through session-based mechanisms. This capability uses JSON Web Tokens (JWT). Each WXP microservice enforces JWT verification for signature validity and token expiration.
Authorization
In addition to JWT token verification, tenancy checks occur for all APIs. This ensures appropriate tenant data is passed to the caller. In addition, role checks occur for all critical operations.
For additional information, refer to the Users and Roles section.
Multi-Tenancy
WXP is a cloud-based, multi-tenant solution. Tenant data is logically separated using relational databases and enforced through tenancy entitlement checks. Each tenant is associated with a universally unique identifier (UUID), which ensures data isolation and traceability.
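The checks described under Session Management, Authorization and Multi-Tenancy, sketched as an added example (not HP's code): signature and expiration verification first, then a tenant UUID match, then a role check for a critical operation. HS256 with a shared key stands in for whatever signing scheme WXP uses, and the claim names `tenant_id` and `roles`, the role strings and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed sample values; none of them come from WXP.
KEY = b"constructed-demo-key"
TENANT_A = "11111111-1111-4111-8111-111111111111"
TENANT_B = "22222222-2222-4222-8222-222222222222"
NOW = 1_700_000_000


class AuthError(Exception):
    """The request must be rejected."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(claims, key):
    """Build an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_token(token, key, now=None):
    """Check signature validity and expiration, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm so the token cannot select "none" or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unsupported algorithm")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # parsed only after the MAC check
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise AuthError("token expired")
    return claims


def authorize(token, key, requested_tenant, required_role=None, now=None):
    """Token check, then tenancy check, then role check for critical operations."""
    claims = verify_token(token, key, now)
    try:
        token_tenant = uuid.UUID(str(claims.get("tenant_id")))
        wanted = uuid.UUID(str(requested_tenant))
    except ValueError:
        raise AuthError("invalid tenant id")
    # The tenant comes from the verified token, never from the request alone.
    if token_tenant != wanted:
        raise AuthError("tenant mismatch")
    if required_role is not None and required_role not in claims.get("roles", []):
        raise AuthError("missing role")
    return claims


def outcome(*args, **kwargs):
    try:
        authorize(*args, **kwargs)
        return "allowed"
    except AuthError as err:
        return str(err)


def demo():
    claims = {"sub": "it.admin@example.test", "tenant_id": TENANT_A,
              "roles": ["it_admin"], "exp": NOW + 1800}
    good = sign_token(claims, KEY)
    # Same header and signature, but a payload edited to name tenant B.
    head, _, sig = good.split(".")
    edited = b64url_encode(json.dumps(dict(claims, tenant_id=TENANT_B)).encode())
    return {
        "own tenant": outcome(good, KEY, TENANT_A, now=NOW),
        "other tenant": outcome(good, KEY, TENANT_B, now=NOW),
        "critical op without role": outcome(good, KEY, TENANT_A, "connector_admin", now=NOW),
        "after expiry": outcome(good, KEY, TENANT_A, now=NOW + 1800),
        "edited payload": outcome(f"{head}.{edited}.{sig}", KEY, TENANT_B, now=NOW),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```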
Data-at-Rest
Company information like devices, users, and related data is stored in an AWS Relational Database Service (RDS) MySQL database and a MongoDB data store. Both the AWS RDS MySQL database and MongoDB data stores are encrypted. Sensitive fields like keys and tokens are also encrypted using AWS Key Management Service (KMS). The master key is rotated following HP’s Cybersecurity Guidelines.
Data-in-Transit
All external communication to and from WXP uses the HTTPS/TLS 1.2 protocol. Services within the AWS Virtual Private Cloud (VPC) communicate using plaintext.
For additional information, refer to the Operational Security section.
Third-Party Integration
WXP integrates with various third-party services such as ServiceNow, Power BI, Tableau, and Entra ID. Server-to-server communication occurs over HTTPS using authentication methods provided by our partners’ systems.
For more information about third-party integration, contact an HP Service Expert.
User Interface (UI) Validation
UI field validation protects input fields in the WXP Agent. Validation is enforced based on data types (e.g., string, date/time, currency) and business rules (e.g., required or recommended fields). Fields may also be secured based on user roles and permitted operations (read/write). Additional validation can be applied through scripting functions.
HP Workforce Experience Analytics Platform
The WXP analytics platform is hosted on AWS and serves as the data processing backbone for WXP. Most components of the analytics platform are internal and not exposed to external access.
Data Collection
The analytics platform provides interfaces for securely uploading data from devices. It uses an authenticated API gateway to receive data. In this transport mode, connections, commands, and policies are neither sent to nor collected from devices—ensuring one-way communication from device to cloud.
Data-at-Rest
Unstructured data at rest is kept in AWS S3, while structured data is stored in AWS Redshift. Both structured and unstructured data are encrypted in the analytics platform.
HP Workforce Experience Operational Security
This section describes how WXP applies Service-Level Security to ensure security at various layers of communications.
Data Center
WXP is hosted by Amazon Web Services (AWS), more specifically Amazon Elastic Compute Cloud (Amazon EC2). Amazon EC2 provides scalable computing capacity in the AWS cloud. WXP maintains data centers in Oregon, United States (AWS-OR) and Frankfurt, Germany (AWS-DE). Data for customers located in European countries can be hosted in the German data center. Data for customers in all other countries can be hosted in the U.S. data center.
All data within a single customer “tenant” is hosted in a single data center, although customers who wish to have separate tenants in different data centers to host data for different business units may request this option. By using AWS, WXP leverages Amazon’s fifteen-plus years of experience delivering large-scale, global infrastructure in a reliable, secure fashion. For more information, please refer to the AWS information portal: http://aws.amazon.com/ec2/ .
At the physical layer, it is important to address the controls that are in place to secure facilities and the network. Customer and device data are stored in AWS data centers that are geographically distributed to provide redundancy. AWS is a recognized leader in cloud hosting. By partnering with AWS, WXP inherits a cloud infrastructure that has been architected to be one of the most flexible and secure cloud computing environments available today. Some of its key security characteristics include:
Designed for security
AWS’s cloud infrastructure is housed in AWS data centers which are designed to satisfy the requirements of the most security-sensitive customers.
The AWS infrastructure has been designed to provide high availability while putting in strong safeguards for customer privacy and data segregation.
Device, application, and location data transmitted to the U.S. Analytics Management Datacenter does not include usernames or email addresses. Instead, the data is associated with device serial numbers and system-generated identifiers, and is encrypted at rest in accordance with HP’s data protection standards.
All structured and unstructured data in WXP is encrypted at rest using AWS-native encryption mechanisms such as AWS KMS, consistent with HP’s Cybersecurity Guidelines.
Highly Automated
AWS purposefully builds most of its security tools to tailor them for AWS’s unique environment and scale requirements.
These security tools are built to provide maximum protection for data and applications. This means AWS security experts spend less time on routine tasks, making it possible to focus more on proactive measures that can increase the security of the AWS Cloud environment.
Highly Available
AWS builds its data centers in multiple geographic regions as well as across multiple Availability Zones within each region to offer maximum resiliency against system outages.
AWS designs its data centers with significant excess bandwidth connections so that, if a major disruption occurs, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Highly Accredited
Certifications mean that auditors have verified that specific security controls are in place and operating as intended.
You can view the applicable compliance reports by contacting an AWS account representative to help you meet specific government, industry, and company security standards and regulations.
AWS provides certification reports that describe how the AWS Cloud infrastructure meets the requirements of an extensive list of global security standards, including: ISO 27001, SOC, the Payment Card Industry (PCI) Data Security Standard, FedRAMP, the Australian Signals Directorate (ASD) Information Security Manual, and the Singapore Multi-Tier Cloud Security Standard (MTCS SS 584).
For more information about the security regulations and standards with which AWS complies, see the AWS Compliance webpage.
For detailed information on physical and environmental security, AWS access and network security, please check: AWS Best Practices for Security, Identity & Compliance.
Network
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which enforces the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS’s ACL-Management tool, to help ensure that these managed interfaces enforce the most up-to-date ACLs.
Security Enhanced Access Points
AWS has strategically placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS), which secures communication sessions with storage or compute instances within AWS. In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet service providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network. Each connection has dedicated network devices.
Application, Host & Administrator Security
At the logical layer, various controls are used to secure the host systems, the applications running on those systems, and for administrators who manage the host systems and associated applications.
IT administrators’ access to WXP and customer data is limited and strictly managed. Only those individuals essential to performing a task are permitted access provided they meet the appropriate background checks and account management requirements.
Data Security
Data exchanged with WXP uses the AWS implementation of Transport Layer Security (TLS) v1.2, the newest form of the industry-standard Secure Sockets Layer (SSL) protocol. TLS helps to secure data at several levels, providing server authentication, data encryption, and data integrity. Because TLS is implemented beneath the application layer, it is a passive security mechanism that does not rely on additional steps or procedures from the user. Applications are better protected from attackers even if users have little or no knowledge of secure communications.
These features help secure data from incidental corruption and from malicious attacks and are intended to avoid common web-based threats. In addition to the SSL encryption for network communication between clients and servers, HP encrypts logs and data-at-rest that is saved in our server databases.
WXP devices must have the operating systems and device software outlined in the system requirements. While HP Service Experts can help enforce security policies on devices based on administrative settings, there are no additional security requirements for deploying the WXP software on devices. Login credentials, such as the employee’s email address and password, are only required when accessing WXP.
Independent Verification
Two different threat intelligence modeling techniques are performed on WXP:
WXP undergoes threat intelligence modeling for all new functionalities being released and periodically for all minor enhancements to existing functionality. Before beginning the software development of new features, WXP also undergoes a security architecture review by HP Cyber Security.
Sample of Security Tests Conducted:
On WXP:
Cross-site scripting
Phishing attacks
Authentication token stealing
Input fuzzing
Email spoofing
SQL injection
Cross-site request forgery (CSRF)
Other common web vulnerabilities
On WXP cloud service and the analytics infrastructure (including microservices):
Interface testing for authentication and authorization
Changing the tenant IDs to make sure appropriate data goes to only authorized users
SQL injection
Remote code injection
DoS attacks
Input fuzzing
On WXP across operating systems, such as Windows, Android, and Mac:
Installation source and application integrity
Privilege escalation
MITM attacks
Input fuzzing
Command verification with data integrity checks
Certificate store poisoning
Broken authentication
Security configuration, etc.
The WXP development team follows a secure software development process. It includes security reviews in addition to regular architecture and code reviews that focus on security, threat modelling, and analysis. Additionally, the WXP team performs regular infrastructure scanning and mitigation through tools like Nessus agent. All of these are independently audited by Coalfire when granting WXP the ISO 27001 certification.
HP Compliance and Security Frameworks
WXP demonstrates HP’s commitment to customers by implementing a robust and accredited information security and risk management program. At the core of all security compliance frameworks is the protection of customer data, which customers entrust to HP. As part of its strategic direction, WXP ensures the implementation of appropriate procedures and security tools to safeguard this data.
Through globally recognized industry accreditations, all customer data, including proprietary, operational, general, and personal information, is rigorously reviewed to confirm that WXP's security controls align with established compliance frameworks.
ISO 27001:2022 Certification
Security of information systems and business-critical information require constant measurement and management. ISO 27001:2022 certification, issued by independent auditor Coalfire, is verification of HP’s commitment to deliver operational continuity and data protection.
The International Organization for Standardization (ISO) is responsible for the development of several internationally recognized standards for products, services, and systems. The ISO 27001:2022 certification is awarded upon the completion of an external audit by an accredited certification body and is asset-based (information, processes, people and technology). HP has achieved ISO certification across the Remote Monitoring and Management Services environment, for both Managed Print and Personal Systems Services.
ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) within the context of an organization. An ISMS is a systematic approach to managing sensitive company information so that information remains secure in accordance with the principles of confidentiality, integrity and availability. The approach encompasses people, processes, and IT systems, and consists of several supporting documents and guidelines defining the implementation and certification path.
The ISO 27001:2022 certification covers the following:
Information security policies
Operations security
Organization of information security
Communications security
Human resources security
System acquisition, development, and maintenance
Asset management
Supplier relationships
Access control
Information security incident management
Cryptography
Information security aspects of business continuity management
Physical and environmental security
Compliance
HP has extended the ISO certification to include:
ISO 27701:2019 (Privacy Information Management Systems PIMS)
ISO 27017:2015 (Cloud Services Information Security Controls)
ISO 27701:2019 Certification
Customers and partners using WXP for continuous monitoring seek assurance that their data is protected when using a cloud service provider. ISO 27017:2015 defines industry-recognized standards for information security controls specifically for cloud service customers and providers.
SOC 2 Type 2
A SOC 2 attestation provides customers the assurance of knowing that WXP follows globally recognized standards for security, confidentiality, privacy and availability. SOC 2 provides customers and partners verification of how HP manages, stores, and processes clients’ private data on a repeatable and continuous basis. Customers are demanding additional frameworks to support their tolerance for risk. HP began pursuing yearly SOC 2 attestation to continue improving for the future and to meet customer demand.
HP Secure Software Development Lifecycle (SSDL)
Industry approaches to application security have typically been reactive and have failed to apply lessons from the quality field. The two prevalent approaches are:
Bury head in the sand: This is characterised by reactive security patching. This approach relies on common vulnerabilities and exposures (CVEs) with little work to avoid or minimize vulnerability introduction. This is most often seen in industry segments with a minimal security-relevant regulatory burden.
Test security in: This is noticeable by the lack of resiliency designed into applications. Instead, effort is applied to find and fix vulnerabilities during testing in combination with security patching. This approach appears more commonly in the public sector, security regulated industries, and healthcare. These segments must show compliance with regulations including the United States’ Federal Information Security Management Act (FISMA), the Payment Card Industry Data Security Standard (PCI-DSS), the Health Information Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health (HITECH). However, security as a quality attribute needs to be applied at every stage of the lifecycle in the same way the quality field learned a half-century ago.
Key tenets include the following:
Quality cannot be tested in; it must be designed and built in, and then tested.
Security defects and vulnerabilities must be found sooner rather than later in the lifecycle in the interest of costs.
HP takes software security very seriously, and HP has adopted a Secure Software Development Lifecycle (SSDL). Several goals are tied to the SSDL process, including the following:
Reduce the cyberattack surface via secure software architecture
Minimize code-induced vulnerabilities
Protect the privacy and security of customer data and identities
HP includes specific security-related procedures in its SSDL processes, performs milestone reviews to ensure security processes are successfully completed, and delivers ongoing security training to its software architects, developers, test engineers, program managers, and their leadership teams.
The seven stages in the SSDL process are defined below:
Training (Stage 1) – Formal courses covering the SSDL process, security enhanced design, threat modeling, and secure coding.
Requirements (Stage 2) – Planning for security at the very start of software projects, including feature-by-feature security risk assessments.
Design (Stage 3) – Defining and documenting the security architecture; identifying critical security components.
Implementation (Stage 4) – Executing the designed protection scheme and the mitigation approach, along with peer code reviews and validations.
Verification (Stage 5) – Performing dynamic code analysis, fuzz testing (fuzzing), and attack surface reviews.
Release (Stage 6) – Verifying SSDL requirements have been met and no known vulnerabilities exist.
Response (Stage 7) – Executing the response tasks outlined during the Release stage.
Data Collection
The types of data collected by WXP are either provided directly by customers or collected automatically from the cloud-based WXP. Data from devices is collected using WXP Agents installed on the devices. WXP collects the following data to execute contract services:
Purpose of Data Collection | Data Collected | Description of Data Collected |
---|---|---|
Account management | Account data | Information related to customer purchases or sign-up for WXP services, support history with respect to incidents generated by WXP, and anything else relating to the WXP account to perform transaction services like account management. |
Ensure WXP and services work properly | Application data | Includes version number, installation status, and update history of the WXP Agent on each managed device. |
Account setup, identity management and entitlement validation | Contact data | Personal and/or business contact data, including first name, last name, mailing address, telephone number, fax number, email address, and other similar contact details used for WXP customer account setup and validation, service entitlement, and email notifications related to incidents and services. |
Deliver proactive IT service maintenance and management, and customer-centric reports/dashboards | Device data | Basic device information, such as device name, operating system, amount of memory, device type, disk size, region setting, language setting, time zone setting, model number, initial start date, age of device, device manufactured date, browser version, device manufacturer, warranty status, unique device identifiers, and additional technical information that varies by model.
Hardware information, such as BIOS, display, GPU, storage, system slots, memory, real time clock, system’s hardware utilization data (CPU, GPU, memory, and disk I/O), drivers, thermal, fan, PnP devices, RPOS peripherals, HP Sure Recover settings, HP diagnostics test, docking station (HP only), peripheral connected to docking station, battery health, power configuration and state, system sleep diagnostics, primary/external disk attribution, disk utilization, Intel platform service record (requires Intel vPro), system power consumption, system power consumption by PCM (requires HP business PC G11 or later), Intel SoC margin on memory (only HP business PC G12 or later), and laptop’s keyboard health (only HP business PC G12 or later).
Software applications installed on device, such as the list of installed applications, running time of applications, application errors, hardware utilization data by application (CPU and memory).
Web applications on browsers, such as the number of page visits, page load time, and page load error of only the URLs preconfigured on the Settings page of WXP. By default, data collection for web applications is disabled, but it can be enabled on the WXP > Settings page. WXP does not scan or collect content from web applications on browsers.
Operating system generated information for device, such as OS events, missing Windows updates, process & service monitoring, startup/sleep/hibernate/shutdown time, device usage time, device log-on time, full boot up and fast boot up time, last restarted date, and system crash – blue screen crash on Windows OS. Note: By default, crash dump collection for system crashes is disabled, but it can be enabled on the WXP settings page.
Network information, such as network interface, MAC address, IP address, SSID, signal strength, connection speed, network authentication settings, network errors, network consumption, network utilization, packet loss, jitter, and latency by process, and network connections and disconnections.
Security information, such as Trusted Platform Module (TPM), antivirus status, firewall status, BitLocker encryption status, and Secure Boot status.
User information of the customer’s users enrolling their devices in WXP, such as last signed-in user information and Active Directory joined user’s information.
Device location information such as live geolocation of device and asset location (set by users to indicate where the device belongs). Note: By default, data collection for device location is disabled, but it can be enabled on the WXP settings page. |
Authentication and authorization of user access to accounts and services that use HP | Security credentials | User passwords, password hints, and similar security information required for authentication to authorize users for access to WXP cloud-based portal accounts and services (only if using HP ID). |
Data Groupings
Device data collected by WXP may include the following groupings:
Data Group | Description |
---|---|
Hardware | Including battery, BIOS, disk, display/monitor, graphics, inventory, memory, network interface, Plug and Play (PnP), processor, system clock, system slots, thermal and system performance data. |
Software applications | Including compliance, errors, inventory, performance, utilization and web application utilization data. |
Security | Including non-reporting devices, operating system patch discovery/management, device location, device alarm, lock and wipe, security policy setting, security policy enforcement, security threats, storage encryption, user security settings, Wi-Fi provisioning, and Windows Information Protection violations data. |
Windows Event Logs | Windows event logs provide a detailed record of system, security and application notifications stored by the Windows operating system that is used by administrators to diagnose system problems and predict future issues. |
HP Warranty and Care Packs | HP Care Packs are extended warranties for your HP computer or printer that cover products after the standard warranty has expired. |
User data collected by WXP includes:
User e-mail address
Last logged on user account
WXP does not collect the following types of data:
Demographic information (with the exception of country or language preferences)
Financial account information, credit or debit card numbers, credit records, or payment data
Social media
Government-issued identifier such as social security, social insurance number, or Government ID
Health information
Sensitive data such as ethnic origin, political beliefs, trade union membership, health data, sexual orientation, and genetic data
Data Privacy
HP has a long-standing history of industry leadership in privacy and data protection. Together, with our robust portfolio of products and services, we support our customers' and partners' efforts in protecting personal data. With respect to WXP analytics, HP acts as a Data Processor. Please refer to the Data Processor section on HP Privacy Central. As a global company, it is possible that any information you provide may be transferred to or accessed by HP entities worldwide in accordance with the HP Privacy Statement and based on the International Privacy Programs listed in the International Data Transfers section.
Data privacy is governed by the HP Privacy Policy for countries worldwide. This policy is updated periodically and covers the following topics:
Our Privacy Principles
International Data Transfers (including EU-US Privacy Shield info.)
How We Use Data
What Data We Collect
Children's Privacy
How We Retain and Keep Your Data Secure
How We Share Data
HP Communications
Exercising Your Rights and Contacting Us
Changes to Our Privacy Statement
Data Retention
Data retention is an important piece of any compliance program and necessary to fulfill proper stewardship of data. HP’s data retention policy incorporates the following data retention best practices:
Maintaining data for shorter than necessary periods can violate contractual or legal requirements or affect security.
Maintaining data for longer than necessary periods can violate privacy regulations and is a top customer concern and sales inquiry.
Once data is deleted, there is no obligation to provide it to the customer or law enforcement.
All data in the U.S. and German regional data centers is deleted permanently within thirty days after customer inactivation from WXP.
Data in the U.S. Analytics data center is deleted permanently after two years from the date of data creation or within thirty days after customer inactivation from WXP for both structured and unstructured storage. Because the WXP application’s analytics package is a single package shared across many HP applications, the data in the U.S. Analytics data center is not deleted permanently if a customer is inactivated from WXP, since the same customer may be enrolled in other HP applications; it is deleted only after three years from the date of data creation.
Note: Telemetry data transmitted to the U.S. Analytics data center is linked to device serial numbers and system-generated IDs. This data is encrypted at rest and handled in accordance with HP’s data protection and security standards.
Data storage
Data storage for WXP is limited to the user and device information of paying subscribers.
All databases in the U.S. and German regional datacenters that store personal data are encrypted.
All databases in the U.S. Identity management datacenters that store personal data are encrypted.
All databases and unstructured storage in the U.S. Analytics datacenter are encrypted.
The following data types are transmitted and stored in the different data centers:
Data Category | U.S. Regional Data Center [1] | German Regional Data Center [2] | U.S. Analytics Data Center [3] | U.S. Identity Management Data Center [3] |
---|---|---|---|---|
Account data | Yes | Yes | No | No |
Application data | Yes | Yes | Yes | No |
Contact data | Yes | Yes | No | Yes (if using HP ID) |
Device data | Yes | Yes | Yes | No |
Location data | Yes | Yes | Yes | No |
Security credentials data | No | No | No | Yes (if using HP ID) |
[1] For non-European-based customers
[2] For European-based customers
[3] For all customers
Service Monitoring and Reporting
WXP provides service updates regularly to deliver the latest features and updates to customers. WXP also notifies customers through various methods of scheduled or unscheduled updates and changes to the service. For planned service interrupting events such as service maintenance, customers are notified eight hours in advance.
To deliver optimal service, HP conducts ongoing service monitoring and reporting.
Service Monitoring
WXP and the agent are monitored on a 24x7x365 basis for reliability and performance. In addition, network performance and availability monitoring occurs on a continuous basis. All the monitoring tools route any issues, warnings, and problems directly to service engineers. Exceptions are automatically raised to an internal ticketing system as high-priority work items requiring acknowledgement.
If a threshold is exceeded, the following automatic escalation process occurs:
An email alert is sent to the corresponding on-call support engineer
A push notification is sent to the mobile device of the on-call engineer
An email is sent to the Operation Team distribution list
WXP utilizes different monitoring tools including:
New Relic: Monitors various components of the system and, more importantly, helps identify and debug bottlenecks when they appear. Most of the applications/services have been instrumented for Splunk, thereby providing continuous data collection and near real-time performance metrics.
Amazon CloudWatch: Monitors for events related to provisioning, service failures, and threshold attainment (such as memory consumption). Incidents are reviewed and categorized to identify the most significant problem areas. Based on the priority, actions are taken immediately or scheduled to be taken up for later development. A post-mortem quality-of-service (QoS) meeting is held to review findings, identify root causes, and implement changes for improvement.
Conclusion
HP recognizes that the threat landscape changes rapidly. The evolution of cyberattacks began with file deletion and website defacement in the late 1990s, then moved into the monetization stage with stolen credentials and ransomware. Most recently, attacks are being waged by nation-states that are extremely well funded and intent on bringing down power grids and rendering tens of thousands of computers and mobile devices inoperable.
Addressing these risks is a mission HP embarked on more than forty years ago. HP’s legacy of innovation in security threat detection and protection, along with ongoing security-focused investments, informs the design of applications such as WXP. The result is a secure, cloud-based IT management solution built on an integrated security platform that spans the application, physical data center, and end-user access.
With built-in security features, WXP, available through HP Proactive Insights, HP Active Care, and other services powered by WXP, offers organizations a trusted tool to simplify the daily management of devices, data, and users through multiple robust layers of security.