Citrix Secure Private Access

Data Governance

November 21, 2023

Contributed by:

This topic provides information regarding the collection, storage, and retention of logs by the Citrix Secure Private Access service. Any capitalized terms not defined in the Definitions sections carry the meaning specified in the Citrix End User Services Agreement.

Data residency

The Citrix Secure Private Access Service Customer Content data reside in the Amazon Web Services East region, and they are replicated to the following Azure regions for availability and redundancy:

East US
West US
Brazil South
Southeast Asia
North Europe
West Europe
Australia East
South India

The following are the different destinations for the service configuration and runtime logs.

Splunk service for system monitoring and debug logs, in the US location only.
Citrix Analytics Service for the diagnostics and user access logs, see Citrix Analytics Service Data Governance for more information.
Citrix Application Delivery Management Service for the aggregated user access logs, see Citrix ADM Data Governance for more information.
Citrix Cloud System Logs Service for admin audit logs, see the link below

For general information on Citrix Cloud Services, see Citrix Cloud Services Customer Content and Log Handling and Geographical Considerations.

Data collection

Citrix Secure Private Access Service allows the customer administrators to configure the service through the Admin UI, and the companion Connector Appliances through the console. The Customer Content collected are:

For Secure Private Access Service
- Customer private and SaaS applications
- FQDNs and URLs for web apps or both
- IP addresses/ranges, ports, and protocols
- The associated resource locations
- Single Sign-On parameters for Web and SaaS apps
User identifiers for app entitlements
Conditions for Adaptive Access policies
- User identity
- User/device geo location
- User/device network location, through Citrix Cloud network location configuration. For details, see Optimize connectivity to workspaces with Direct Workload Connection.
- User risk score
- Device type
For Connector Appliance Platform, see Connector Appliance for Cloud Services related to Secure Private Access.
- IP addresses or FQDNs
- Users, devices, and resource location identifiers
- Internal proxy configuration

For runtime logs collected by the service components, the key information consists of the following:

User name
User Object ID
User email address
User UPN
User group memberships
Client IP address and port
Destination FQDN/address and port
Client User-Agent
Application name
Application URL path
Application access time and duration
Request byte count
Response byte count
Web Filtering decision for unsanctioned applications
HTTP transaction ID

For the comprehensive list of data sent to Citrix Analytics Service, see Citrix Analytics Service Data Governance.

Data transmission

Citrix Secure Private Access sends logs to destinations protected by transport layer security.

Data control

Citrix Secure Private Access service does not currently provide options for the customer to turn off sending logs or to prevent Customer Content from being replicated globally.

Data retention

Based on the Citrix Cloud data retention policy, the customer configuration data are purged from the service 90 days after subscription has expired.

The log destinations maintain their service-specific data retention policy.

For details, see Data Governance for the retention policy for the Analytics logs.
For the events stored in Citrix Application Delivery Management, see Data governance.
The Splunk logs are archived and eventually removed after 90 days.

Data export

There are different data export options for different types of logs.

The admin audit logs are accessible from the Citrix Cloud System Log console.
The Secure Private Access Service diagnostics logs can be exported from the Citrix Analytics Service as a CSV file.
The Splunk logs are not for customers to consume. These events can also be exported from Splunk as a CSV file.

Definitions

Customer Content means any data uploaded to a customer account for storage or data in a customer environment to which Citrix is provided access to perform Services.
Log means a record of events related to the services, including records that measure performance, stability, usage, security, and support.
Services mean that the Citrix Cloud services outlined earlier for the purposes of Citrix Analytics.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Data Governance

November 21, 2023

Contributed by:

November 21, 2023

Contributed by:

Data Governance

Data residency

Data collection

Data transmission

Data control

Data retention

Data export

Definitions

In this article