Metallic meets the confidentiality, integrity, and availability standards set by government agencies and enterprises. For more information on Metallic’s best-in-class security and compliance program, please visit our Metallic Trust Center. Any terms not defined have the same definition ascribed to them in the Terms of Service.
Revised January 4, 2022
1. Regulatory Compliance
Commvault’s Customers know their data! As such, our Customers are in the best position to ensure compliance with all laws and regulations governing Customer Data, including without limitation, obtaining consents from, and providing disclosures to, data subjects and end users with respect to data security and privacy. Commvault represents and warrants that the SaaS Solutions are compliant with (i) the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), including the processing of Protected Health Information as defined by HIPAA; (ii) the California Consumer Privacy Act of 2018, as amended (“CCPA”), including the processing of personal information as defined by the CCPA, (iii) the European Union’s General Data Protection Regulation and (iv) FedRAMP High Ready status.
2. Security Compliance
2.1 Security Measures. Commvault has implemented and will maintain a security program that leverages a combination of the ISO/IEC 27000-series of control standards, NIST 800-30/CSF, and Information Security Forum ISF best practices. Commvault represents and warrants that the SaaS Solution is compliant with CJIS controls, FIPS 1401-2, SOC 2 Type II and PCI. Commvault regularly tests, assesses and evaluates the effectiveness of its technical and organizational measures set forth below and performs annual penetration and security incident response testing on the SaaS Solution. Commvault partners with Microsoft Azure for hosted storage. Microsoft Azure maintains the technical and organizational measures set forth here.
2.2 Physical Security. Commvault’s web applications, communications, and database servers are located in secure facilities with security measures including but not limited to: (i) access authorization and documentation for employees and third parties, (ii) regulation and restriction of physical and digital access credentials, (iii) maintaining electronically-locked doors and separate cages within facilities (e.g., production and development), (iv) logging, monitoring, and tracking access to all facilities with electronic and CCTV video surveillance by personnel, and (v) protecting all facilities with security alarm systems and user-related authentication procedures, including biometric authentication in some instances, and electronic access cards.
2.3 Technical Security. Commvault has implemented measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. For our security and yours, we do not list these technical security measures publicly. For specific details, please contact us at SOC@commvault.com.
2.4 Organizational Security. Commvault has implemented organizational measures that limit employees’ access to data based on the scope of their roles and responsibilities and respective access permissions and authorizations. For our security we do not list these organizational security measures publicly. For specific details, please contact us at SOC@commvault.com.
2.5 Encryption. The SaaS Solution uses firewalls, zero-trust access controls, and encryption algorithms and keys to protect Customer Data, both in transit and at rest, and web-based access to account management interfaces by Commvault employees. Commvault uses end-to-end encryption of screen sharing for remote access, support, and real time communication. Integrity checks are conducted to monitor the completeness and correctness of the transfer of Customer Data.
2.6 Personal Data. Commvault has implemented an authorization policy for the input of personal data into memory, as well as the reading, alteration, and deletion of stored personal data including documentation and logging of material changes to account data and settings; segregation and protection of all stored personal data via database schemas, logical access controls and encryption; utilization of user identification credentials; physical security of data processing facilities; and session time outs.
2.7 Restricted Access. Commvault restricts access to Customer Data by individual appointment of system administrators; registration of access logs to the infrastructure securely retained; regular audits of system activity to assess compliance with assigned tasks, data controller’s instructions, and applicable laws, and maintenance of system administrators’ identification details (e.g. name, surname, function or organizational area) and responsibilities.
2.8. Business Continuity & Disaster Recovery Plan. Commvault has implemented measures to ensure Customer Data is protected from accidental destruction or loss by creating a business continuity and disaster recovery plan, maintaining global and redundant infrastructure, rapid failover capability, and full capacity disaster recovery sites and testing of disaster recovery centers.
2.9. Security Notification. Unless otherwise required by law, regulation or law enforcement, Commvault agrees to notify Customer of any Security Breach of Customer Data within seventy-two (72) hours following Commvault’s discovery thereof. “Security Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to unencrypted personal data.