Strict laws and regulation apply to the collection, handling and protection of individuals’ data. VMware protects customer to the standards required by applicable data protection laws worldwide.
vCloud Air provides "black box" services. While VMware provides the physical infrastructure, including servers, storage devices, and networking equipment to host workloads and content, the customer is in control of its data. VMware has no visibility of, or access to, customer content except by permission or by legal obligation.
This means that you keep control over your content at all times, and can rest assured that the VMware infrastructure on which your applications run is protected by best-in-class security measures. For your added security, you can choose to encrypt or hash any content you upload onto our infrastructure, making it inaccessible to anyone but you.
VMware customers in the European Economic Area (EEA) and Switzerland are subject to strict rules governing international data transfer which mandate that personal data sent outside of the EEA and Switzerland will remain adequately protected to the standards required by European and Swiss laws.
Historically, VMware provided customers with the assurance that their data would continue to be protected through our participation in the US-EU and US-Swiss Safe Harbor frameworks. While VMware continues to certify and comply with these regimes, the European Court has recently discredited the assurance offered by these mechanisms.
VMware is taking the European Court of Justice’s decision to invalidate the US/EU Safe Harbor program very seriously. Your personal data is still protected in accordance with EU data privacy laws and regulations. VMware recognized the potential for this development and has prepared alternative arrangements.
VMware policy on responding to law enforcement and government data requests is clear: VMware does not disclose any customer content stored on VMware infrastructure without the customer’s consent except where we are under a compelling legal obligation (e.g. a court order) to do so.
Keep in mind that VMware operates on a "black box" basis, as described in "How VMware Protects Your Data". VMware personnel have no knowledge of the content that customers store on vCloud Air infrastructure. VMware directs such requests to the customer to respond. Further, where customers choose to encrypt or hash content on our infrastructure, VMware has no means to identify and disclose that content.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 are US laws applicable to healthcare entities with access to patient information. VMware has completed an independent third-party examination of vCloud Air against applicable controls of HIPAA/HITECH. To help vCloud Air customers comply with HIPAA and HITECH, VMware offers a Business Associate Agreement (BAA) to interested customers using our US-based data centers. Customers interested in our HIPAA examination or BAA should contact their VMware representative for details.