Frequently Asked Questions
Trust Center
For more information related to VMware Cloud Trust Center, we encourage you to reach out to your VMware Sales Representative. Your representative will be able to obtain the information to best support your request.
Privacy
“Your Content” or “Customer Content” is any content you, as a customer, upload into a Service Offering as further defined in your agreement with VMware (e.g. VMware Terms of Service). This includes all text, sound, video, or image files, and software (including machine images), or other information that you or any of your end users upload into the Service Offering for processing, storage, or hosting in connection with your account with us. For example, Customer Content includes data that you or your end users store in Workspace ONE. Importantly, your account information, including names, usernames, phone numbers, and billing information associated with your account, is not included in the definition of “Customer Content”, nor any information we collect in connection with your use of our Service Offerings. Rather, VMware will handle that information in accordance with our Privacy Notice.
You always retain ownership of your Customer Content. You determine which VMware Service Offerings you would like to use in processing, storing, and hosting Customer Content, and what information you upload into the Service Offering as Customer Content. Also, we will not access or use your Customer Content for any purpose except as necessary to provide the Service Offering to you and as set forth and permitted in our VMware Terms of Service with you. Lastly, we do not use Customer Content for marketing or advertising.
VMware makes the following contractual commitments regarding how it will handle subpoenas, court orders, agency actions or other legal or regulatory requirements to disclose any customer's Content, as set forth in the "Required Disclosure" section of the Terms of Service:
Where customer notification is not legally prohibited, VMware will:
- Notify the Customer: Notify its customers of any demand for disclosure of customer's content.
- Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer's behalf and all requests for access to customer's content should be directed in writing to the contact person the customer has identified to us, or the customer's legal department.
- Limit Access: Only provide access to customer's content with the customer's authorization. If the customer requests, we will, at the customer's expense, take reasonable steps to contest any demand.
In the event VMware is legally prohibited from notifying the customer, VMware will:
- Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding.
- Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with the applicable law.
- Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.
VMware is committed to protecting its customers’ Content while complying with applicable law, and accordingly, VMware has made commitments in its VMware Terms of Service (Required Disclosures) and Binding Corporate Rules (BCRs) Processor Policy regarding how VMware will respond to government access requests, as further detailed below. VMware has prepared VMware’s Principles for Handling Government Requests to Access Customer Content to assist customers in further understanding VMware’s commitments and processes for handling government access requests, including commitments set forth in VMware’s BCRs.
VMware specifically makes the following contractual commitments regarding how it will handle government access requests, as set forth in the “Required Disclosure” section of the VMware Terms of Service:
Where customer notification is not legally prohibited, VMware will:
- Notify the Customer: Notify its customers of any demand for disclosure of customer’s content.
- Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer’s behalf and all requests for access to customer’s content should be directed in writing to the contact person the customer has identified to us, or the customer’s legal department.
- Limit Access: Only provide access to customer’s content with the customer’s authorization. If the customer requests, we will, at the customer’s expense, take reasonable steps to contest any demand.
In the event VMware is legally prohibited from notifying the customer, VMware will:
- Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding.
- Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with applicable law.
- Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.
In no event will VMware disclose any Personal Data in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.
Further, following the decision of the European Union Court of Justice (ECJ) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II), VMware has prepared the VMware Statement regarding application of FISA Section 702 and Executive Order 12333 in view of Schrems II to address concerns about U.S. intelligence agencies having access to data transiting from the EU to the U.S. and to assist customers in understanding the likely application of two U.S. authorities: Executive Order (EO) 12333 and the Foreign Intelligence Surveillance Act (FISA) Section 702. VMware strongly believes there is a low likelihood that it would be subject to Section 702 or EO 12333 in relation to its provision of the service offerings given the nature of the services it provides.
VMware is a global company and is subject to global laws. The list of countries where Personal Data contained in Customer Content is processed in relation to a specific Service Offering is set forth in the applicable Sub-processor list(s), identified here. VMware is not aware of any applicable law that would impinge on its ability to comply with its commitments relating to government access requests and required disclosures as set forth in the VMware Terms of Service.
In connection with the provision of VMware services to a customer, VMware may transfer Personal Data included in Customer Content (as such terms are defined in the VMware Data Processing Addendum) from the European Economic Area ("EEA"), Switzerland and UK to third countries in its capacity as a processor. The General Data Protection Regulation ("GDPR") has been incorporated into the UK's domestic legislation, and therefore the data transfer mechanism permitted under the GDPR for transfers of personal data outside the EEA will also apply to transfers from the UK. Regarding Switzerland, the Federal Act on Data Protection ("FADP") follows a similar framework as the GDPR and therefore, the same data transfer mechanisms apply to transfers from Switzerland (with the necessary amendments to account for any differences).
Recipients or importers of customer's Personal Data include the entities in the VMware Group and select third-party vendors we engage who process Personal Data on our behalf to provide our services (“Sub-Processors”). A list of the entities in the VMware Group and Sub-Processors we use to process our customers’ Personal Data in connection with our service offerings and customer support, along with details of their location, is available here.
Intra-Group Transfers: Whenever VMware, acting as a processor, shares Personal Data originating in the EEA, it will do so on the basis of its Irish Data Protection Commissioner and peer approved binding corporate rules known as the VMware Binding Corporate Rules ("VMware's EEA BCRs") which establish adequate protection of such Personal Data and are legally binding on the VMware Group.
VMware's BCRs were approved by the European Data Protection Authorities on May 23, 2018. You can review confirmation that this review has now been completed here. For additional information on VMware’s Binding Corporate Rules and to access VMware's EEA BCRs Processor Policy, see VMware's Processor Binding Corporate Rules. To see a listing of the VMware affiliates that have signed an Intra-Group Agreement for VMware's EEA BCRs, click here. For further information, click here.
VMware’s application for Binding Corporate Rules in the UK ("VMware's UK BCRs") is currently pending, and VMware’s Data Processing Addendum will be updated when the UK BCRs take effect. See FAQ “What is VMware data transfer strategy in light of Brexit?” for more information.
Transfers to Third-Party Sub-Processors: VMware has in place Data Processing Agreements (DPAs) with its Sub-Processors which incorporate the current version of the Controller to Processor SCCs to ensure safe, secure, and legal data transfers from the EEA, Switzerland and UK and to protect any subsequent onward transfers. The European Commission has published a new draft version of the SCCs available here. Once the new SCCs are approved and take effect, VMware will take such necessary steps to implement such new SCCs with its Sub-Processors in accordance with any new requirements established by the European Commission.
VMware has prepared an FAQ “Brexit and International Data Transfers”, available here, to address concerns from customers regarding VMware's data transfer strategy in light of Brexit, and specifically the use of binding corporate rules (BCRs) and standard contractual clauses (SCCs).
For additional information regarding the mechanisms VMware has implemented to ensure appropriate safeguards for the transfer of personal data, see FAQ “What mechanism has VMware implemented to ensure appropriate safeguards for the transfer of personal data outside of the EEA, Switzerland and UK where VMware is acting as a processor?”
Security of our Service Offerings is of the utmost importance to VMware. For a list of the security measures deployed in connection with our Service Offerings, see the Trust Center Security page.
In your use of the Service Offerings, you are responsible for configuring and implementing the necessary technical, organizational and administrative controls to enable you to comply with any laws applicable to your use of the Service Offering, which may depend on the types of data you choose to process using the Service Offering. Your responsibilities relating to the security of your Customer Content are set forth in the applicable agreement, and include (a) controlling access you provide to your users, (b) configuring the Service Offering appropriately, (c) ensuring the security of Customer Content while it is in transit to and from the Service Offering, (d) using encryption technology to protect Customer Content as you deem necessary, and (e) backing up Customer Content.
VMware maintains an information security management program that is aligned with the ISO 27001 standard (as applicable), which is reviewed at least annually to ensure appropriate controls, practices and procedures are in place. For a list of the security measures deployed in connection with our Service Offerings, see the Trust Center Security page.
VMware engages and uses third parties to perform services on its behalf in connection with the provision of VMware Service Offerings or Support & Subscription Services. See details provided here. In connection with the engagement of third-parties who process Personal Data as a Sub-processor (as those terms are defined in Data Processing Addendum), VMware has implemented the following processes and procedures:
Contractual Commitment and International Data Transfers: VMware enters into data processing agreements with all its Sub-processors which require the Sub-processors to maintain proper privacy, security and confidentiality of Personal Data on terms which are substantially similar to the contractual commitments VMware makes to its own customers in the Data Processing Addendum. VMware relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place and the Sub-processor makes appropriate contractual commitments.
Privacy Review Process and Privacy-by-Design: VMware has established a centralized end-to-end third-party vendor management process to onboard new suppliers, including initiating, conducting and tracking third-party privacy and security reviews using centralized tools to assist with its compliance efforts. The VMware Privacy Team conducts detailed privacy reviews of the services provided by Sub-processors, including determining the categories of Personal Data processed and the processing purposes. The reviews include the implementation of privacy controls for mitigating the risks associated with Sub-processors’ access to and processing of Personal Data and ensuring regulatory compliance.
Security Review Process: VMware maintains a policy and process for conducting security reviews of Sub-processors. The VMware Security Team conducts an initial security review of any new Sub-processor, and ongoing monitoring based on the identified security risk level.
List of Sub-Processors and Notification of New Sub-Processors: VMware maintains a list of the Sub-processors used by individual Service Offerings and in relation to the Support & Subscription Services. The list for each Service Offering can be accessed here. VMware provides prior notice to Customer of any new engagement of a Sub-processor if the Customer has subscribed to receive notification for a specific Service via the mechanisms provided by VMware. If you would like to receive new Sub-processor notifications, please go here, and enable notifications for the relevant Sub-processor list(s).
VMware has implemented a privacy-by-design framework to ensure that its On-Premise Products and Service Offerings are designed in a manner which complies with applicable privacy principles and legal requirements. A privacy review process has been implemented in the design lifecycle of VMware’s On-Premise Products and Service Offerings, which includes documented instructions for submitting a product or service through a privacy review, designated legal counsel to conduct privacy reviews, data processing impact assessments (as may be required), and general privacy requirements for designing products/services in compliance with applicable data protection and privacy laws.
Further, VMware has established a centralized end-to-end third-party vendor management process to onboard new suppliers, including initiating, conducting and tracking third-party privacy and security reviews using centralized tools to assist with its compliance efforts. The VMware Privacy Team conducts detailed privacy reviews of the services provided by Sub-processors, including determining the categories of Personal Data processed and the processing purposes. The reviews include the implementation of privacy controls for mitigating the risks associated with Sub-processors’ access to and processing of Personal Data and ensuring regulatory compliance.
VMware has a Data Protection Officer who is a lawyer and director of an external data protection consulting firm. The role of the DPO is described in Articles 38 and 39 of the GDPR. The DPO must be involved in all issues relating to the protection of personal data, advise the organization regarding its obligations under GDPR, monitor its compliance, provide advice regarding any data protection impact assessment, and be a point of contact for the supervisory authorities. The VMware Privacy Team engages VMware’s DPO as appropriate. To contact VMware’s DPO, please email dpo@vmware.com. The VMware Privacy Team will address the query and/or engage our DPO, as appropriate.
Under the EU General Data Protection Regulation (“GDPR”), VMware is the “processor” with respect to Customer Content. VMware’s obligations and commitments as a processor under GDPR are set forth in our Data Processing Addendum, and VMware will process personal data contained within Customer Content in accordance with the applicable agreement and the Data Processing Addendum. Further, VMware has achieved Binding Corporate Rules (“BCR”) approval for personal data it processes as a processor. A copy of VMware’s BCR is available here and evidence of VMware’s approval is available on the European Commission’s website.
VMware provides enterprise solutions which enable its customers to build, manage, secure and run applications across multiple systems and environments. Although VMware believes the nature of the Service Offerings it provides to its customers won’t generally warrant a direct government access request to Customer Content, VMware took the following steps to comply with the Schrems II ruling and to assist customers in their own compliance efforts in relation to data they process as a controller:
Strengthened Contractual Commitments Regarding Government Access Requests
VMware updated the ‘Required Disclosure’ section of its Terms of Service to clarify how VMware handles government access requests by adding the following commitments:
Where customer notification is not legally prohibited, VMware will:
- Notify the Customer: Notify its customers of any demand for disclosure of customer’s content.
- Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer’s behalf and all requests for access to customer’s content should be directed in writing to the contact person the customer has identified to us, or the customer’s legal department.
- Limit Access: Only provide access to customer’s content with the customer’s authorization. If the customer requests, we will, at the customer’s expense, take reasonable steps to contest any demand.
In the event VMware is legally prohibited from notifying the customer, VMware will:
- Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding.
- Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with applicable law.
- Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.
Transparency Regarding Process for Handling Government Access Requests and US Authorities
To assist customers in further understanding VMware’s commitments and process for handling government access requests, including commitments set forth in VMware’s BCRs, VMware has prepared VMware Principles for Handling Government Requests to Access Customer Content.
Further, VMware has prepared the VMware Statement regarding application of FISA Section 702 and Executive Order 12333 in view of Schrems II to address concerns about U.S. intelligence agencies having access to data transiting from the EU to the U.S. and to assist customers in understanding the likely application of two U.S. authorities: Executive Order (EO) 12333 and the Foreign Intelligence Surveillance Act (FISA) Section 702. VMware strongly believes there is a low likelihood that it would be subject to Section 702 or EO 12333 in relation to its provision of the service offerings given the nature of the services it provides.
Updated Contracts with Sub-Processors to Ensure Legal Basis for Transferring Personal Data
Since the invalidation of the EU-U.S. Privacy Shield, VMware has implemented Standard Contractual Clauses with all of its Sub-processors who previously relied on the EU-U.S. Privacy Shield as a data transfer mechanism. In its capacity as a data processor, VMware relies on Binding Corporate Rules to transfer Personal Data outside the EU in connection with the provision of the applicable VMware Service Offerings as set forth in VMware’s Data Processing Addendum. Additional information on VMware’s BCRs can be found here and on the VMware Trust Center.
Technical and Organizational Measures
VMware confirms its commitment to implement and maintain appropriate technical and organizational measures as set forth in VMware’s Data Processing Addendum. VMware’s Trust Center website outlines the third-party certifications and audits VMware maintains in relation to its Service Offerings. Given the nature of the VMware Service Offerings, customers also have control over how they configure the Service Offerings, and can implement any necessary administrative and technical controls as required to protect the data that is processed in connection with their use of the applicable Service Offering. In many instances, VMware provides both on-premise and hosted solutions for customers to choose from when managing their systems and infrastructure.
Transparency Regarding the Types of Data processed by VMware Service – Datasheets
The European Data Protection Board (EDPB) in its FAQs on “Schrems II” outlined that it is necessary to consider the types of data transferred as one factor in making a determination whether there is an adequate level of protection surrounding the transfer of personal data outside the EU, and that controllers should conduct a case-by-case analysis to determine the risks posed by such transfer. To assist customers in understanding the types of data processed in connection with their use of VMware Service Offerings, VMware provides Service Descriptions for each Service Offering available here, and makes available datasheets for certain Service Offerings in the Privacy section of the VMware Trust Center. For Workspace One Service Offerings, VMware also makes available the Workspace One Disclosure.
The California Consumer Privacy Act (“CCPA”) applies to businesses that provide services to consumers in California. It gives individuals certain rights regarding the processing of their personal data. Under the CCPA, VMware acts as a ‘service provider’ of the customer in connection with the processing of personal data contained within customer content. VMware will not access or use such personal data for any purpose except as necessary to provide the services to the customer as set forth in the applicable agreement, and will assist the customer in responding to data subject access requests under the CCPA as set forth in our Data Processing Addendum. Where VMware acts as a ‘business’ under CCPA, VMware’s California Privacy Notice and other Privacy Notices provide details regarding how VMware handles such personal information as a business, including any required disclosures pertaining to the categories of data collected and used, and the sale of personal information. For more detailed information regarding the applicability of the CCPA to VMware’s provision of the services, click here.