Security

Operate with the confidence of security. View our commitment to keeping your data safe at rest and in transit for your cloud, hybrid, and on-premises deployments.

Privacy

Stay in control. View our policies that let you decide how your data is accessed and used.

Compliance

Realize extensive compliance in every region. View our comprehensive list of compliance standards and regulations.

Resiliency

Stay informed on the status of your solutions. Access a transparent view of global product and service availability.

Why VMware Cloud Security?

Cloud, hybrid or on-premise – your security is our priority.
Extensive Security Experience

From government and defense, to the largest data centers in the world, VMware has a long history as a trusted partner in the most sensitive environments around the world. Now we’ve expanded this reputation to our cloud offerings.

 

Built-in Compliance

VMware builds security into the foundations of every one of our cloud solutions. This means our offerings align with major compliance certifications to maintain standards that meet industry best-practices.

 

Accelerate Without Compromise

Whether migrating to the cloud, building modern apps, scaling your data center or automating multi-cloud operations, move with agility and confidence.

 

VMware Cloud Security Capabilities

Software Security

With world-class security partnerships and an industry-leading Security Development Lifecycle process, VMware ensures Cloud operational and security controls are aligned with industry benchmarks and best-practices.

Data Security

VMware maintains stringent data protection standards, to ensure appropriate handling at every classification level, from processing and storage to transmission and destruction of data. Data in the cloud is a shared responsibility, and we define controls to ensure ownership and stewardship of customer organizational data remains with the customer.



Network Security

VMware Cloud solutions build on top of the base network security provided by our IaaS partners. Network environments are logically separated and protected by firewalls to safeguard business security requirements and ensure appropriate protection and isolation.

Identity and Access Management

Based on the principle of least privilege, VMware cloud solutions use identity and access management controls, ensuring the appropriate level of access for all personnel to keep your data and systems safe and secure.

 

Vulnerability and Patch Management

The VMware comprehensive vulnerability management program includes third-party vulnerability scanning and penetration testing across network, application and local operating system layers, helping you stay ahead of new and emerging gaps in security.

Operations Management

VMware Cloud solutions continuously collect and monitor environment logs correlated with both public and private threat feeds, to spot suspicious and unusual activities. This is supported by continuously updated contact with industry bodies, risk and compliance organizations, local authorities, and regulatory bodies to ensure new threats are apprehended rapidly.

Related Resources

VMware Security Blog

Make sure your enterprise is secure with the latest trends, tips and technology from VMware’s security leaders and experts.

How we Protect Data we Process as a Business

Transparency on how we collect, use, disclose, transfer and store personal information.

Products and Services Notice

Applies to the personal information VMware collects and uses in connection with your use of VMware products and services, including:

 

  • Cookies and similar tracking technologies we may use when providing the products or services.
  • Data we collect to improve our products and services and your customer experience.

Details regarding VMware’s customer experience improvement and analytics programs relating to VMware products and service can be found here.

Privacy Notice

Addresses the personal information we collect when you:

 

  • Visit, interact with or use any of our websites, social media pages, mobile apps (where linked to the Privacy Notice), online advertisements, marketing communications.
  • Visit, interact with or use any of our events, sales, marketing and other offline activities.
  • Purchase VMware products and services and provide account-related personal information.

Cookie Notice

Addresses how VMware uses cookies and similar tracking technologies when you use and interact with our websites and our online properties.

Additional Notices

VMware may have additional privacy notices for specific websites, events, mobile apps, including "just-in-time" disclosures and in-product privacy notices. These notices may supplement or clarify VMware's privacy practices or may provide additional choices about how VMware processes data.

How we Protect Data as a Service Provider

Enabling you to comply with data protection and privacy requirements.

Processing of Customer Content

VMware processes, stores and hosts content you or your end users have uploaded to VMware services as “Customer Content” (as defined in the VMware Terms of Service or other relevant agreement). VMware processes personal data contained within Customer Content as a “service provider” or “processor” acting on your instruction. View our FAQs for more information.

Data Processing Addendum

VMware’s obligations and commitments as a data processor are set forth in VMware’s Data Processing Addendum (DPA). VMware processes personal data contained within Customer Content in accordance with this DPA and the applicable agreements. Standard agreements for each product and service can be found on our End User Terms and Conditions.

Binding Corporate Rules

VMware has achieved Binding Corporate Rules (BCR) as a processor, acknowledging we have met the standards of the EU General Data Protection Regulation for international transfers of personal data contained in Customer Content.

Sub-processors

VMware may use third-party companies to provide certain services on its behalf. Third party service providers who process personal data contained in Customer Content (sub-processors), will have written agreements and data transfer mechanisms in place to protect personal data in the manner set forth in the Data Processing Addendum.

 

VMware Cloud Security

VMware has programs, policies, and practices to ensure personal data contained in Customer Content is adequately protected (including regular training and confidentiality agreements for employees handling data), and to help identify, prevent and resolve security vulnerabilities in our products and services. These programs are continually reviewed and updated.

 

 

Unified Endpoint Management

VMware offers solutions that enable you to protect your organization’s information and systems, accessed and made available through corporate owned or personal devices, using management controls. View information on Workspace ONE’s privacy and security program and disclosure relating to data collected and used by the service.

 

Related Resources

VMware Cloud Disaster Recovery Privacy

Discover how VMware processes and protects your personal data in connection with the VMware Cloud Disaster Recovery Service Offering

VMware Cloud Web Security Privacy

Learn about the types of personal data collected by this secure web gateway and how VMware processes and protects it.

CloudHealth by VMware Privacy

Discover how VMware processes and protects personal data on the trusted platform for optimizing multi-cloud environments.

VMware Carbon Black Cloud Privacy

Learn about the types of personal data collected by this cloud native security solution and how VMware processes and protects it.

VMware SD-WAN by VeloCloud Privacy

Learn about the types of personal data collected by this network overlay solution and VMware’s role in protecting it.

 

VMware Workspace ONE Privacy

Learn about the types of personal data collected by this digital workspace platform and how VMware processes and protects it.

VMware Cloud on AWS Privacy

Learn about who is responsible for personal data in VMware Cloud on AWS SDDCs and how VMware protects any data in its domain.

Maintaining Compliance Together

VMware continuously monitors existing and emerging security standards and requirements and integrates applicable requirements into our cloud service compliance programs. As VMware partners with you on enabling your compliance, you, as the customer, are required to ensure the Service Offering meets your compliance and regulatory obligations.

If you have questions about compliance, we encourage you to discuss your business goals and objectives with your VMware Sales Representative.

Existing Cloud Compliance Programs

Continually updated information on the compliance programs most relevant to you.
For information on VMware Product Compliance click here.
Filter by
Filter by

 

 

Additional Compliance Information

Thank you for your interest in compliance at VMware.

Please contact your VMware Sales Representative if you need additional information about our compliance programs. Your sales representative can also assist you in gaining access to compliance reports not available for immediate download.

Service Status

Service Location

Service Status

Frequently Asked Questions

Trust Center

For more information related to VMware Cloud Trust Center, we encourage you to reach out to your VMware Sales Representative. Your representative will be able to obtain the information to best support your request.

Yes, please visit here.

Privacy

“Your Content” or “Customer Content” is any content you, as a customer, upload into a Service Offering as further defined in your agreement with VMware (e.g. VMware Terms of Service). This includes all text, sound, video, or image files, and software (including machine images), or other information that you or any of your end users upload into the Service Offering for processing, storage, or hosting in connection with your account with us. For example, Customer Content includes data that you or your end users store in Workspace ONE. Importantly, your account information, including names, usernames, phone numbers, and billing information associated with your account, is not included in the definition of “Customer Content”, nor any information we collect in connection with your use of our Service Offerings. Rather, VMware will handle that information in accordance with our Privacy Notice.

You always retain ownership of your Customer Content. You determine which VMware Service Offerings you would like to use in processing, storing, and hosting Customer Content, and what information you upload into the Service Offering as Customer Content. Also, we will not access or use your Customer Content for any purpose except as necessary to provide the Service Offering to you and as set forth and permitted in our VMware Terms of Service with you. Lastly, we do not use Customer Content for marketing or advertising.

 

VMware makes the following contractual commitments regarding how it will handle subpoenas, court orders, agency actions or other legal or regulatory requirements to disclose any customer's Content, as set forth in the "Required Disclosure" section of the Terms of Service:

Where customer notification is not legally prohibited, VMware will: 

- Notify the Customer: Notify its customers of any demand for disclosure of customer's content.

- Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer's behalf and all requests for access to customer's content should be directed in writing to the contact person the customer has identified to us, or the customer's legal department. 

- Limit Access: Only provide access to customer's content with the customer's authorization. If the customer requests, we will, at the customer's expense, take reasonable steps to contest any demand. 

In the event VMware is legally prohibited from notifying the customer, VMware will: 

- Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding. 

- Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with the applicable law. 

- Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.

VMware is committed to protecting its customers’ Content while complying with applicable law, and accordingly, VMware has made commitments in its VMware Terms of Service (Required Disclosures) and Binding Corporate Rules (BCRs) Processor Policy regarding how VMware will respond to government access requests, as further detailed below. VMware has prepared VMware’s Principles for Handling Government Requests to Access Customer Content to assist customers in further understanding VMware’s commitments and processes for handling government access requests, including commitments set forth in VMware’s BCR’s

VMware specifically makes the following contractual commitments regarding how it will handle government access requests, as set forth in the ‘Required Disclosure” section of the VMware Terms of Service:

Where customer notification is not legally prohibited, VMware will: 

- Notify the Customer: Notify its customers of any demand for disclosure of customer’s content.

 - Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer’s behalf and all requests for access to customer’s content should be directed in writing to the contact person the customer has identified to us, or the customer’s legal department. 

- Limit Access: Only provide access to customer’s content with the customer’s authorization. If the customer requests, we will, at the customer’s expense, take reasonable steps to contest any demand.

In the event VMware is legally prohibited from notifying the customer, VMware will:

- Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding.

- Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with applicable law.

- Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.

In no event will VMware disclose any Personal Data in a massive, disproportionate, and indiscriminate manner that goes beyond what is necessary in a democratic society.

Further, following the decision of the European Union Court of Justice (ECJ) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II), VMware has prepared the VMware Statement regarding application of FISA Section 702 and Executive Order 12333 in view of Schrems II to address concerns about U.S. intelligence agencies having access to data transiting from the EU to the U.S. and to assist customers in understanding the likely application of two U.S. authorities: Executive Order (EO)12333 and the Foreign Intelligence Surveillance Act (FISA) Section 702. VMware strongly believes there is a low likelihood that it would be subject to Section 702 or EO 12333 in relation to its provision of the service offerings given the nature of the services it provides.

VMware is a global company and is subject to global laws. The list of countries where Personal Data contained in Customer Content is processed in relation to a specific Service Offering are set forth in the applicable Sub-processor list(s), identified here. VMware is not aware of any applicable law that would impinge on its ability to comply with its commitments relating to government access requests and required disclosures as set forth in the VMware Terms of Service.

In connection with the provision of VMware services to a customer, VMware may transfer Personal Data included in Customer Content (as such terms are defined in the VMware Data Processing Addendum from the European Economic Area ("EEA"), Switzerland and UK to third countries in its capacity as a processor. The General Data Protection Regulation ("GDPR") has been incorporated into UK's domestic legislation, and therefore the data transfer mechanism permitted under the GDPR for transfers of personal data outside the EEA will also apply to transfers from the UK. Regarding Switzerland, the Federal Act on Data Protection ("FADP") follows a similar framework as the GDPR and therefore, the same data transfer mechanisms apply to transfers from Switzerland (with the necessary amendments to account for any differences).

Recipients or importers of customer's Personal Data include the entities in the VMware Group and select third-party vendors we engage who process Personal Data on our behalf to provide our services (“Sub-Processors”). A list of the entities in the VMware Group and Sub-Processors we use to process our customers’ Personal Data in connection with our service offerings and customer support, along with details of their location, are available here.

Intra-Group Transfers: Whenever VMware, acting as a processor, shares Personal Data originating in the EEA, it will do so on the basis of its Irish Data Protection Commissioner and peer approved binding corporate rules known as the VMware Binding Corporate Rules ("VMware's EEA BCRs") which establish adequate protection of such Personal Data and are legally binding on the VMware Group.

VMware's BCRs were approved by the European Data Protection Authorities on May 23, 2018. You can review confirmation that this review has now been completed here. For additional information on VMware’s Binding Corporate Rules and to access VMware's EEA BCRs Processor Policy, see VMware's Processor Binding Corporate Rules. To see a listing of the VMware affiliates that have signed an Intra-Group Agreement for VMware's EEA BCRs, click here. For further information, click here.

VMware’s application for Binding Corporate Rules in the UK ("VMware's UK BCR’s") is currently pending, and VMware’s Data Processing Addendum will be updated when the UK BCRs take effect. See FAQ “What is VMware data transfer strategy in light of Brexit?” for more information.

Transfers to Third-Party Sub-Processors: VMware has in place Data Processing Agreements (DPAs) with its Sub-Processors which incorporate the current version of the Controller to Processor SCCs to ensure safe, secure, and legal data transfers from the EEA, Switzerland and UK and to protect any subsequent onward transfers. The European Commission has published a new draft version of the SCCs available here. Once the new SCCs are approved and take effect, VMware will take such necessary steps to implement such new SCCs with its Sub-Processors in accordance with any new requirements established by the European Commission.

VMware has prepared an FAQ “Brexit and International Data Transfers”, available here, to address concerns from customers regarding VMware's data transfer strategy in light of Brexit, and specifically the use of binding corporate rules (BCRs) and standard contractual clauses (SCCs).

For additional information regarding the mechanisms VMware has implemented to ensure appropriate safeguards for the transfer of personal data, see FAQ “What mechanism has VMware implemented to ensure appropriate safeguards for the transfer of personal data outside of the EEA, Switzerland and UK where VMware is acting as a processor?”

Security of our Service Offerings is of the upmost importance to VMware. For a list of the security measures deployed in connection with our Service Offerings, see the Trust Center Security page.

In your use of the Service Offerings, you are responsible for configuring and implementing the necessary technical, organizational and administrative controls to enable you to comply with any laws applicable to your use of the Service Offering, which may depend on the types of data you choose to process using the Service Offering. Your responsibilities relating to the security of your Customer Content are set forth in the applicable agreement, and include (a) controlling access you provide to your users, (b) configuring the Service Offering appropriately, (c) ensuring the security of Customer Content while it is in transit to and from the Service Offering, (d) using encryption technology to protect Customer Content as you deem necessary, and (e) backing up Customer Content.

VMware maintains an information security management program that is aligned with the ISO 27001 standard (as applicable), which is reviewed at least annually to ensure appropriate controls, practices and procedures are in place. For a list of the security measures deployed in connection with our Service Offerings, see the Trust Center Security page.

VMware engages and uses third parties to perform services on its behalf in connection with the provision of VMware Service Offerings or Support & Subscription Services. See details provided here. In connection with the engagement of third-parties who process Personal Data as a Sub-processor (as those terms are defined in Data Processing Addendum), VMware has implemented the following processes and procedures:

1. Contractual Commitment and International Data Transfers: VMware enters into data processing agreements with all its Sub-processors which requires the Sub-processors to maintain proper privacy, security and confidentiality of Personal Data on terms which are substantially similar to the contractual commitments VMware makes to its own customers in the Data Processing Addendum. VMware relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place and the Sub-processor makes appropriate contractual commitments.

2. Privacy Review Process and Privacy-by-Design: VMware has established a centralized end-to-end third-party vendor management process to onboard new suppliers, including initiating, conducting and tracking third-party privacy and security reviews using centralized tools to assist with its compliance efforts. The VMware Privacy Team conducts detailed privacy reviews of the services provided by Sub-processors, including determining the categories of Personal Data processed and the processing purposes. The reviews include the implementation of privacy controls for mitigating the risks associated with Sub-processors’ access to and processing of Personal Data and ensuring regulatory compliance.

3. Security Review Process: VMware maintains a policy and process for conducting security reviews of Sub-processors. The VMware Security Team conducts an initial security review of any new Sub-processor, and ongoing monitoring based on the identified security risk level.

4. List of Sub-Processors and Notification of New Sub-Processors: VMware maintains a list of the Sub-processors used by individual Service Offerings and in relation to the Support & Subscription Services. The list for each Service Offering can be accessed here. VMware provides prior notice to Customer of any new engagement of a Sub-processor if the Customer has subscribed to receive notification for a specific Service via the mechanisms provided by VMware. If you would like to receive new Sub-processor notifications, please go here, and enable notifications for the relevant Sub-processor list(s).

VMware has implemented a privacy-by-design framework to ensure that its On-Premise Products and Service Offerings are designed in a manner which complies with applicable privacy principles and legal requirements. A privacy review process has been implemented in the design lifecycle of VMware’s On-Premise Products and Service Offerings, which includes documented instructions for submitting a product or service through a privacy review, designated legal counsel to conduct privacy reviews, data processing impact assessments (as may be required), and general privacy requirements for designing products/services in compliance with applicable data protection and privacy laws.

Further, VMware has established a centralized end-to-end third-party vendor management process to onboard new suppliers, including initiating, conducting and tracking third-party privacy and security reviews using centralized tools to assist with its compliance efforts. The VMware Privacy Team conducts detailed privacy reviews of the services provided by Sub-processors, including determining the categories of Personal Data processed and the processing purposes. The reviews include the implementation of privacy controls for mitigating the risks associated with Sub-processors’ access to and processing of Personal Data and ensuring regulatory compliance.

VMware has a Data Protection Officer who is a lawyer and director of an external data protection consulting firm. The role of the DPO is described in Articles 38 and 39 of the GDPR. The DPO must be involved in all issues relating to the protection of personal data, advise the organization regarding its obligations under GDPR, monitor its compliance, provide advice regarding any data protection impact assessment, and be a point of contact for the supervisory authorities.  The VMware Privacy Team engages VMware’s DPO as appropriate.  To contact VMware’s DPO, please email dpo@vmware.com.  The VMware Privacy Team will address the query and/or engage our DPO, as appropriate.

Under the EU General Data Protection Regulation (“GDPR”), VMware is the “processor” with respect to Customer Content. VMware’s obligations and commitments as a processor under GDPR are set forth in our Data Processing Addendum, and VMware will process personal data contained within Customer Content in accordance with the applicable agreement and the Data Processing Addendum. Further, VMware has achieved Binding Corporate Rules (“BCR”) approval for personal data it processes as a processor. A copy of VMware’s BCR is available here and evidence of VMware’s approval is available on the European Commission’s website.

VMware provides enterprise solutions which enable its customers to build, manage, secure and run applications across multiple systems and environments. Although VMware believes the nature of the Service Offerings it provides to its customers won’t generally warrant a direct government access request to Customer Content, VMware took the following steps to comply with the Schrems II ruling and to assist customers in their own compliance efforts in relation to data they process as a controller:

Strengthened Contractual Commitments Regarding Government Access Requests

VMware updated the ‘Required Disclosure’ section of its Terms of Service to clarify how VMware handles government access requests by adding the following commitments:

Where customer notification is not legally prohibited, VMware will:

- Notify the Customer: Notify its customers of any demand for disclosure of customer’s content.

- Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer’s behalf and all requests for access to customer’s content should be directed in writing to the contact person the customer has identified to us, or the customer’s legal department.

- Limit Access: Only provide access to customer’s content with the customer’s authorization. If the customer requests, we will, at the customer’s expense, take reasonable steps to contest any demand.

In the event VMware is legally prohibited from notifying the customer, VMware will:

- Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding,

- Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with applicable law.

- Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.

Transparency Regarding Process for Handling Government Access Requests and US Authorities

To assist customers in further understanding VMware’s commitments and process for handling government access requests, including commitments set forth in VMware’s BCR’s, VMware has prepared VMware Principles for Handling Government Requests to Access Customer Content.

Further, VMware has prepared the VMware Statement regarding application of FISA Section 702 and Executive Order 12333 in view of Schrems II to address concerns about U.S. intelligence agencies having access to data transiting from the EU to the U.S. and to assist customers in understanding the likely application of two U.S. authorities: Executive Order (EO)12333 and the Foreign Intelligence Surveillance Act (FISA) Section 702. VMware strongly believes there is a low likelihood that it would be subject to Section 702 or EO 12333 in relation to its provision of the service offerings given the nature of the services it provides.

Updated Contracts with Sub-Processors to Ensure Legal Basis for Transferring Personal Data

Since the invalidation of the EU-U.S. Privacy Shield, VMware has implemented Standard Contractual Clauses with all of its Sub-processors who previously relied on the EU-US Privacy Shield as a data transfer mechanism. In its capacity as a data processor, VMware relies on Binding Corporate Rules to transfer Personal Data outside the EU in connection with the provision of the applicable VMware Service Offerings as set forth in VMware’s Data Processing Addendum. Additional information on VMware’s BCR’s can be found here and on the VMware Trust Center

Technical and Organizational Measures

VMware confirms its commitment to implement and maintain appropriate technical and organizational measures as set forth in VMware’s Data Processing AddendumVMware’s Trust Center website outlines the third-party certifications and audits VMware maintains in relation to its Service Offerings. Given the nature of the VMware Service Offerings, customers also have control over how they configure the Service Offerings, and can implement any necessary administrative and technical controls as required to protect the data that is processed in connection with their use of the applicable Service Offering. In many instances, VMware provides both on-premise and hosted solutions for customers to choose from when managing their systems and infrastructure.

Transparency Regarding the Types of Data processed by VMware Service – Datasheets

The European Data Protection Board (EDPB) in its FAQs on “Schrems II" outlined that it is necessary to consider the types of data transferred as one factor in making a determination whether there is an adequate level of protection surrounding the transfer of personal data outside the EU, and that controllers should conduct a case-by-case analysis to determine the risks posed by such transfer. To assist customers in understanding the types of data processed in connection with their use of VMware Service Offerings, VMware provides Service Descriptions for each Service Offering available here, and makes available datasheets for certain Service Offerings in the Privacy section of the VMware Trust Center. For Workspace One Service Offerings, VMware also makes available the Workspace One Disclosure.

The California Consumer Privacy Act (“CCPA”) applies to businesses that provide services to consumers in California. It gives individuals certain rights regarding the processing of their personal data. Under the CCPA, VMware acts as a ‘service provider’ of the customer in connection with the processing of personal data contained within customer content. VMware will not access or use such personal data for any purpose except as necessary to provide the services to the customer as set forth in the applicable agreement, and will assist the customer in responding to data subject access requests under the CCPA as set forth in our Data Processing Addendum. Where VMware acts as a ‘business’ under CCPA, VMware’s California Privacy Notice and other Privacy Notices provide details regarding how VMware handles such personal information as a business, including any required disclosures pertaining to the categories of data collected and used, and the sale of personal information. For more detailed information regarding the applicability of the CCPA to VMware’s provision of the services, click here.

Ready to Get Started?