Home Commvault Legal Trust Center Commvault: Your Data Protected In the face of countless threats, safeguarding data takes a layered, proven, and secure-by-design approach. As your trusted partner, Commvault’s hardened, zero-trust protocols protect business data at its core while meeting the most stringent security standards for government agencies and business, alike. Learn about our FedRAMP High status Data security you can trust From the data center to the cloud, Commvault delivers trusted security, compliance, and resiliency across our award-winning services. Compliance We adhere to stringent regulatory standards so our organization, and yours, remain compliant. Security We meet rigorous and progressive security best practices, always prioritizing the confidentiality, integrity, and availability of your data. Privacy We respect your privacy and are committed to providing transparency into our data management practices. Certifications & Compliances Get certified and compliant FIPS 140-2 Compliant Validates cryptographic modules for encryption and document processing for handling sensitive data.Note: FIPS 140-3 pending CMVP review. Learn more ISO/IEC 27001: 2013 Certified Establishes international standards for managing risks to the security of information.Applicable for Commvault Cloud SaaS customers and Remote Managed Services (RMS) Platform. Learn more NIST 800-53 CP9 & CP10 Compliant Establishes standards for contingency planning and configuration management to maintain the security of information systems and protect sensitive data from unauthorized access or modification. Learn more VPAT 2.0 — WCAG and 508 Compliant Describes the accessibility of Commvault Solutions in conformance with Section 508 of the Rehabilitation Act of 1973. Learn more SOC 2 Type II Certified Provides security standards and criteria for the acceptance, processing, storage, and transmission of credit card information.Applicable for Commvault Cloud SaaS customers. Learn more FedRAMP High Authorized The most stringent confidentiality, accessibility, and availability standards set forth for US government contractors and agencies. See Government Cloud for more information.Applicable for Commvault Cloud SaaS customers. Learn more Center for Internet Security Benchmarks Establishes standards for configuring and safeguarding IT systems, software, and networks. Learn more PCI Certified Provides security standards and criteria for the acceptance, processing, storage, and transmission of credit card information.Applicable for Commvault Cloud SaaS customers. CJIS Provides data security standards for organization handling criminal justice and law enforcement-centric data.Applicable for Commvault Cloud SaaS customers. IRAP Infosec Registered Assessor Program (IRAP) Australian offers a robust security assessment framework for systems, services, and applications. Applicable for Commvault Cloud SaaS customers. Trusted Security In a data-driven world, security is everything Security is more than table stakes; it’s the heart of your business—and ours. Commvault’s Information Security Program provides the information needed for our management and board of directors to make well-informed decisions on our overall information security strategy to protect our data—and yours. How we keep your data secure We follow industry best practices to continuously monitor security threats and remediate data risks in a single cloud-based experience while leveraging built-in intelligence to stay ahead of threats. Additionally, we help customers integrate security into products from the planning stage through design, development, testing, and deployment. A proactive approach to security and compliance Our information security governance framework allows us to: Categorize, prioritize, and mitigate risk and threatsIdentify, remediate, and recover from incidentsUnderstand our risk posture and maturity levelsAdopt a risk-based approach to our security footprint Pillars of our Information Security Governance Framework Strategy We align business and IT strategies with organizational objectives to help us stay true to our mission to help customers protect their data in a difficult world. Implementation We turn strategy into action by fostering a security culture across the organization and integrating security into all business processes. Operation We execute our program with a growth mindset and invest in our people, systems, and technology to continously evolve and innovate. Monitoring We continuously monitor the effectiveness of our program to help us improve our security posture and stay ahead of the evolving threat landscape. Security & Privacy Proven Protection. No compromises. Commvault is committed to supporting our customers compliance with data protection laws and prioritizes the privacy and security of the data we protect with our entire product suite.Privacy PolicyResponsible AI PolicyData Processing AgreementList of Sub-ProcessorsGovernment Access PolicyShared Responsibility Model Learn about Responsible AI Data Sovereignty To help global businesses fulfill their data residency and compliance requirements, Commvault Cloud customers have full control over where their data lives.For more information, please visit our Documentation site. From zero trust to zero loss Future-proof protection starts with zero-trust security to safeguard endpoints, SaaS applications, and hybrid cloud environments from loss. Readiness & response Achieve cyber resilience with predictable, rapid and scalable recovery – at the best TCO. Learn more Risk governance Improve your data security posture by proactively locating and remediating risks across all your production and backup data. Learn more Reliable recovery Advanced preparedness for resilience, your strategy for predictable, fast recovery Learn more Frequently Asked Questions(FAQs) What security certifications do you have? Commvault maintains robust security certifications, which you can learn more about on our documentation site here. Please note they do vary from product to product. How do I request a copy of your audit reports? We are happy to share our audit or attestation reports/certificates under a Mutual Non-Disclosure Agreement (MNDA). You can download the report directly from our online portal here. Does Commvault have access to customer data? We do not have access to your data when you use Commvault products installed on-premises. We may process limited (if any) personal data if we provide remote managed services, professional services, or technical support. For example, we may process personal data such as the business contact details of the person raising a customer support request (e.g., email address, telephone number). Our Master Terms & Conditions, which incorporate our Data Processing Agreement, include terms to cover this limited processing.If the customer has subscribed for one of Commvault’s SaaS offerings where we also provide data storage (using AWS or Azure infrastructure), Commvault will be a data processor for the customer if the data that being stored includes personal data. To cover this, our SaaS Solution Terms & Conditions under our MTCs incorporates a DPA. Does Commvault sell or share customer data with third parties? We never sell your data, nor do we give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct, as required by law (as per our Government Access Policy), or in accordance with our Privacy Policy. Will Commvault’s solutions help me comply with the GDPR? Please visit GDPR compliance to learn more about how our solutions can help you achieve and maintain GDPR compliance. How can I receive updates regarding my product’s sub-processors? To receive sub-processor updates via e-mail, please subscribe here. To find out more about how we meet our GDPR sub-processor and other applicable privacy requirements, please refer to our Data Processing Agreement found here. How can I submit a request regarding my personal data? Please reach out to privacy@commvault.com for any requests, queries, or complaints regarding your personal data. I have more questions on security, privacy, and compliance. How can I get in touch? For questions, comments, or feedback regarding Commvault’s privacy practices, contact us at privacy@commvault.com. To report a security vulnerability in the product or get support on how to use a product security feature, please contact Commvault’s support team here. For all other questions, please visit our Contact us page. How do I report a security vulnerability? Security vulnerability and reporting is the process of identifying potential security risks and vulnerabilities in products and services and then informing the appropriate authorities of these risks and vulnerabilities. This process helps to ensure that products and services remain secure and compliant with security standards. Existing Commvault customers should directly contact Commvault Support to report a security vulnerability and don’t need to fill out the form linked below. All other visitors can report security vulnerabilities via an online form here. To Report Vulnerabilities, please fill out the form here.