Commvault: Your Data Protected
In the face of millions of threats and billions of vulnerabilities, the only way to protect anything is to protect everything. As your trusted partner, Commvault’s data security, protection, and privacy help you address the ever-changing threat landscape and regulatory environment to move forward with confidence.

OVERVIEW
No matter where your data resides, Commvault can ensure it’s secure, defended, protected, and encrypted.
We adhere to industry-leading standards so our organization – and yours – remain compliant.
We align with industry best practices to prioritize the confidentiality, integrity, and availability of your data.
We respect your privacy and are committed to providing transparency into our data management practices.
COMPLIANCE
Industry Standards and Certifications
Commvault meets the most stringent industry standards and security certifications to ensure our customers’ data confidentiality, integrity, and availability are fully protected in accordance with US and international standards.
- FIPS 140-2 Compliant
  Validates cryptographic modules for encryption and document processing for handling sensitive data.
  Note: FIPS 140-3 pending CMVP review.
- ISO/IEC 27001:2013 Certified
  Establishes international standards for managing risks to the security of information.
  Applicable for Metallic and Remote Managed Services (RMS) Platform.
- NIST 800-53 CP9 & CP10 Compliant
  Establishes standards for contingency planning and configuration management to maintain the security of information systems and protect sensitive data from unauthorized access or modification.
- VPAT 2.0 – WCAG and 508 Compliant
  Describes the accessibility of Commvault Solutions in conformance with Section 508 of the Rehabilitation Act of 1973.
- SOC 2 Type II Certified
  Assesses ability to meet overall security policies, including availability, processing integrity, confidentiality, and privacy standards.
  Applicable for Metallic and RMS.
- FedRAMP High
  The most stringent confidentiality, accessibility, and availability standards set forth for US government contractors and agencies. See Metallic Government Cloud for more information.
  Applicable for Metallic.
- Center for Internet Security Benchmarks
  Establishes standards for configuring and safeguarding IT systems, software, and networks.
- PCI Certified
  Provides security standards and criteria for the acceptance, processing, storage, and transmission of credit card information.
  Applicable for Metallic.
- CJIS
  Provides data security standards for organizations handling criminal justice and law enforcement-centric data.
  Applicable for Metallic.
For more information on Commvault’s certifications and compliance, visit our documentation site here.
SECURITY
In a data-driven world, security is everything
For any business today, data is the most important asset you have. Security is more than table stakes; it’s the heart of your business—and ours. Commvault’s Information Security Program provides the information needed for our management and board of directors to make well-informed decisions on our overall information security strategy to protect our data—and yours.
How we keep your data secure
We follow industry best practices to continuously monitor security threats and remediate data risks in a single cloud-based experience while leveraging built-in intelligence to stay ahead of threats. Additionally, we help customers integrate security into products from the planning stage through design, development, testing, and deployment.
A proactive approach to security and compliance
Our information security governance framework allows us to:
- Categorize, prioritize, and mitigate risk and threats
- Identify, remediate, and recover from incidents
- Understand our risk posture and maturity levels
- Adopt a risk-based approach to our security footprint
Pillars of our Information Security Governance Framework
PRIVACY
Proven Protection. No compromises.
See why our customers trust us to enable secure experiences
Commvault is committed to supporting our customers’ compliance with data protection laws, and prioritizes the privacy and security of the data we protect with our entire product suite.
SOLUTIONS
From zero trust to zero loss
Future-proof protection starts with zero-trust security to safeguard endpoints, SaaS applications, and hybrid cloud environments from loss.
Frequently Asked Questions (FAQs)
SOC 2 reports can be downloaded by existing customers and partners directly from our support portals. Click here if you are a Commvault customer/partner and here if you are a Metallic customer/partner. If you are a prospective customer, please ask your Sales executive for a copy of the report – we will be happy to share this with you under a Mutual Non-Disclosure Agreement (MNDA).
We do not have access to your data when you use Commvault products installed on-premises. We may process limited (if any) personal data if we provide remote managed services, professional services, or technical support. For example, we may process personal data such as the business contact details of the person raising a customer support request (e.g., email address, telephone number). Our Master Terms & Conditions, which incorporate our Data Processing Agreement, include terms to cover this limited processing.
If the customer has subscribed to one of Commvault’s SaaS offerings where we also provide data storage (using AWS or Azure infrastructure), Commvault will be a data processor for the customer if the data being stored includes personal data. To cover this, our SaaS Solution Terms & Conditions under our MTCs incorporate a DPA.
We never sell your data, nor do we give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct, as required by law (as per our Government Access Policy), or in accordance with our Privacy Policy.
Please visit GDPR compliance to learn more about how our solutions can help you achieve and maintain GDPR compliance.
Please reach out to privacy@commvault.com for any requests, queries, or complaints regarding your personal data.
For questions, comments, or feedback regarding Commvault’s privacy practices, contact us at privacy@commvault.com.
To report a security vulnerability in the product or get support on how to use a product security feature, please contact Commvault’s support team here. For all other questions, please visit our Contact us page.
Security Notices and Alerts
With the recent announcement of the Volt Typhoon cyber campaign, as disclosed by Microsoft on May 24, 2023, our team has conducted a thorough security assessment of Commvault and Metallic services.
Upon our evaluation, we have found no impact to the security, privacy, or integrity of your data backups.
Commvault and Metallic solutions employ a multi-layered and zero-trust architecture, which includes necessary controls to address this vulnerability.
Moving forward, we recommend that customers follow all Microsoft recommendations to address and defend against this cyber campaign.
We also recommend that customers check their Commvault and Metallic environment to ensure security controls such as the following are active:
- MFA is properly configured and up to date
- Dual authorization workflows are in place for backup and restore operations
- Compliance locks are enabled for services, apps, and backup destinations
- Additionally, for customers looking for an extra layer of protection, we encourage you to evaluate ThreatWise, capable of surfacing zero-day and unknown threats in production environments
We will continue to proactively monitor this matter and provide further updates as needed.