VMware Cloud Services GDPR Update

On 25 May 2018, the European Union General Data Protection Regulation (GDPR) went into effect. The GDPR unifies personal data protection laws within the European Union, but many of its provisions have a global impact. This law sets a new standard for the protection of an individual’s personal data and gives individuals specific rights in relation to the processing of their personal data.

We are pleased to announce that the following VMware Cloud Service Offerings have completed GDPR service readiness audits, validating that all generally available services and features adhere to the VMware data protection program, which is designed to meet the requirements the GDPR places on data processors.

  • VMware Network Insight
  • VMware Cost Insight
  • VMware Log Intelligence
  • VMware Workspace ONE Horizon Cloud
  • VMware Workspace ONE Intelligence
  • VMware AppDefense
  • VMware Cloud Assembly
  • VMware Service Broker
  • VMware Code Stream

In the language of the GDPR, when providing services to its customers via these VMware Cloud Service Offerings, VMware is acting as a data processor. VMware’s customers may perform customer-defined data processing activities in relation to their own data within the services, and in doing so act as data controllers. Data controllers may only appoint data processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets the requirements of the GDPR.

The VMware Cloud Service Offerings listed above meet the following requirements:

Personal Data Protection and Commitments:

VMware Cloud Service Offerings are backed by the VMware Data Processing Addendum, which provides that VMware will comply with its processor obligations under the GDPR and that VMware will only process Personal Data in accordance with customers’ instructions. The VMware Data Processing Addendum can be found here.

VMware’s activities as a data processor are defined in the VMware Data Processing Addendum. Additionally, the VMware Terms of Service, which are applicable to all VMware cloud service offerings, incorporate a Service Description (and, for certain cloud service offerings, a Service Level Agreement) for the specific cloud service offering, that describes the roles and responsibilities of VMware as a data processor and the obligations and rights of our customers. These legal documents can be found here.

VMware is also committed to assisting our customers in meeting their obligations under applicable data laws (including the GDPR).

Security

VMware takes customer privacy and security very seriously. VMware employs security and privacy experts throughout the company including our legal and compliance teams, information security organization, VMware Security Engineering, Communications & Response group (vSECR), VMware Security Incident Response Team (vSIRT), and our security operations center (SOC).

These teams work together to build programs, policies, and practices to help identify, prevent, and remediate security vulnerabilities in our products and services. These programs are continuously reviewed and evolve based on our experiences, changes in the threat landscape, and industry observation and collaboration. The VMware Software Development Lifecycle is described in the VMware Product Security Whitepaper.

VMware has also developed service operations practices following industry best practices, including regular risk assessments, privacy reviews, intrusion and threat detection, continuous security monitoring, and third-party vulnerability, security, and compliance audits.

All VMware employees handling personal data that customers provide to VMware as a processor have signed confidentiality agreements, receive regular training on security, and are required to follow code of conduct and data handling policies.

Data Access and Control

Customers of VMware Cloud Service Offerings retain control of their content, and it is the customer’s responsibility to manage data classification methodologies for access control purposes and to their own requirements. VMware Cloud Service Offerings provide Role-Based Access Control (RBAC) so that customers can grant permissions to other users. Processes and procedures are in place to ensure management authorization is required prior to access provisioning. No third parties have access to the production environment or customer content.

Breach Notification

The VMware Security Incident Response Team (vSIRT) is responsible for developing breach handling procedures and forensics, and handles incident management across VMware. The vSIRT team is notified by the Security Operations Center of any potential breach and participates in its investigation.

If VMware becomes aware of a security breach on a VMware Cloud Service Offering that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information provided to VMware as a processor, we will notify customers without undue delay, and will provide information relating to a data breach as reasonably requested by our customers. VMware will use reasonable endeavors to assist customers in mitigating, where possible, the adverse effects of any personal data breach.

Sub-processors

VMware may hire companies, or sub-processors, to provide certain services on its behalf. VMware has agreements and data transfer mechanisms in place with each sub-processor that obligate the sub-processor to protect personal data in a manner substantially similar to the standards set forth in the customer’s agreement with VMware.

Sub-processing agreements are reviewed as part of the VMware audit and assessment program. A list of sub-processors for a particular VMware Cloud Service Offering is available here (select the relevant service under “Cloud Services Offerings” (e.g. VMware Cost Insight) → Sub-processors).

VMware also provides customers with an easy mechanism to monitor changes to our list of sub-processors. If you would like to receive notifications, please visit this page here.

International Data Transfers

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the European Union. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country outside of the European Economic Area. VMware has achieved Binding Corporate Rules (“BCR”) for personal data that it processes as a processor. Further information about VMware’s BCR may be found here.

The VMware Cloud Service Offerings listed below have also completed the Cloud Security Alliance CAIQ to provide transparency into the controls and processes in place to protect customers. This has been published here.

  • VMware Network Insight
  • VMware Cost Insight
  • VMware Log Intelligence
  • Wavefront by VMware
  • VMware Cloud Assembly
  • VMware Service Broker
  • VMware Code Stream

VMware does not compromise on users’ security, and their privacy is of utmost importance to us. We are committed to providing better products and services to our users with continuous technological developments.