On 25 May 2018, the European Union General Data Protection Regulation (GDPR) becomes applicable. The GDPR attempts to unify data protection laws in Europe and certain of its rights and protections are having a global impact. This law sets a new standard for protection of an individual’s personal data and provides individuals specific rights to control the processing of their personal data.
VMware Cloud on AWS has been independently verified by Schellman & Company, LLC. to comply with the General Data Protection Regulation.
In the language of the GDPR, when providing services to its customers via the VMware Cloud on AWS service offering, VMware is acting as a data processor. VMware’s customers may perform customer-defined data processing activities in relation to their own data within the services, and in doing so act as data controllers. Data controllers may only appoint data processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets the requirements of the GDPR.
VMware Cloud on AWS meets the following requirements:
Personal data protection and commitments:
VMware Cloud on AWS is backed by the VMware Data Processing Addendum which sets out that VMware will comply with its processor obligations under the GDPR and that VMware will only process Personal Data in accordance with Customer’s instructions. The VMware Data Processing Addendum can be found here.
VMware’s activities as a processor are defined in the VMware Data Processing Addendum. Additionally, the VMware [Terms of Service] contains a Service Description and a Service Level Agreement that describes the roles and responsibilities of VMware as processor service provider and the obligations and rights of our customers. These legal documents can be found here.
VMware is also committed to assisting our customers in meeting their obligations of under applicable data laws (including the GDPR).
VMware takes customer privacy and security very seriously. VMware employs security and privacy experts throughout the company including our legal and compliance teams, information security organization, VMware Security Engineering, Communications & Response group (vSECR), VMware Security Incident Response Team (vSIRT), and our security operations center (SOC).
These teams collectively work together to build programs, policies, and practices to help identify, prevent, and remediate security vulnerabilities in our products and services. These programs are continuously reviewed and evolve based on our experiences, changes in the threat landscape, and industry observation and collaboration. The VMware Software Development Lifecycle is described in the VMware Product Security Whitepaper.
VMware has also developed service operations practices following industry best-practices including regular risk assessments, privacy reviews, intrusion and threat detection, user access reviews, continuous security monitoring, and third-party vulnerability, security, and compliance audits,
All VMware employees handling personal data that customers provide to VMware as a processor have signed confidentiality agreements, receive regular training on security, and are required to follow code of conduct and data handling policies.
VMware Cloud on AWS gives customers full control over their virtual machines and their content. Documentation exists along with additional tools and services to facilitate the migration of data. VMware Cloud on AWS natively runs VMware vSphere which stores customer data in a widely adopted virtual machine format, and vSphere natively supports the Open Virtualization Format (OVF), making it simple to download, clone, migrate, copy, port, or transfer workloads between environments.
Additionally, customer may use the VMware Hybrid Cloud Extension service for bulk migrations of virtual machine images between cloud providers. These capabilities make it simple to download, clone, migrate, copy, port, or transfer workloads.
The VMware Security Incident Response Team (vSIRT) is responsible for developing breach handling procedures, and forensics, and they handle incident management across VMware. The vSIRT team is notified by the Security Operations Center of any potential breach and participate in the investigation.
If VMware becomes aware of a security incident on VMware Cloud on AWS, VMware that leads to the unlawful disclosure or access to personal information provided to VMware as a processor, we will notify customers without undue delay, and will provide information relating to a data breach as reasonably requested by our customers. VMware will use reasonable endeavors to assist customers in mitigating, where possible, the adverse effects of any personal data breach.
VMware Cloud on AWS primarily utilizes Amazon Web Services (AWS) as our hosting provider and for Platform services. However, VMware may hire other companies to provide certain services on its behalf. VMware has agreements and data transfer mechanisms in place with each sub-processor that obligates the sub-processor to protect the personal data in a manner compliant with the standards set forth in data protection agreement.
VMware also provides customer with an easy mechanism to monitor changes to our list of Sub-processors. If you would like to receive notifications please visit this page here.
International Data Transfers
The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the European Union. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country outside of the European Economic Area. VMware has an intracompany model clause agreement established between the group of companies and offers customers to protect data transferred via agreements containing the standard contractual clauses established by the European Commission.
VMware Cloud on AWS customers expect transparency as well as independent verification of security, privacy, and compliance controls.
VMware Cloud on AWS has completed the Cloud Security Alliance CAIQ to provide transparency to the controls and processes in place to protect customers. This has been published here.
The VMware Cloud on AWS service also undergoes independent third-party audits on a regular basis to provide assurance to our customers that VMware has implemented industry leading controls. VMware Cloud on AWS has been audited for the most of the key industry certifications ISO 27001, ISO 27017, ISO 27018, SOC 1 (SSAE18 / ISAE 3402), SOC 2, SOC 3 and HIPAA.
# # #