Barracuda Networks understands the importance of your data and takes steps to secure and protect it while in our cloud. Our policies regarding data ownership and protection are focused on providing you with confidence that your data remains secure and under your sole control.
Barracuda personnel are expected to be competent, thorough, helpful, and courteous stewards of customer information that is stored on Barracuda products and in Barracuda data centers. Barracuda has established a number of measures to ensure that customers and their data are treated properly.
Privacy and Control Mechanisms
All employees are required to accept and acknowledge in writing Barracuda’s policies for nondisclosure and protection of Barracuda and third-party confidential information, including acceptable use of confidential information. In the course of assisting customers with their technology solutions, Barracuda support technicians understand that they may come into contact with customer communications and/or customer data and they must keep this information confidential.
Technicians who support Barracuda products are prepared in a variety of ways. New tier 1 technicians receive class time training with tier 2 technicians and the support management team. New support technicians also spend a period of time as an understudy to an established technician for each product in which they intend to become certified. Product knowledge is tested and established through formal online training and all technicians are expected to meet a pre-defined standard before supporting customers directly.
All Barracuda support technicians receive ongoing training through product-specific sessions.
When an employee or contractor leaves Barracuda, a formal process is in place to immediately revoke physical and network access to Barracuda facilities and resources.
Architecture and Infrastructure Security
Storage Facility Standards
Barracuda leases space in a number of data centers worldwide. Each Barracuda data center is equipped with the following:
- Controlled access systems requiring key-card authentication
- Video-monitored access points
- Intrusion alarms
- Locking cabinets
- Climate control systems
- Waterless fire-suppressant systems
- Redundant power (generator backup, UPS, no single point of failure)
- Redundant Internet connectivity
- ISO and/or SOC II certified
Knowing the geographic location of their data is important for customers operating in regulated industries or in countries with data protection laws. Barracuda understands that some customers must maintain their data in a specific geographic location, such as within the European Union or within countries that are members of the Asia-Pacific Economic Cooperation (APEC) forum.
To that end, Barracuda maintains a network of cloud-scale data centers by geographic location around the globe, and verifies that each meets defined security requirements. However, not all Barracuda products are deployed in all regions. To determine where data for a particular Barracuda product is stored, please refer to the product-specific security document.
Data in the Barracuda Cloud is stored in a proprietary storage system developed and managed by Barracuda. This system maintains two copies of customer data to provide redundancy. In the United States, the two copies are stored in separate data center locations. Outside of the United States, the two copies are stored within the same location on separate storage systems.
Barracuda uses a defense-in-depth strategy and proprietary hardened software and operating systems to protect data and services. Barracuda conducts regular inspections to ensure the security of its systems.
Access to your data
You can access your customer data at any time and for any reason without assistance from Barracuda. Barracuda restricts access to Barracuda personnel and subcontractors.
Barracuda Personnel: Barracuda personnel are granted access only when necessary under management oversight. Barracuda personnel will use customer data only for purposes compatible with providing you the services, which can include customer support and troubleshooting services.
Barracuda Subcontractors: Subcontractors can access customer data only to deliver the services we have hired them to provide, are prohibited from using customer data for any other purpose, and are required to maintain the confidentiality of our customers’ information.
The operational processes and controls that govern access to and use of customer data in the Barracuda Cloud are regularly verified. Barracuda regularly performs sample audits to attest that access is only for legitimate business purposes. Strong controls and authentication help limit access to customer data to authorized personnel only. When access is granted, whether to Barracuda personnel or our subcontractors, it is carefully controlled and logged, and revoked as soon as it is no longer needed.
Separation of your data
Barracuda takes strong measures to protect customer data from inappropriate use or loss and to prevent customers from gaining access to one another’s data. The Barracuda Cloud uses systems that are kept logically separate from internal systems run by Barracuda.
Barracuda cloud services are multi-tenant services, meaning that your data, deployments, and virtual machines may be stored on the same physical hardware as that of other customers. When data from many customers is stored at a shared physical location, Barracuda logically segregates storage and processing for different customers through specialized technology engineered specifically for that purpose. We take careful measures to logically separate customer data to help prevent one customer’s data from leaking into the data of another customer, as well as to help block any customer from accessing another customer’s deleted data.
Ensuring Control and Security of Your Data
The Barracuda Cloud uses encryption to safeguard your data and help you maintain control over it.
When customer data moves over a network, the Barracuda Cloud uses industry-standard secure transport protocols between user devices and Barracuda data centers, as well as within the data centers themselves.
The Barracuda Cloud uses industry-standard encryption for data at rest and in transit.
When a disk drive used for storage in the Barracuda Cloud suffers a hardware failure, it is securely erased or destroyed before Barracuda returns it to the manufacturer for replacement or repair. All of the data on the drive is completely overwritten to ensure that the data cannot be recovered by any means.
HIPAA Business Associate
Barracuda complies with any portions of HIPAA or the HITECH Act that are directly applicable to Barracuda. In particular, the Barracuda Cloud safeguards data in such a way as to satisfy HIPAA’s Security Rule. Customers wishing to establish a Business Associate relationship with Barracuda per 45 CFR 164.502(e) and 164.504(e) should request a Business Associate Agreement from Barracuda. The Business Associate Agreement defines commitments that Barracuda will make to maintain HIPAA and HITECH compliance. Please refer to our self-service portal to request a BAA.
Security Incident Notification
If Barracuda becomes aware of any unlawful access to any Customer Data stored on Barracuda’s equipment or in Barracuda’s facilities that results in the loss, disclosure or alteration of Customer Data (each a “Security Incident”), Barracuda will promptly (1) notify Customer of the Security Incident; (2) investigate the Security Incident; and (3) take reasonable steps to mitigate the effects of, and minimize any damage resulting from, the Security Incident.
Security Incident notification(s) will be delivered to one or more Customer administrators by a means selected by Barracuda, including via email. It is Customer’s sole responsibility to ensure that its administrators maintain accurate contact information on each applicable Cloud Services portal. Barracuda’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Barracuda of any fault or liability with respect to a Security Incident.
Customer must notify Barracuda promptly of any possible misuse of its accounts or authentication credentials or any security incident related to a Cloud Service.