Schedule 7: Data Privacy
Barracuda is committed to helping protect the security of Customer Data. Barracuda has implemented, and will maintain and follow, appropriate technical and organizational measures intended to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss or destruction.
At Barracuda, we understand the importance of our customers’ personal and business data, and we take steps to secure and protect it whenever it is stored in our cloud or other infrastructure.
Barracuda’s policies regarding data ownership and protection are focused on providing its customers with confidence that their data remains secure and under their control. Barracuda has established a number of measures to ensure that its customers and their data are treated in a manner consistent with privacy principles.
1. Data Privacy Practices.
1.1. Data Processing. Barracuda processes personal and business data in accordance with the GDPR and other applicable laws. To the extent Barracuda processes personal data on behalf of Customer as a Processor, as defined by the GDPR, it shall do so only in accordance with Customer’s instruction and the Data Processing Addendum located online at https://assets.barracuda.com/assets/docs/dms/Data_Processing_Addendum_Processor_05172018.pdf.
1.2. Privacy Policy. Please refer to Barracuda’s Privacy Policy located online at https://www.barracuda.com/legal/privacy for information regarding how Barracuda uses, transfers and shares information collected by or provided to it.
1.3. Subprocessors. Barracuda may engage other entities to carry out specific processing activities on behalf of its customers or for data center facility management activities.
1.4. Customer Access to and Deletion of Data. Barracuda will retain Customer Data and information for so long as there is an active relationship unless otherwise prohibited by law. After expiration or termination of a Hosted Service or Subscription, Barracuda will disable Customer’s account and may delete Customer Data in its discretion or as required by law.
1.5. California Consumer Privacy Act (CCPA). Please refer to Barracuda’s CCPA Service Provider Attestation.
1.6. Barracuda Trust Center. For additional information on Data Privacy and Security Practices, please visit our Trust Center located online at https://www.barracuda.com/company/legal/trust-center.
2. Information Security Controls.
2.1. Information Security Management.
2.1.1 Barracuda shall have a security policy that explicitly addresses and provides guidance to employees and non-employee workers to ensure the security and confidentiality of Customer Data and systems maintained or processed by Barracuda. The policies shall be endorsed and backed by senior management and provide for, and clearly state, the appropriate ramifications for noncompliance.
2.1.2 Barracuda shall have resources to foster and focus on information security and compliance efforts. Barracuda will provide Customer, upon request, with contact details for Barracuda’s compliance representative.
2.1.3 Barracuda shall have information security policies (“ISP”) in place that provide a framework for information security management within its organization. The ISP shall include, at a minimum, Barracuda’s ISP, and Barracuda’s incident escalation procedures.
2.2. Personnel Practices.
2.2.1 Signed Confidentiality Agreements. Barracuda shall ensure that non-disclosure and/or confidentiality agreements are signed by all of its employees, non-employee workers, consultants, temporary workers and other persons (“Barracuda Resources”) who may have access to Customer Data.
2.2.2 Training in Security Practices. Barracuda shall cause Barracuda Resources to be made aware of, and be required to adhere to, its security policies.
2.3. Physical Security Controls. Barracuda shall have physical security controls in place to protect systems and facilities that contain any Customer Data including, at a minimum:
(i) Limiting access to premises and facilities (including, without limitation, the general working areas and computer installations) to authorized individuals;
(ii) Availability of adequate power;
(iii) Back up environmental controls such as heat ventilation and air conditioning systems; and
(iv) Adequate monitoring to protect computer installations.
2.4. Outsourcing. If Barracuda outsources activities or relies on third parties to fulfill IT or Security functions then the following shall be in place:
(i) Formal agreements that require security controls employed by the third party to be consistent with Barracuda’s security practices and subject to non-disclosure agreements; and
(ii) That Barracuda conducts third party reviews to assess the third party’s security.
2.5. Audit/Security Reviews.
2.5.1 Barracuda periodically conducts audits, assessments, testing of the system of controls and testing of information security procedures for all of Barracuda’s systems that contain any Customer Data. These periodic audits will be conducted at least annually through either (a) an internal yet independent function of Barracuda employees; or (b) an external independent auditor that is engaged by Barracuda.
2.5.2 Barracuda ensures that its security controls align to the NIST framework and maintains externally validated SOC 2 Reports as listed online at https://www.barracuda.com/company/legal/trust-center. The SOC 2 Report on Barracuda’s systems addresses security and more specifically that the system is protected against unauthorized access (both physical and logical).
3. Security Incident Notification(s). If Barracuda becomes aware of any unlawful access to any Customer Data stored on Barracuda’s equipment or in Barracuda’s facilities that results in the loss, disclosure or alteration of Customer Data (each a “Security Incident”), Barracuda will promptly: (a) notify Customer of the Security Incident; (b) investigate the Security Incident; and (c) take reasonable steps to mitigate the effects of, and minimize any damage resulting from, the Security Incident.
3.1. Security Incident notification(s) will be delivered to one or more Customer administrators by a means selected by Barracuda, including via email. It is Customer’s sole responsibility to ensure that its administrators maintain accurate contact information on each applicable Hosted Services portal. Barracuda’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Barracuda of any fault or liability with respect to a Security Incident.
3.2. Customer must notify Barracuda promptly of any possible misuse of its accounts or authentication credentials or any security incident related to a Hosted Service.
4. Barracuda Personnel. Barracuda personnel are granted access to Confidential Information and Customer Data only when necessary under management oversight. Barracuda personnel will use Confidential Information and Customer Data only for purposes compatible with providing Customer the Hosted Services, which can include customer support and troubleshooting the Hosted Service, and are obligated to maintain the security and confidentiality of any Confidential Information and Customer Data. This obligation continues even after the end of a Customer’s use of the Hosted Services.
5. Additional Information. Additional information about Barracuda’s security and privacy practices is located at https://www.barracuda.com/company/legal/trust-center.
6. Reporting. If Customer has a concern related to the privacy or security of the information entrusted to Barracuda, please contact us. Customer may use Barracuda’s privacy web form located online at: https://www.barracuda.com/company/contact, or send an email to legal@barracuda.com.
Revised: March 1, 2020