Barracuda Networks understands the importance of your data and takes steps to secure and protect it while in our cloud. Our policies regarding data ownership and protection are focused on providing you with confidence that your data remains secure and under your sole control.
Barracuda personnel are expected to be competent, thorough, helpful, and courteous stewards of customer information that is stored on Barracuda products and in Barracuda datacenters. Barracuda has established a number of measures to ensure that customers and their data are treated properly.
Barracuda complies with any portions of HIPAA or the HITECH Act that are directly applicable to Barracuda. In particular, the Barracuda Cloud safeguards replicated data in such a way as to satisfy HIPAA’s Security Rule. Customers wishing to establish a Business Associate relationship with Barracuda per 45 CFR 164.502(e) and 164.504(e) should request a Business Associate Agreement from Barracuda. The Business Associate Agreement defines commitments that Barracuda will make to maintain HIPAA and HITECH compliance as required.
All employees are required to accept and acknowledge in writing Barracuda’s policies for nondisclosure and protection of Barracuda and third party confidential information, including acceptable use of confidential information. In the course of assisting customers with their technology solutions, Barracuda support technicians understand that they may come into contact with customer communications and/or customer data and they must keep this information confidential.
Technicians who support Barracuda products are prepared in a variety of ways. New tier 1 technicians receive class time training with tier 2 technicians and the support management team. New support technicians also spend a period of time as an understudy to an established technician for each product in which they intend to become certified. Product knowledge is tested and established through formal online training and all technicians are expected to meet a pre-defined standard before supporting customers directly.
All Barracuda support technicians receive ongoing training in product-specific training sessions.
When an employee or contractor leaves Barracuda, a formal process is in place to immediately revoke physical and network access to Barracuda facilities and resources.
Barracuda leases space in a number of data centers worldwide. Each Barracuda data center is equipped with the following:
Controlled access systems requiring key-card authentication
Video-monitored access points
Climate control systems
Waterless fire-suppressant systems
Redundant power (generator backup, UPS, no single point of failure)
Redundant Internet connectivity
ISO and/or SOC II certified.
Knowing the geographic location of their data is important for customers operating in regulated industries or in countries with data protection laws. Barracuda understands that some customers must maintain their data in a specific geographic location, such as within the European Union or within countries that are members of the Asia-Pacific Economic Cooperation (APEC) forum.
To that end, Barracuda maintains a network of cloud-scale datacenters by geographic location around the globe, and verifies that each meets defined security requirements. However, not all Barracuda products are deployed in all regions. To determine where data for a particular Barracuda product is stored, please refer to the product-specific security document.
Data in the Barracuda Cloud is stored in a proprietary storage system developed and managed by Barracuda. This system maintains two copies of customer data to provide redundancy. In the United States, the two copies are stored in separate datacenter locations. Outside of the United States, the two copies are stored within the same location on separate storage systems.
Barracuda uses a defense-in-depth strategy and proprietary hardened software and operating systems to protect data and services. Barracuda conducts regular inspections to ensure the security of its systems.
Barracuda products provide a number of security features to ensure that only authorized users can access and operate the products. These features may vary by product. For more information, please refer to the product-specific security document.
Barracuda Central is the 24/7 security center operated by Barracuda Networks to monitor and block the latest Internet threats. Data collected at Barracuda Central is analyzed and used to create definitions for automatic Energize Updates that fuel the Barracuda products.
BarracudaCentral.org is dedicated to providing technical insight for security professionals. By sharing data, BarracudaCentral.org aims to build a strong community to collectively fight the latest Internet threats.
Data stored in the Barracuda cloud is our customers’ data and we protect their right to make decisions about that data and we are transparent about what happens to that data. With the Barracuda Cloud, you are the owner of your customer data.
Customer data is defined as all data, including text, sound, video, or image files and software, that you provide to Barracuda, or is provided on your behalf.
Barracuda will use your customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services.
You can access your customer data at any time and for any reason without assistance from Barracuda. We restrict access to it to Barracuda personnel and subcontractors. We provide simple, transparent data-use policies.
We do not use customer data for advertising
Except as set forth below, Barracuda does not share customer data with our advertiser- supported services, nor do we mine it for marketing or advertising.
In addition to providing the service and day-to-day operations, Barracuda may use your data for the following:
Troubleshooting aimed at preventing, detecting, and repairing problems affecting the operation of services
Ongoing improvement of features, such as those that improve the reliability of our services, or involve the detection of, and protection against, threats to the services or customer data (such as malware or spam)
Providing personalized customer experiences
Contacting you about new products and services
Furthermore, the Barracuda Cloud uses systems that are kept logically separate from internal systems run by Barracuda.
We use logical isolation to segregate each customer’s data from that of others
Barracuda cloud services are multi-tenant services, meaning that your data, deployments, and virtual machines may be stored on the same physical hardware as that of other customers. When data from many customers is stored at a shared physical location, Barracuda logically segregates storage and processing for different customers through specialized technology engineered specifically for that purpose.
We also take strong measures to protect customer data from inappropriate use or loss and to prevent customers from gaining access to one another’s data.
We provide simple, transparent data-use policies and get independent audits
Our subcontractors are contractually obligated to meet our privacy requirements
Barracuda may hire other companies to provide limited services, such as data colocation services. We provide customer data as required to deliver the services we have retained them to provide. Subcontractors are prohibited from using customer data for any other purpose, and they are required to maintain the confidentiality of our customers’ information.
Subcontractors who handle customer data in Barracuda Cloud services must enter into additional agreements with Barracuda that subject them to data protection terms.
Subcontractors who handle Barracuda Cloud customer data in their own facilities are required to set up and follow privacy standards equivalent to our own.
Barracuda personnel are granted access only when necessary under management oversight. Barracuda personnel will use customer data only for purposes compatible with providing you the services, which can include customer support and troubleshooting the service.
Barracuda may hire other companies to provide limited services. Subcontractors can access customer data only to deliver the services we have hired them to provide. Subcontractors are prohibited from using customer data for any other purpose, and are required to maintain the confidentiality of our customers’ information.
The operational processes and controls that govern access to and use of customer data in the Barracuda Cloud are regularly verified. Barracuda regularly performs sample audits to attest that access is only for legitimate business purposes. Strong controls and authentication help limit access to customer data to authorized personnel only. When access is granted, whether to Barracuda personnel or our subcontractors, it is carefully controlled and logged, and revoked as soon as it is no longer needed.
Barracuda imposes carefully defined requirements around government and law enforcement requests for customer data. We will not disclose data hosted in the Barracuda Cloud to a government agency except as you direct or where required by law. When we receive a government or law enforcement request for customer data, we attempt to redirect the third party to obtain the requested data from our customer.
Barracuda follows strict standards and specific processes for removing customer data from all systems under our control.
You can retrieve a copy of your customer data at any time and for any reason without any assistance or notification required from Barracuda.
If you, the customer, terminate your subscription or it expires (except for free trials), Barracuda will store your customer data in a limited-function account for 30 days (the retention period) to give you time to export the data or renew your subscription. During this period, Barracuda provides multiple notices, so you will be amply forewarned of the upcoming deletion of data
After this 30-day retention period, Barracuda will disable the account and may delete all customer data at its discretion, including any cached or backup copies.
In the multitenant environments of Barracuda cloud services, we take careful measures to logically separate customer data to help prevent one customer’s data from leaking into the data of another customer, as well as to help block any customer from accessing another customer’s deleted data.
When a disk drive used for storage in the Barracuda Cloud suffers a hardware failure, it is securely erased or destroyed before Barracuda returns it to the manufacturer for replacement or repair. All of the data on the drive is completely overwritten to ensure that the data cannot be recovered by any means.
The Barracuda Cloud uses encryption to safeguard your data and help you maintain control over it.
When customer data moves over a network, the Barracuda Cloud uses industry- standard secure transport protocols between user devices and Barracuda datacenters, as well as within the datacenters themselves.
The Barracuda Cloud uses industry-standard encryption for data at rest in transit.
When governments or law enforcement make a lawful request for customer data from Barracuda, we are committed to transparency and limit what we disclose. Because Barracuda believes that customers should control their own data, we will not disclose data hosted in the Barracuda Cloud to a government or law enforcement agency except as you direct or where required by law.
We believe that you should control your own data. Barracuda does not give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct, or as required by law.
When we receive a government or law enforcement request for customer data:
We always attempt to redirect the third party to obtain the requested data from our customer
For valid requests that we are not able to redirect to the customer, we disclose information only when we are legally compelled to do so, and we always make sure that we provide only the data specified in the legal order.
In either case, requests may require the release of the customer’s basic contact information.
We do not provide any government with our encryption keys or the ability to break our encryption.
All users must be registered to access the Barracuda Cloud. Individual users must register using their name, and entity users must register under the legal name of their entity. You will be solely responsible and liable for any activity that occurs under your account.
You are solely responsible for the legality and appropriateness of your customer data uploaded or otherwise placed into the Barracuda Cloud.
Barracuda may immediately and without prior notice to You, remove any content or data, or suspend or cancel accounts if it becomes aware of any misuse or illegal actions associated with an account or user.
When using the Barracuda Cloud, you must not use the services to do any of the following things:
Copy or upload files or information unless you have a legal right to the files or information;
Probe, scan, or test the vulnerability of any system, or attempt to circumvent any security or authentication measures;
Access, tamper with, or use non-public areas of the Barracuda Cloud. or attempt to access or search the Barracuda Cloud. through nonpublic interfaces;
Attempt to disrupt any user or network by sending a virus, malware, overloading, flooding, spamming, or mail-bombing, or otherwise interfere with the use of other users;
Send unsolicited communications, promotions or advertisements, or spam;
Attempt to access another user’s account;
Send altered, deceptive or false source-identifying information, including “spoofing” or “phishing”;
Publish anything that is fraudulent, misleading, or infringes another’s rights;
Misrepresent yourself or affiliation with an entity; or
Publish or share materials that are offensive, defamatory, or unlawful.
The Barracuda Cloud services may be controlled for export purposes. You must comply with all United States export laws and regulations. You assume sole responsibility for any required export approval and/or licenses and all related costs and for the violation of any United States export law or regulation. If you are located in a country subject to embargo by the United States government, you are not entitled to use the Barracuda Cloud. services.