Commvault maintains robust security certifications, which you can learn more about on our documentation site here and here. Please note they do vary from product to product.

SOC2 reports can be downloaded by existing customers and partners directly from our from: support portals. Click here if you are a Commvault customer/partner and here if you are a Metallic customer/partner. If you are a prospective customer, please ask your Sales executive for a copy of the report – we will be happy to share this with you under a Mutual Non-Disclosure Agreement (MNDA).

We do not have access to your data when you use Commvault products installed on-premises. We may process limited (if any) personal data if we provide remote managed services, professional services, or technical support. For example, we may process personal data such as the business contact details of the person raising a customer support request (e.g., email address, telephone number). Our Master Terms & Conditions, which incorporate our Data Processing Agreement, include terms to cover this limited processing.

If the customer has subscribed for one of Commvault’s SaaS offerings where we also provide data storage (using AWS or Azure infrastructure), Commvault will be a data processor for the customer if the data that being stored includes personal data. To cover this, our SaaS Solution Terms & Conditions under our MTCs incorporates a DPA.

We never sell your data, nor do we give any third party (including law enforcement, other government entity, or civil litigant) direct or unfettered access to customer data except as you direct, as required by law (as per our Government Access Policy), or in accordance with our Privacy Policy.

Please visit gdpr compliance to learn more about how our solutions can help you achieve and maintain GDPR compliance.

To receive sub-processor updates via e-mail, please subscribe here. To find out more about how we meet our GDPR sub-processor and other applicable privacy requirements, please refer to our Data Processing Agreement found here.

Please reach out to privacy@commvault.com for any requests, queries, or complaints regarding your personal data.

For questions, comments, or feedback regarding Commvault’s privacy practices, contact us at privacy@commvault.com.

To report a security vulnerability in the product or get support on how to use a product security feature, please contact Commvault’s support team here. For all other questions, please visit our Contact us page.

With the recent announcement of the Volt Typhoon cyber campaign, as disclosed by Microsoft on May 24, 2023, our team has conducted a thorough security assessment of Commvault and Metallic services.

Upon our evaluation, we have found no impact to the security, privacy, or integrity of your data backups.

Commvault and Metallic solutions employ a multi-layered and zero-trust architecture, which include necessary controls to address this vulnerability.

Moving forward, we recommend that customers follow all Microsoft recommendations to address and defend against this cyber campaign.

We also recommend that customers check their Commvault and Metallic environment to ensure security controls such as the following are active:

• MFA is properly configured and up to date
• Dual authorization workflows are in place for backup and restore operations
• Compliance locks are enabled for services, apps, and backup destinations
• Additionally, for customers looking for an extra layer of protection, we encourage you to evaluate ThreatWise, capable of surfacing zero-day and unknown threats in production environments

We will continue to proactively monitor this matter and provide further updates as needed.