Compliance: Data security and data privacy

May 2021

NetApp has a long-held and ongoing commitment to compliance with the ever-evolving set of global, regional, and data security and privacy standards and regulations. We uphold this commitment through self-assessments and rigorous audits by independent accredited third parties. These audits validate the adherence of our products and services to the requirements of such standards as ISO/IEC 27001, the GDPR, NIST SP 800-171, and the Common Criteria. These assessments help demonstrate NetApp’s integration of internationally recognized processes and best practices in our business, enabling customers to use our products and services regardless of their compliance needs.

NetApp supplies information for each compliance offering (listed at left) that includes a list of in-scope software and hardware and links to the relevant certificates and auditor’s reports.

Get a complete list of all NetApp services, hardware, and software that comply with global, regional, and industry-specific data security, engineering, and privacy regulations and standards governing the collection and use of data. 

NetApp is committed to respecting consumers’ privacy rights and operating in compliance with global data privacy laws, including the California Consumer Privacy Act (CCPA) and its expansion, the California Privacy Rights Act (CPRA). Our contractual commitments to legal compliance, include our Privacy Policy and customer contracts. These are based on whether we are collecting customers’ personal data or acting as a service provider to customers who are collecting personal data. We back these contractual commitments with processes and policies designed to comply with the CCPA and CPRA.

NetApp ONTAP data management software is the first enterprise-class storage solution validated by the Commercial Solutions for Classified (CSfC) Program. It enables enhanced security protection for data at rest at both the hardware and software layers. The CSfC Program is a key component of the U.S. National Security Agency (NSA) commercial cybersecurity strategy. It validates commercial products that meet the rigorous security requirements for protecting classified secret and top-secret data.

Continuing a certification tradition dating back to 2005, when NetApp Data ONTAP was first certified, NetApp has achieved Common Criteria (ISO/IEC 15408-1:2009) certification for its storage software and hardware products. Independent accredited testing laboratories audited NetApp products and certified their compliance with Common Criteria. NetApp government and government contractor customers can rely on our Common Criteria certification for their purchasing requirements.

NetApp ONTAP was first certified in 2005, and NetApp systems were most recently certified in December 2019 by the U.S. Defense Information Systems Agency (DISA). DISA placed in-scope NetApp products on the U.S. Department of Defense Information Network Approved Products List (DoDIN APL). Certification of NetApp products to the DoDIN APL enables U.S. defense agencies and organizations supporting the defense industrial base to use them with confidence.

Through Microsoft Azure and Azure Government, Azure NetApp Files® obtained a P-ATO from the Joint Authorization Board (JAB), the primary governance body for FedRAMP. Azure NetApp Files maintains a P-ATO at both High and Medium Impact Levels for Azure commercial cloud services and a High Impact Level for Azure Government cloud services. All organizations, including those outside the public sector, have the assurance that Azure NetApp Files is designed to meet the controls of NIST SP 800-53.

FIPS 140-2 is a U.S. government standard that sets security requirements for cryptographic modules in hardware, software, and firmware, and NetApp offers cryptographic modules that have achieved FIPS 140-2 validation. NetApp offers a variety of hardware, software, and services and therefore takes a variety of approaches to FIPS 140-2 compliance. For example, for covered software, NetApp includes cryptographic modules that have achieved level 1 validation for the encryption of data in transit and at rest.

NetApp maintains a comprehensive strategy for compliance with data privacy laws, including the EU General Data Protection Regulation (GDPR). We back our commitments through organizational and engineering measures designed to respect the rights of data subjects and securely process personal information in compliance with the GDPR and our European regulators. Whether your enterprise is a data controller or data processor, NetApp products and services offer the tools necessary to implement programs that support your compliance with the GDPR. We back these commitments with a number of customer contracts.

Customers managing data regulated under the Health Insurance Portability and Accountability Act (HIPAA) can take advantage of a variety of NetApp products and services for storage management.

To support the HIPAA compliance of NetApp services , Net App relies on our SOC 2 Type 2 certifications by an independent third party. SOC 2 reports offer assurance to customers that NetApp controls reasonably protect the confidentiality and privacy of user information processed by NetApp systems. NetApp solutions with SOC 2 Type 2 reports may also be available to covered entities or business associates for their management of protected health information. 

Annually, NetApp engages an accredited certification body, which has certified that the NetApp Information Security Management System demonstrates conformance to the ISO 27001 standard. Our auditor has verified that NetApp policies, procedures, and controls maintain the privacy, security, integrity, and availability of information.

NetApp maintains information systems that store controlled unclassified information (CUI) and attests to our compliance with the control requirements of NIST SP 800-171 in the relevant contracts. The appropriate treatment of CUI forms the basis of our contractual commitments under the Defense Federal Acquisition Regulation Supplement (DFARS). NIST SP 800-171 controls have been incorporated into acquisition regulations and are, therefore, often a requirement for any nonfederal entity that stores, processes, or transmits CUI for the U.S. government.

NetApp products and services are audited regularly against the SOC 2 (AT Section 101) standard by an independent certified public accountant firm and services auditor. They examined NetApp in-scope cloud and managed services, and affirmed that they have achieved SOC 2 reports based on the applicable Trust Services Criteria.