Security Overview

Barracuda understands the importance of your data and takes steps to secure it. Our policies regarding customer data are focused on providing you with confidence that your data remains secure.

The Barracuda security team implements technical and organizational controls, via internal policies, procedures, and oversight activities, to protect and secure customer data and confidential information. For more product-specific security information, customers can request a copy of the relevant SOC 2 audit report.

Barracuda Technical and Organizational Controls

Platform Security and Oversight

Barracuda uses a defense-in-depth strategy and proprietary hardened software and operating systems to protect data and services. Barracuda conducts regular inspections to ensure the security of its systems.

Barracuda Employees’ Commitment to Security

All Barracuda employees accept and acknowledge Barracuda’s policies for nondisclosure and protection of Barracuda and third-party confidential information, including the acceptable use of confidential information.

Least Privileged Access to Customer Data

While customers can view their own data within the products at any time, Barracuda restricts access by Barracuda personnel and subcontractors through a role-based access control approach.

Role-based access controls grant Barracuda personnel access to customer data only when necessary to provide our products and services to our customers.

Barracuda subcontractors are granted limited access to data only to deliver the services we have hired them to provide. Subcontractors are prohibited from using customer data for any other purpose and are contractually required to maintain the confidentiality and security of customer information.

When an employee or contractor leaves Barracuda, a formal process is in place to immediately revoke physical and network access to Barracuda facilities and resources. 

The operational processes and controls that govern access to and use of customer data are routinely verified. Barracuda regularly performs sample audits to attest that data access is for legitimate business purposes. Strong controls and authentication limit access to customer data to authorized personnel only. When access is granted, whether to Barracuda personnel or our subcontractors, it is carefully controlled, logged, and revoked as soon as it is no longer needed.

Technical Support Data Access Training

Barracuda support technicians may come into contact with customer data and confidential information while providing technical assistance at the customer’s request. These technicians undergo comprehensive training with management oversight to ensure proper data protection and security procedures. Technicians are certified on a per-product basis and their product knowledge is tested through formal online training. All technicians must meet a pre-defined standard before supporting customers directly. Barracuda support technicians also receive ongoing training in product-specific sessions.

Data Location Transparency

Barracuda understands that transparency in data storage locations is essential for customers operating in regulated industries or in countries with stringent data residency requirements. Barracuda maintains tenants on a network of cloud-scale data centers in various geographic locations around the globe. Depending on the product, customers may have the option to choose the region in which to store their data at rest. Some products only allow customer data to be stored in data centers in the United States. For more information about a particular Barracuda product’s data storage, please refer to the Product Guide.

All transfers of personal data outside of the European Union, the UK, and Switzerland are subject to authorized transfer mechanisms. See our Privacy page for more information on data transfers.

Redundancy and Segregation

Barracuda provides for data redundancy (i.e., live replication) in SaaS products (where applicable). Data is segregated between production and non-production settings. For more information regarding redundant data storage and data segregation, please see the applicable Product or Service Description on the Product Guide.

Customer Data Encryption

Customer Data is encrypted at rest and in transit. Please see the specific Product or Service Description on the Product Guide for information regarding encryption.

Security Incident Notification

If Barracuda becomes aware of any security event that results in the loss, disclosure, or alteration of the Customer Data stored by Barracuda (“Security Incident”), Barracuda will promptly (1) notify the relevant Customer of the Security Incident; (2) investigate the Security Incident; and (3) take reasonable steps to contain and mitigate the effects of the Security Incident.

Barracuda will notify the customer of relevant Security Incidents by a means selected by Barracuda, including via email. Customer must ensure that accurate administrator contact information appears on each applicable Cloud Services portal. Barracuda’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Barracuda of any fault or liability with respect to a Security Incident.

Customers should notify Barracuda promptly of any suspected or known misuse of their Barracuda accounts or authentication credentials or any other security incident related to a Barracuda product or service.