CrashPlan

CrashPlan is committed to the security of your data.

CrashPlan includes the strongest data encryption, both in transit and at rest. You control the encryption keys and where your data is stored.

Security at CrashPlan

Security is a foundational principle at CrashPlan, covering confidentiality, integrity and availability. At CrashPlan we take a comprehensive approach to securing our products and protecting your data. We embed industry security standards in our processes, which are verified and validated by independent auditors and third parties, giving our customers assurance that their data is secure. CrashPlan provides you with peace of mind, knowing that:

  • Your data is encrypted both in transit and at rest.
  • You maintain control over the encryption keys.
  • CrashPlan maintains end-to-end control of the cloud stack, including software, storage and network hardware, and security components.
  • CrashPlan performs rigorous quality testing of platform and product code and follows industry security best practices.
  • CrashPlan leverages strong authentication protocols to ensure authorized customer access.
  • CrashPlan conducts ongoing vulnerability testing by professional third parties and internal teams.
  • CrashPlan personnel provide full-time monitoring of the CrashPlan cloud environment and maintain a dedicated response team.
  • CrashPlan conducts a comprehensive security awareness training program for all its personnel.

CrashPlan maintains compliance certifications and attestations on our product and infrastructure to validate our security program. Additionally, CrashPlan ensures and monitors appropriate security assurance obligations (SOC 1, SOC 2, ISO 27001) for our cloud data centers. Learn more about our compliance certifications and standards below.

*Other organizations, such as managed service providers and resellers, may provide cloud storage using CrashPlan cloud hardware and software. The information on this page may not apply to the cloud data centers managed by those organizations. Please contact those organizations for information about the features of their cloud solutions.

Data Privacy at CrashPlan

We are committed to the privacy and protection of our customers’ data.

Keeping your data secure and private is paramount to our success as a business. We follow global privacy principles to design practices and products that safeguard your data and enable your organization to meet its own privacy obligations.

Transparency

CrashPlan values trust and transparency.

Whether you are a prospective or existing customer, it’s important to us that we’re clear about our data practices.

The data protected by CrashPlan through our products is customer data that is owned and controlled by the customer. CrashPlan will only process that data in order to provide our services as described in our agreements and product documentation. In addition, CrashPlan processes and controls other information about potential and existing customers, including account-related information. For more details on how CrashPlan processes this data, please review our Privacy Statement.

CrashPlan does not and will not sell our customers’ data.

To provide our services, CrashPlan may engage and use sub-processors as part of our service offering. CrashPlan has a mature third-party security process to ensure your data remains secure and protected. We validate that sub-processors have the appropriate privacy and security safeguards and contractual agreements in place to protect your data.
View our Authorized Sub-processors.

Protecting your data

CrashPlan’s commitment to protecting customer data is built into our agreements. A Data Processing Addendum (“DPA”) is automatically incorporated into our Master Services Agreements. The DPA is based upon globally recognized privacy standards, including the GDPR, UK Data Protection Act, and CCPA.

CrashPlan supports international data transfers by executing standard contractual clauses through our updated DPA, which is available to all customers and can be viewed here.

We use industry security best practices that are regularly verified by external auditors. This includes end-to-end encryption of your files, customer-controlled access, and deletion of your files after your subscription ends.

Privacy in our product

  • Access controls. CrashPlan provides a variety of role-based access and permissions controls within the product which allow manual or automated (via an external Identity Provider) access delegation.
  • Audit logs. CrashPlan maintains both customer-facing and internal audit-logging to ensure proper monitoring of privileged accounts.
  • Data encryption. CrashPlan leverages independently tested industry best practices and protocols to ensure that all data backed up to the service is encrypted both in transit and at rest.
  • Retention and storage. CrashPlan allows you to control how and when backup operations take place, what files to include in and exclude from backup, the frequency of backups, and how long file versions should be retained.

Compliance at CrashPlan

Compliance is built into everything we do.

There are a myriad of compliance requirements across industries and geographies that our customers have to comply with. Our platform helps you maintain your compliance with regulations governing where and how your data is stored, who can access it, and how it is protected.

With CrashPlan, you are in control and have peace of mind knowing that our platform provides:

  • Layered data encryption.
  • Customer-controlled encryption keys.
  • Role-based access control.
  • Multi-Factor Authentication.
  • Control over data residency.
  • Simple enterprise-wide administration.
  • Tamper-proof audit trails.
  • Compliance with data export laws.
  • Permanent data deletion after your subscription ends.

Data recovery and resiliency are key components of most security and privacy regulations. CrashPlan helps its customers meet their applicable compliance and risk management requirements while meeting their data resiliency needs.

1. Will CrashPlan enter into a Data Processing Addendum?

CrashPlan has a Data Processing Addendum (“DPA”) that sets out our obligations and commitments related to the processing of customer data. The DPA can be found here. Our DPA is incorporated into our Master Services Agreements (“MSA”), which means it automatically forms part of our customer agreement.

2. Does CrashPlan’s DPA include GDPR or CCPA provisions?

Our DPA includes applicable privacy provisions to assist customers with their GDPR and CCPA compliance.

3. Does the GDPR require EU personal data to stay in the EU?

The GDPR does not require EU data to reside in the EU. It does require that certain regulatory and contractual conditions be met if personal data is transferred to a third country. CrashPlan provides the required contractual provisions in our DPA, which includes Standard Contractual Clauses as approved by the European Commission (“SCCs”) to lawfully transfer personal data outside the EU.

4. How does the Schrems II decision impact CrashPlan services?

Under the GDPR, companies that transfer personal data outside of the EU must have a legal basis to ensure the continued protection of such data. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield framework, which means companies can no longer rely on the framework to transfer personal data from the EU to the US. The CJEU confirmed the validity of the European Commission’s SCCs as a legal mechanism for the transfer of EU personal data. CrashPlan customers can rely on the SCCs, which are incorporated into our DPA.

5. How does CrashPlan handle government requests for access to customer data?

At CrashPlan, we are committed to maintaining customer privacy and confidentiality. Information about our policies and practices with respect to requests for customer data by law enforcement or government entities can be found here.

6. Does CrashPlan use sub-processors?

CrashPlan uses sub-processors in the performance of services that may require the transfer of customer data for purposes of hosting data, providing customer support, and ensuring the services are working properly. These sub-processors can include affiliates of CrashPlan as well as third-party organizations. As described in the DPA, CrashPlan takes responsibility for the actions of its sub-processors. Up-to-date information about our sub-processors can be found here.

7. Does CrashPlan comply with HIPAA?

CrashPlan has a Business Associate Agreement that we will enter into with any customer that has data regulated by the United States Health Insurance Portability and Accountability Act (“HIPAA”). For customers that have entered into contracts as a business associate with covered entities, CrashPlan also has a Subcontractor Business Associate Agreement.

Compliance Certifications

CrashPlan holds current, up-to-date, accredited certifications in the form of the SOC 2 Type 2, the ISO/IEC 27001 Certification, and we are also Star Level One certified. If you would like access to our SOC 2 or ISO 27001 certification as a new customer, please contact us at security@crashplan.com.

Compliance Whitepapers

These documents provide key information related to how CrashPlan helps our customers maintain their compliance requirements. For more information on CrashPlan Security and Compliance, please reach out to security@crashplan.com.

Privacy Documents

CrashPlan complies with the following Privacy Regulations:
CCPA, GDPR, UK DPA 2018

For more information around CrashPlan’s privacy practices, contact us at privacy@crashplan.com.

Protect the data that matters most.

Lock in your data so you can always stay moving. We can help.