VMware controls the access rights based on the principle of least privilege, which means only the minimum level of access required is granted. Access is provided according to the individual job functions and requirements. Appropriate levels of management authorize the access rights to computers and information systems and before the rights are granted. Managing access to information systems is implemented and controlled through centralized identity stores and directories.

Internal audits are performed annually under the VMware ISMS program. VMware uses internal and external audits to measure the conformance and effectiveness of the controls applied to reduce risks associated with the information security, and identify areas of improvement. Audits are essential to the VMware continuous improvement program.

VMware has a comprehensive sourcing and vendor risk management process to select providers that meet VMware requirements including security provisions. Supplier agreements ensure that providers are in compliance with the applicable laws, security, and privacy obligations.

As a customer, you are responsible for using the VMware solution in compliance with relevant laws and regulations. The VMware ISMS process documents and tracks non-conformance, and also monitors supplier performance and escalates issues if necessary. To ensure information security across your information supply chain, VMware also conducts risk assessments annually to ensure that appropriate controls exist to reduce the risk related to the confidentiality, integrity, and availability of sensitive information.

The VMware audit and assessment program performs reviews on subprocessing agreements. VMware monitors audit reports and certifications to review risk management and governance processes, and effectiveness of applicable controls.

VMware has made Service Level Agreement (SLA), Terms of Service, Data Processing Addendums, and Privacy notices publicly available at vmware.com/download/eula.