Cohesity’s next-gen data management platform supports intelligent IT operations to unlock data value for operational efficiency and innovation. The Cohesity threat defense architecture provides extensive safeguards to detect and thwart cyberattacks.

Cohesity maintains rigorous product security standards and inspects their adoption across every phase of its product lifecycle. By following industry best practices and including security features and functionality, Cohesity delivers secure, highly functional products and services to its customers.

Secure By Design

Cohesity follows fundamental security principles including but not limited to: secure by default, secure failure, and secure implementations of cryptographic algorithms. To ensure the targeted security posture, compliance, and certification of its products as new features are developed, Cohesity aligns the product design with current security best practices.

Secure Development

Development teams at Cohesity engage with a dedicated Product Security team during the design and planning stages of the development lifecycle. Cohesity's Product Security team makes recommendations for the adoption of secure design patterns, performs threat modeling, defines applicable security standards, and sets security requirements.

Security Assurance

Cohesity’s platform and infrastructure are regularly subjected to security testing and hardening to enhance security. The OS and components are specifically configured to meet security hardening requirements including Center for Internet Security (CIS) benchmarks and US Department of Defense Security Technical Implementation Guide (STIG) configuration standards.

Security Standards and Programs

Cohesity aligns to industry-standard frameworks for vulnerability management, secure product development lifecycle management, and incident response.

Security Training

Cohesity provides its developers, architects, development managers, release managers, QA engineers, and product managers with security training and resources to incorporate security practices throughout the product development lifecycle. Cohesity conducts quarterly secure coding training covering security best practices in product development that is mandatory for all engineers.

Responsible Disclosure Standards

Cohesity follows industry best practices to discover, investigate, and address vulnerabilities through the product lifecycle using a risk-based approach. Cohesity's dedicated Product Security team promptly investigates and responds to all reports of potential security vulnerabilities, and Cohesity's product incident response plan supports analysis, mitigation, and remediation of vulnerabilities in its products. The plan also covers responsible disclosure processes when issues are reported by third-party researchers, customers, or partners.

Reporting Issues

Customers, partners, and third-party researchers may report vulnerabilities in Cohesity products and services by contacting Cohesity Security.

Cohesity maintains rigorous security, privacy, and resiliency standards for its Cohesity-managed cloud services and software as a service (SaaS) offerings. Learn about the key practices that Cohesity follows to keep the Helios platform, services, and customer data secure and available at all times.

Helios Administration

Customers may administer the cloud-based Helios platform that provides centralized management and analytics for customers’ self-managed products and services (Helios management service).

Depending on the Cohesity product or service deployed, usage of the Helios management service will be either mandatory or optional for the customer.

Security Architecture and Tenant Isolation

In the Helios data management environments, the management and data services are logically segregated from one another.

The Cohesity-managed Helios services are natively multitenant, with each tenant implemented as a unique organization. Organizations are logically segregated, and an organization’s resources, such as data, policies, and administrators, are restricted to the organization to which they belong.

Dedicated tenant data repositories ensure customer data is isolated from other customers.

Cloud Infrastructure

Cohesity ensures logical security by deploying access control based on Zero Trust principles to prevent unauthorized access or compromise of its cloud infrastructure, including the Helios management service and Cohesity-managed data management services.

Customer Authentication and Access Control

The Helios management service provides customers a broad set of controls to manage user accounts and their assigned access in accordance with strong security standards and their own security policy. In every tenant organization, an admin user manages the other users in that organization. Organization admins can add and manage users through role-based access controls (RBAC). The principles of least privilege and separation of duties can be applied through fine-grained control over standard and custom-defined roles. Tenant admins can also integrate the Helios management service with existing identity providers. This enables each organization to apply its specific authentication controls for password policy, multifactor authentication (MFA), and more.

Employee Authentication and Access Control

Cohesity maintains a highly restrictive approach to internal access to Helios management services. Access is granted on a strict need-to-know basis related to the job responsibility for managing and maintaining the system. Cohesity adheres to the principles of least privilege and separation of duties, and applies internal access and authorization controls. Before a user can log in to a particular role, they must meet established qualification criteria and obtain documented management approval in every case. A unique user ID and multifactor authentication are required for all Cohesity users.

Data Isolation

For the Helios management service, each tenant's data and metadata are logically segregated and isolated from those belonging to other tenants. For the Cohesity-managed data management services, unique storage repositories are allocated to each tenant, ensuring that content from one tenant is never shareable with or accessible by other tenants.

Data Resiliency and Availability

The Helios management service maintains an availability rate of 99.9% (three 9s), not inclusive of scheduled or emergency maintenance windows. Helios data management services rely on Amazon Web Services (AWS) S3 service in customer-defined regions spanning across a minimum of three availability zones, each separated by many miles within the same AWS region. The AWS S3 service guarantees 99.999999999% (eleven 9s) of data durability. In the event of a disaster scenario, the Helios management service can recreate data stored in the data management service using just the data stored in S3.

Data Encryption

All customer data, both metadata in the Helios management service and data in the data management services themselves, is encrypted at rest and in flight using strong, industry-standard encryption algorithms and protocols.

Infrastructure Attack Defenses

Cohesity has several measures in place to address distributed denial of service (DDoS), intrusions, and malware attacks. These safeguards are built into the monitoring infrastructure that we have implemented to manage the Helios environment. Cohesity uses firewalls to monitor connections constantly and detect anomalies. As anomalies are detected, Cohesity blocks and evaluates the connection into the Helios control plane environment. The servers, containers, and infrastructure within the Helios control plane environment are monitored for vulnerabilities, with remediation occurring on a regular basis.

Data Center Security

Cohesity’s Helios management service and data management services are hosted in Amazon Web Services (AWS). For more information about AWS data center security controls, please visit https://aws.amazon.com/compliance/data-center/controls/.

Business Continuity and Disaster Recovery

Cohesity maintains a business continuity plan covering business operations and disaster recovery response. We regularly assess risks to the business and apply appropriate treatment plans to bring risks within acceptable levels. The plan identifies critical business processes, documents threats that could cause business disruption, and addresses recovering connectivity and supporting systems to ensure Cohesity’s obligations to its customers can be met.

Vulnerability Management

Cohesity has a threat and vulnerability management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans, penetration testing or identification by Cohesity personnel. Threats are ranked based on severity level and assigned for remediation as needed.

Monitoring and Alerting

Helios implements continuous monitoring for both the security and availability of the service.

Monitoring is a function of every service, with key performance indicators and metrics built in from the start. Dashboards and metrics are tracked by the monitoring and response teams. Alerts are designed in the development process. Alerts are reviewed by the cloud operations team and the development teams to ensure that thresholds are set and monitored while deploying to production.

Cohesity's corporate security practices demonstrate our commitment to ensuring the security, safety, and compliance of Cohesity and customer assets. Cohesity takes the security of our customers’ information very seriously, and the execution of the controls outlined here demonstrates how we establish trust with our customers, partners, and others.

Information Security Organization

Led by Cohesity's CISO and overseen by the Cohesity Security Council, Cohesity Information Security is a dedicated team of professionals with the mission of ensuring the security, safety, and compliance of Cohesity systems, processes, data, and personnel as well as the assets entrusted to us by our customers.

Information Security Policies

Cohesity's Information Security policy suite covers the organization, its personnel, and information assets. The policies are aligned with industry standards and include domains such as security organization, acceptable use of assets, access controls, and information classification and handling. Policies are reviewed regularly by Cohesity Information Security and updated as appropriate.

Security Awareness Training

Cohesity Information Security is responsible for establishing information security training requirements and ensuring that all personnel complete training and understand their responsibilities. Information security training is built into our new-hire onboarding experience and annual retraining is required. Training is augmented with regular presentations, communications, and learning sessions on particular topics. Where appropriate, business units will receive specialized training for their roles and job responsibilities, such as members of the engineering team receiving regular training covering security principles and secure development practices.

Cyber Risk Management

Cohesity leverages a Cyber Risk Management Program to identify, prioritize, and manage risks to its IT assets, including system infrastructure, networks, endpoints, data, and intellectual property. Through its Cyber Risk Management Program, Cohesity identifies internal and external cyber risks, the likelihood of them occurring, and their potential impact. Cohesity collaborates with risk owners to mitigate and remediate risks, in accordance with Cohesity’s risk appetite.

Vendor Risk Management

Cohesity’s Vendor Risk Management Program reviews and validates the security posture of its third-party vendors prior to onboarding and conducts follow-up assessments in accordance with the established vendor tier. Cohesity manages and monitors vendor security risks through its risk management program in alignment with Cohesity’s security posture, customer commitments, and applicable regulatory requirements.

Threat Intelligence and Vulnerability Management

Cohesity Information Security maintains a Vulnerability Management Program, which identifies vulnerabilities and partners with control owners to remediate them, helping reduce threats to Cohesity’s products and infrastructure. In addition, penetration testing is conducted against applicable Cohesity assets, and remediation is prioritized to optimize Cohesity’s security posture.

Incident Response

Cohesity Information Security maintains an Incident Management Policy with procedures that provide the structure and guidance for our response operations. The incident response procedures of this policy provide the steps to be followed by Cohesity personnel to ensure the quick detection of security events and vulnerabilities as well as to promote rapid response to security incidents, including identifying, assessing, containing, mitigating, and recovering from incidents.

Personnel Security

Upon employment, background checks are conducted. Personnel also receive and acknowledge the company Code of Conduct, policies, and non-disclosure agreements.

Physical Security

Cohesity office locations are physically secured with guards or lobby personnel. Badged access controls are centrally managed and maintained. Access to secured areas requires escalated privileges. Camera systems are in place. All locations have 24x7x365 gated and guarded entry, employ camera and lighting systems, and require badged access for named individuals. Cohesity is SOC 2 certified, and the SOC 2 report can be provided upon request.

Cohesity follows personal data confidentiality guidelines and processes personal data in accordance with applicable data protection laws and regulations. All personal data remains the property of the customer. Information on Cohesity’s security compliance and certifications can be found here. Moreover, our Data Processing Addendum (available at www.cohesity.com/agreements) specifies numerous legal, technical, and organizational protections which apply to our customers where applicable.

Privacy Policy

Our privacy policy is available at www.cohesity.com/agreements.

Processing Locations

Cohesity may process personal data outside of the European Economic Area (EEA). An example of this processing may be the provision of 24/7 support services if the customer chooses to share personal data with Cohesity. The legal mechanisms used to allow for such data transfers are the standard contractual clauses (SCC), as further detailed in Cohesity’s Data Processing Addendum available at www.cohesity.com/agreements.

Support Locations

Cohesity currently has support centers in the USA, Ireland, India, Canada, and Japan.

Cross-border Data Transfer

Cross-border data transfers are addressed in detail in our Data Processing Addendum available at www.cohesity.com/agreements.

Compliance with International Regulations

Cohesity processes personal data in accordance with all applicable data protection laws and regulations, including laws and regulations of the European Union (GDPR), the European Economic Area and their member states, Switzerland and the United Kingdom, the California Consumer Privacy Act (CCPA), and the Personal Information Protection and Electronic Documents Act (Canada) in each case as and to the extent applicable to Cohesity as a matter of law with respect to the processing of personal data. More information may be found in our Data Processing Addendum available at www.cohesity.com/agreements.

Data Processing Agreement

Cohesity’s Data Processing Addendum is available at www.cohesity.com/agreements. It applies automatically to all customers using Helios SaaS and is incorporated into Cohesity’s Helios SaaS Terms of Service (also available at www.cohesity.com/agreements). Customers who believe that the Data Processing Addendum should apply to other activities should contact Cohesity Legal.

Cohesity maintains a comprehensive security certification program designed to protect our customers’ data confidentiality, integrity, and availability in accordance with industry, US government, and international standards. Cohesity's products and services have also been certified by independent third-party auditors to meet various security standards.

SOC 2 Type II Report

The Cohesity Helios SaaS platform undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls as they relate to the security, availability, and confidentiality of the Trust Services Criteria.

HIPAA

Cohesity's products and services adhere to the security benchmarks and requirements that are aligned with Health Insurance Portability and Accountability Act (HIPAA) guidelines.

Trade Agreements Act Compliance

Cohesity complies with the Trade Agreements Act (TAA) and hardware ships from San Jose, California. Cohesity white label systems are manufactured and assembled in designated countries that are TAA-compliant.

National Defense Authorization Act of 2019

Cohesity complies with Section 889 of the National Defense Authorization Act of 2019.

US Department of Defense Information Network Approved Products List

The Cohesity platform has been certified by the Defense Information Systems Agency (DISA), an agency within the US Department of Defense (DoD), for inclusion on the DoD Information Network (DoDIN) Approved Products List (APL). The DoDIN APL is a single, consolidated list of products that have met stringent cybersecurity and interoperation certification requirements for deployment on DoD networks.

FedRAMP

FedRAMP is a U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. government. This security compliance framework aims to protect U.S. citizens’ data in the cloud.

View Cohesity's FedRAMP status here.

Authorization to Operate

Cohesity maintains Authorizations to Operate (ATOs) for its products to operate within highly classified US Department of Defense (DoD) agency networks, US Department of Energy (DoE) networks, and US intelligence community networks. Security Technical Implementation Guides (STIGs) are available for Cohesity products for deployment on DoD Top Secret networks.

Common Criteria EAL2+

The Cohesity platform is Common Criteria certified at EAL2+ ALC_FLR.1. Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria) is an international standard (ISO/IEC 15408) for computer security certification.

More details can be found here.

NIST FIPS 140-2 Cryptographic Module Validation

The cryptographic module employed within Cohesity's products has been validated by the United States National Institute of Standards and Technology (NIST) at the Federal Information Processing Standards (FIPS) 140-2 Level 1 standard. FIPS 140-2 is a US government standard for cryptographic modules providing assurances that the module design and implementation of cryptographic algorithms are secure and correct.

More details can be found here.

IPv6

The Cohesity platform has been certified by the University of New Hampshire-InterOperability Lab (UNH-IOL) as USGv6 compliant as part of the USGv6 test program.

More details can be found at https://www.iol.unh.edu/registry/usgv6-2008?name=cohesity.

SEC 17a‐4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d)

The Cohesity platform has built-in support for write-once, read-many (WORM) functionality. Its WORM implementation has been assessed by Cohasset Associates as compliant with SEC 17a‐4(f), FINRA Rule 4511(c), and CFTC Regulation 1.31(c)-(d).

More details can be found here.

The following resources provide Cohesity customers and partners with more details about Cohesity's security and privacy practices across its products and services.

Data Protection Addendum

Cohesity offers a Data Processing Addendum (DPA) for customer GDPR or CCPA compliance needs.

Subprocessor List

Cohesity may use third parties as (sub)processors of personal data in order to provide our services.

Products and Services Documentation

The Cohesity documentation portal may be accessed from MyCohesity.

Helios SaaS Security Brief

The Helios SaaS Security Brief may be found on the Cohesity documentation portal.

DataPlatform Security Whitepaper

The DataPlatform Security white paper may be found on the Cohesity documentation portal.

DataPlatform Security Hardening Guide

The DataPlatform Security Hardening Guide may be found on the Cohesity documentation portal.

Cohesity Ransomware Protection – Prepare and Recover

The Cohesity Ransomware Protection – Prepare and Recover white paper may be found on the Cohesity documentation portal.
