BMC Helix Data Handling policy

This topic outlines the policy for handling data in the BMC Helix services.

Customer data is any data that you enter into the system during onboarding activities and normal use of services. This data can contain information that should be managed as sensitive data. For example, in the healthcare industry, Personal Health Information (PHI) is considered sensitive data. BMC manages sensitive customer data by using the following guidelines:

• Customers retain ownership of their data at all times.
• Strong physical security mechanisms are in place at all BMC Helix facilities based on SSAE 18 (or equivalent) certified data centers. See Compliance for additional details.
• All external solution traffic over the web is secured using encryption.
• You are allocated a dedicated or shared environment depending on the services purchased. Environments leverage virtualization and/or containerization for the user interface and application server components.
• Your database is dedicated to your data (data is not mixed among customers or environments).
• The infrastructure and applications are configured to account for security standards using a hardening process to reduce security vulnerabilities.
• Monitoring is in place to alert you of any suspected or actual data breaches.
• Periodic penetration tests are performed to identify any potential or actual security issues.
• The operational and support organizations employ the separation of duties security principle to ensure that only the resources required to support the solution have access to specific data.
• Periodic internal and external security audits are run on the systems to identify any vulnerabilities.
• For the production environment, BMC deletes system-generated non-customer data on a weekly basis for the following subscription services: BMC Helix Digital Workplace, BMC Helix ITSM, and Smart IT.