Resource Centre Blog Open Source Partners
Search
Products
Knowledge Base
Support Downloads
Articles
suggested searches
Products Solutions Innovation Support About
Open
By Type External Hard Drives Internal Hard Drives External SSDs Internal SSDs Enterprise Hard Drives & SSDs Data Storage Systems Enterprise Storage Services
By Category Personal Storage Devices Gaming Storage Devices Creative Professional Network Attached Storage (NAS) Video Analytics Cloud, Edge & Data Centre Hyperscale & Cloud
By Brand LaCie
By Use Case Backup & Recovery Big Data Analytics (AI/ML) Cloud Backup Data Migration Data Transfer High Performance Computing (HPC) Storage as a Service Video Analytics
By Environment Edge Multicloud Private Cloud Public Cloud Hyperscale & Cloud
By Partner IBM AWS Commvault Veeam VMWare Milestone Equinix EVS NI View All Seagate Technology Partners
By Industry Autonomous Vehicles Healthcare Media & Entertainment Surveillance & Security Telecommunications Geosciences & Energy
lyve-infrequent-access-nav-banner
Learn more

Perspectives Storage for the AI Era Why Areal Density Matters Composable Infrastructure Decarbonizing Data Report
Data Storage Innovations Mozaic 3+ Platform MACH.2 Multi-Actuator Hard Drives Seagate Secure
Data Management Innovations Circularity Program Open-Source Developer Community
Factory AI Innovations Smart Manufacturing AI Enhanced Automated Vision System Autonomous Monitoring Augmented Code Development Singapore Dream Factory
decarb-data-report-nav-banner
Read the report

General Support Home Product Support Seagate Software Downloads LaCie Software Downloads Seagate Product Registration LaCie Product Registration
Warranty & Data Recovery Warranty & Replacements Data Recovery Services Report Fraudulent Products
Enterprise Seagate Systems Support Lyve Mobile Support Lyve Cloud Support
Read the Article
Read the article

Our Story Leadership Team Board of Directors ESG Trust Centre Product Security Quality Assurance
Join our Seagate Team Life at Seagate Seagate Culture Employee Resource Groups University Programmes
Investors
News Resources Press Room Seagate Stories Blog Seagate Brand Portal
Mozaic 3+

Seagate Legal

Security Requirements

Seagate and Company have entered into an agreement for the purchase of goods and/or services in the form of a master agreement, purchase order, or other contracting document which incorporates these Security Requirements by reference (collectively the “Agreement”).  All defined terms in the Agreement will retain their original meaning unless otherwise defined in these Security Requirements.  All references in the Agreement to “Seagate”, “Client”, “Customer” or similar references, will refer to the Seagate company identified in the Agreement. All references in the Agreement to “Provider”, “Contractor”, “Company”, or similar references, will refer to the Company identified in the Agreement.  

COMPANY AGREES TO THE FOLLOWING SECURITY REQUIREMENTS:

  1. DEFINITIONS
    1. External Solution” means any service, application, software, or service managed and hosted by a third-party provider outside of Seagate's internal infrastructure. The External Solution is responsible for all maintenance, updates and security. Seagate accesses the External Solution over the internet and relies on the External Solution for system performance, availability and support.
    2. Seagate Data” means any data, including Seagate Personal Information (defined below), intellectual property, trade secrets, or other data, created, owned, or provided by Seagate or for Seagate, that Company has access to, obtains, uses, maintains, or processes in connection with any agreement(s) between the parties and/or their Affiliates.   
    3. Seagate Personal Information” means any information that relates to an identified or identifiable natural person, which is created, owned, or provided by Seagate or for Seagate, that Company has access to, obtains, uses, maintains, or processes in connection with any agreement(s) between the parties and/or their Affiliates.  
    4. Seagate Data Privacy Agreement” means the terms located at: https://www.Seagate.com/legal-privacy/electronic-and-physical-security-and-data-protection/.  Provided however, if the parties agreed to data privacy terms other than the Seagate Data Privacy Agreement as defined herein, then the references to Seagate Data Privacy Agreement will refer to the mutually agreed upon data privacy terms in the Agreement.  
    5. Security Breach” means (a) the failure by the Company to properly handle, manage, store, destroy, or otherwise control, or the unauthorised access or disclosure by the Company of: (i) Seagate Data in any format; (ii) third party corporate information in any format specifically identified as confidential and protected under a confidentiality agreement or similar contract; or (iii) of the Services password directory; (b) an unintentional violation of the Company’s privacy policy or misappropriation that results in the violation of any applicable data privacy laws or regulations; (c) any other act, error, or omission by Company in its capacity as such which is reasonably likely to result in the unauthorised disclosure of Seagate Data.
    6. Seagate Systems” means any network or computing equipment, applications or software programs that Seagate provides or makes available to Company (or its subcontractors or agents) in connection with the performance of the Agreement or any other agreements with Seagate including but not limited to engineering and manufacturing equipment, testing equipment, network gear, computer systems, software and the configuration parameters specified or implemented by Seagate for the proper functioning of the Seagate Systems or the delivery of the Services.
    7. Enclave System” means Seagate-managed equipment deployed inside Company-designated sites (e.g., manufacturing locations, configuration areas). A Seagate Enclave securely extends Seagate's internal network into a Company site via Seagate-managed firewalls and Network Access Control (NAC) switches. These switches enforce stringent connection policies, restricting connectivity exclusively to registered assets, such as Seagate-authorised devices and systems. This Seagate-controlled environment within Company facilities enables Seagate assets and devices to securely communicate directly with Seagate's corporate network.
    8. Non-Enclave System” means scenarios where Company-designated users access applications remotely without Seagate managed/owned physical equipment at their sites. This includes two distinct scenarios:
      1. Non-Enclave with VPN Tunnel: Certain Company-designated locations maintain direct, outbound-only VPN tunnels for specialised use-cases, such as sending print jobs from Seagate internal systems directly to Company-owned printers located at Company sites, which are not managed or controlled as Seagate network assets. These VPN tunnels strictly support outbound traffic only.
      2. Non-Enclave without Direct Network Connection: Company-designated networks that remain completely isolated from Seagate’s network, with access limited to Seagate hosted, Internet-facing platforms like Citrix Workspace or other secure web-based portals. In this scenario Company is provisioned access via Business Partners Account Services (“BPAS”) system and, no direct network-layer connection exists between Seagate and the Company's infrastructure.
  2. GENERAL DATA SECURITY REQUIREMENTS
    1. The Company shall establish and maintain a comprehensive Written Information Security Program (“WISP”) that includes technical and organisational security safeguards designed to protect Seagate Data (as defined in the Security Exhibit) from accidental, unauthorised, or unlawful use, destruction, loss, alteration, disclosure, access, or other unauthorised processing. The WISP must comply with any requirements specified in agreements with Seagate, including the Seagate Data Privacy Agreement. Upon request, the Company shall provide Seagate with a copy of its WISP, including any updates during the engagement period. The WISP, along with relevant services, controls, and processes, must align with industry standards and recognised security frameworks such as SOC 2, ISO 27001, or NIST to ensure comprehensive risk management, data protection and regulatory compliance.
  3. REQUIRED REPORTS AND CERTIFICATIONS
    1. SOC 1 Type 2 Report. If Company provides Services involving Seagate Data related to financial reporting, then Company must provide Seagate with a SOC 1 Type 2 report for such Services. This report must cover the Company’s standards and controls specific to the services provided. The Company shall deliver a copy of the SOC 1 Type 2 report to Seagate (a) prior to the commencement of services and (b) annually, no later than June 15th each year. The report must cover at least 9 months of Seagate’s fiscal year and be delivered to Seagate within 90 days after the period covered by the report.
    2. SOC 2 Type 2 Report. If Company provides Services involving External Solutions, then Company must provide Seagate with a SOC 2 Type 2 report for such Services. This report must cover the Company’s standards and controls specific to the services provided. The Company shall deliver a copy of the SOC 2 Type 2 report to Seagate (a) prior to the commencement of services and (b) annually upon request.
    3. SOC Bridge Letters. Upon request, provide SOC bridge letters to confirm the continuity of security controls between SOC audit periods.
    4. ISO 27001. If Company provides Services involving External Solutions, then Company must provide ISO 27001 certifications upon request for Services involving External Solutions.
    5. ISO 20243. If Company is: a) providing a commercialized product to Seagate for use in the building, testing, manufacturing or supporting of Seagate products; or b) performing services on Seagate's commercialized products, then Company will obtain a certification of compliance with ISO 20243, also known as the Open Trusted Technology Provider Standard (O-TTPS) Certification, mitigating maliciously tainted and counterfeit products. It will be either a self-assessed certification or based on the assessment of a reputable independent auditor (sufficiency of which is assessed in Seagate’s sole discretion). Alternatively, if Company requests in writing and Seagate approves in writing, Company will obtain a certification of compliance with a substantially equivalent industry standard addressing secure development and supply chain practices.
    6. PCI Compliance. If Company provides Services involving payment card processing, Company must provide evidence validating compliance with PCI Data Security Standards upon request.
  4. SEAGATE DATA
    1. Security Policies and Procedures. Maintain policies that ensure Seagate Data is securely collected, hosted, transmitted, and stored to prevent unauthorised access, theft or disclosure.
    2. Data Integrity. Ensure that Seagate Data remains intact, complete, and current during processing, transmission, and storage, with no unauthorised alterations.
    3. Logical Data Segregation. In multi-tenant environments, ensure Seagate Data is securely segregated using industry-standard techniques like partitioning, containerization, and micro-segmentation, ensuring that each tenant can only access their own data.
    4. Access Control. Access to Seagate Data shall be restricted through Role-Based Access Control (RBAC), granting users, third-party vendors, and tenants only the access needed for their specific roles. Quarterly reviews will be conducted to ensure permissions align with current responsibilities, and segregation of duties will be enforced to maintain least privilege.
    5. Data Environment Segregation. Seagate Data shall not be used in test or development environments.
    6. Monitoring and Logging. Continuous monitoring, logging, and auditing of access to Seagate Data shall be enforced to detect and respond to unauthorised activities in real-time.
    7. AI Data Security and Confidentiality. The AI system shall follow industry-standard security practices to protect the confidentiality, integrity, and availability of all data, including Seagate Data. Seagate Data will be securely stored, encrypted during transmission and at rest, and handled in compliance with relevant privacy regulations. Seagate Data shall not be used to train or improve AI models without explicit consent.
    8. Data in Transit. Ensure Seagate Data transmitted over networks is encrypted using TLS 1.3.
    9. Data at Rest. Encrypt Seagate Data at rest using secure algorithms (e.g., AES-256), using unique encryption keys for each customer or dataset.
    10. Data Export. Provide Seagate Data in an accessible format upon request for up to 90 days after contract termination.
    11. Data Deletion. Securely destroy Seagate Data within 90 days after confirming migration or a decision not to migrate. Provide Seagate a signed certificate of destruction upon request.
    12. Retention Obligations. Notify Seagate if legally required to retain data and destroy or return it once the obligation ends.
    13. Data Requests. Comply with Seagate’s data requests for audits, investigations, or as required by law.
    14. Location Notification. Upon request, provide Seagate with the locations where Seagate Data is stored and processed.
  5. SECURITY BREACH
    1. Breach Notification. Notify Seagate as soon as practicable ([email protected]), but in no case later than 72 hours, of detecting any Security Breach. The notification must include the nature of the breach, affected systems, compromised data and mitigation steps.
    2. Security Manager. Assign designated personnel with clear roles to manage security obligations.
    3. Access to Security Personnel. Provide Seagate access to appropriate security personnel for reviewing and resolving security-related issues.
  6. SUBCONTRACTORS AND SUB-PROCESSORS
    1. Sub-Contractor Due Diligence and Audit Requirements. Ensure subcontractors agree in writing to adhere to the Company’s information security obligations.
    2. Liability. The Company remains fully liable for the actions of its subcontractors and sub-processors, guaranteeing their performance and ensuring that they meet all security, privacy, and contractual obligations related to the processing of Seagate Data.
    3. Third-Party Application and Sub-Processor Disclosure. Upon request, provide Seagate with a detailed and current list of all third-party applications, platforms, or services, including sub-processors, involved in processing or interacting with Seagate Data or providing services related to Seagate operations.
    4. Risk Assessments. The Company will regularly assess, evaluate, and document the security posture of all subcontractors and sub-processors handling Seagate Data, ensuring any identified risks are promptly mitigated. Reports of such assessments will be made available to Seagate upon request.
  7. IDENTITY MANAGEMENT
    1. Federated Authentication and SAML SSO. Require Seagate’s IdP (Azure) federated authentication using the SAML v2.0 standard for all services that support it.
      1. Single Sign-On (SSO). Integrate with Seagate’s SSO using SAML v2.0 where applicable.
      2. Token and Session Management. Validate authentication tokens and securely manage sessions, ensuring session tokens are protected and properly invalidated upon logout.
    2. Non-Federated Authentication. If the Company's services do not support the SAML v2.0 Federation standard, the following alternative measures must be met:
      1. Authentication and Authorisation. Securely authenticate and authorise users before access is granted.
      2. Strong Passwords. Secure passwords using encrypted databases and strong hashing algorithms such as bcrypt or PBKDF2. Passwords must be at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters
      3. Password Change Requirement. Require users to change default passwords and passwords provided as part of a password reset process upon initial login.
      4. MFA. Provide multi-factor authentication (MFA) as part of Seagate user authentication.
    3. Secure Communication. Use secure communication protocols for all authentication-related communications — such as those transmitting credentials, authentication tokens, or session identifiers — and ensure they are encrypted using TLS 1.3 or higher.
    4. Access Control. Implement role-based access control for both federated and non-federated authentication.
    5. Compliance and Monitoring. Log and monitor all authentication events involving Seagate users.
  8. ENVIRONMENT AND EQUIPMENT
    1. Physical Security. Restrict physical access to facilities housing Seagate Data or Seagate Systems, including data centres and critical infrastructure, to authorised personnel only. Implement visitor logs, access monitoring, secure access controls (e.g. biometric or badged access), climate control, fire safety and 24/7 video surveillance systems.
    2. MFA. Company shall enforce MFA using TOTP or U2F keys for local and remote access to systems hosting Seagate Data.
    3. System Security and Patch Management. Ensure all equipment, servers, and systems have up-to-date antivirus, timely security patches and system hardening. Critical patches must be applied within 7 days, with all other patches applied within 30 days.
    4. Monitoring and Auditing. Implement continuous monitoring of systems and conduct regular audits to ensure compliance with security policies and identify vulnerabilities.
    5. Incident Management. Maintain a security incident management process, including formal incident response phases and timelines.
    6. Change Management. Maintain a change management process that includes segregation of duties in change management, documentation, testing, review, and approval of changes to systems or infrastructure.
    7. Security Awareness and Training. Provide regular security awareness training for all personnel handling Seagate Data, covering topics such as data handling best practices, role-based security, phishing awareness and incident response.
  9. NETWORK SECURITY
    1. Network Security. Implement network security by ensuring that the principle of least privilege is enforced.
    2. Firewalls and ACLs. Configure firewalls and access control lists (ACLs), allowing only essential access and protocols for service provision.
    3. IDS/IPS. Deploy Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect and respond to suspicious activities.
    4. Logging. Maintain detailed logs of network activities for auditing and incident investigation.
    5. Key Management System (KMS). Securely manage encryption keys using a Key Management System (KMS) to ensure proper generation, storage, rotation and access control.
  10. VULNERABILITY AND RISK ASSESSMENTS
    1. Vulnerability Assessments and Penetration Tests (VA/PT). Conduct regular vulnerability assessments and penetration tests on applications and systems, internally or through third-party providers as necessary.
    2. Risk Assessments. Regularly evaluate potential risks to Seagate Data and internal systems, prioritising vulnerabilities based on severity.
    3. Immediate Mitigation. Promptly address any critical security vulnerabilities identified.
  11. AUDIT AND TEST 
    1. Seagate reserves the right to audit and test the Company’s processes, controls, privacy, and security measures to ensure the integrity, availability and confidentiality of the Services.
    2. Audits may include non-intrusive network scans without notice and technical tests (e.g., penetration, load, denial-of-service) with prior consent. Seagate will not access data belonging to other customers and may use third-party auditors under confidentiality obligations. The Company must promptly address any identified deficiencies.
  12. SEAGATE ENCLAVE REQUIREMENTS: In addition to Sections 1-11 above, the requirements listed in this Section 12 apply to Seagate Enclave Systems. 
    1. Physical Access Controls: Company shall provide Seagate a dedicated, separated room or secure cage with access controls to physically segregate Seagate Systems and Seagate Data from non-Seagate systems and data.
    2. Network Security.
      1. Company shall ensure that Seagate Systems are segregated from any Company systems, assets and technologies (including firewall, switches, testers, other devices) at the Company site.
      2. Company shall ensure that Seagate Systems will not be connected to Company or its other customers' networks other than through a Seagate approved and authorised VPN connection to the Company’s Internet Service Prover (“ISP”).
      3. Seagate may select a different ISP in its sole discretion upon written notice to Company.
    3. Systems Security. 
      1. Seagate will issue Company the equipment and infrastructure required to access Seagate Systems to perform the Services.
      2. Company’s a) use of or access to Seagate Systems, and b) use of any equipment provided (or approved by Seagate), will be solely to provide the Services set forth in the Agreement and any applicable SOWs and will comply with the terms thereof.
      3. Company will not modify, change, alter, remove or move any Seagate Systems including configuration settings, physical and/or logical network settings or network ports, power outlets, and any physical connections, without prior written approval from the Seagate Information Security Department at [email protected].
      4. Company will provide all IT support necessary for Seagate to remotely install and manage Seagate equipment such as firewalls, switches, servers, workstations etc.
    4. Decommissioning of Enclave.  Upon termination or conclusion of the Services, all Seagate Systems shall be returned to Seagate, unless otherwise directed by Seagate.  Any Seagate Data on Company systems or Seagate Enclave System must be securely and permanently destroyed, with a signed certificate of destruction provided upon request. In addition, if any equipment is not returned, Seagate reserves the right to charge a fee for the value of the equipment at the time.
  13. SEAGATE NON-ENCLAVE ACCESS REQUIREMENTS: In addition to Sections 1-11 above, the security requirements listed in this section 13 apply to Seagate Non-enclave systems:
    1. Access Limits. Access to Seagate Systems by Company is only permitted as required to perform the Services under the Agreement or any applicable Order Form or SOW. Seagate Systems and Seagate Data shall not be accessed, nor any access attempts be made, by Company without written authorisation from the Seagate Information Security Department at [email protected].Personal use of any Seagate Systems by Company is prohibited.
    2. VPN. Only Virtual Private Network (VPN) methods approved by the Seagate Information Security Department at [email protected]. shall be used by Company to access Seagate Systems from outside the Seagate network. Alternate methods of accessing Seagate Systems from public networks are prohibited.
    3. Software Licences. All software installed and used by Company for the purpose of fulfilling the obligations under the Agreement or providing the Services must be appropriately and legally acquired, licensed, and used in accordance with the applicable governing licence agreement. Company shall hold Seagate harmless, defend, and indemnify for any claim or action arising out of the use of such software in accordance with the indemnification obligations in the Agreement.
    4. Password Management. If applicable, passwords used by Company for use of Seagate Systems shall comply with Seagate’s password management standards and Company shall prevent disclosure of all such passwords to any unauthorised persons.
    5. Non-Seagate Systems Use. Company’s use of any non-Seagate Systems, including video conferencing equipment with electronic data transfer capabilities, may not be connected or used to communicate with Seagate or any Seagate Systems.
    6. Secure Locations. Company’s personnel will work solely at secure, authorised locations as set forth in Company’s processes and procedures.

DECARBONIZING DATA REPORT

Data centre sustainability in the AI era
About Seagate Our Story  ESG  Trust Centre  Quality Assurance 
Support  Product Support  Seagate Software Downloads  LaCie Software Downloads  Seagate Product Registration  LaCie Product Registration  Warranty & Replacements  Seagate Systems  Contact Us 
Press Resources Press Room  Seagate Stories  Blog  Seagate Brand Portal 
Investors 
Partners  Indirect Partners & Resellers  Seagate Training Portal  Seagate Direct & Suppliers  Seagate Technology Alliance Program 
Jobs  Life at Seagate  Seagate Culture  University Programmes 
Where to Buy  Product Finder 
facebook logo linkedin logo youtube logo x logo instagram logo
©2025 Seagate Technology LLC Legal Privacy Vulnerability Disclosure EU-GPSR Cookie Settings
Site Map