Data Processing and Data Transfers

Enterprise Software Products and Services

Understanding personal data and its lifecycle throughout our organization.

We are a company with global software operations and customers located in many different countries around the world. Depending on the actual use of our software by our customers and the services we provide we are considered a data processor under the General Data Protection Regulation (GDPR) or other applicable laws. As such we manage and ensure compliance with a unified corporate-wide and global approach.

Customer CCPA Supplement


Customers who are subject to the California Consumer Privacy Act (CCPA) and require entering into service provider terms with us should download and countersign our pre-executed CCPA Customer Supplement. This Supplement fulfills all the requirements of the CCPA and contains clauses that are specific to our lines of business. These specific terms are required to ensure that the use of our services will not under any circumstance be considered as involving any sale of data in the meaning of the CCPA. This is an important assurance both for our customers and for ourselves, which is why our Supplement should be used.


Data Processing Addendum


Where we are a data processor, we act under our data processing addendum (DPA). This addendum sets out our commitment to privacy and security when processing personal data in connection with the provision of products and services and addresses the transfer of personal data outside of the EEA, United Kingdom and Switzerland.


Data Processing Addendum - GDPR


Binding Corporate Rules, Standard Contractual Clauses, Privacy Shield


As a data controller we hold Binding Corporate Rules for Controllers as a method for transferring data globally, including but not limited to marketing data, contract data and HR information of our employees.

As a data processor we have implemented intercompany Standard Contractual Clauses among the CA affiliates located in the EEA (as data exporters) and CA affiliates located outside the EEA (as data importers) as well as Broadcom’s affiliates to safeguard personal data transfers as a data processor or Subprocessor. View our list of CA subsidiaries and third party Subprocessors.

To cover transfers of personal data to the United States, we have self-certified to the principles of the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce.


Information Security


Our information security program is a holistic approach that considers every aspect of how we may collect, store, secure, use or dispose of your data.



Our Information Security Practices document outlines the current policies, procedures and safeguards we have implemented to achieve this as well as relevant certifications. As technology evolves these will be subject to change without further notice.




In the event that personal data is included in a support case, see below how it is typically processed when providing technical support for CA software.





See below how personal data is typically processed in a SaaS environment and learn more about our SaaS solutions.



If you have any questions, please send an email to