Data Security: Physical and Environmental Controls


Oracle Global Physical Security is responsible for defining, developing, implementing, and managing all aspects of physical security for the protection of Oracle’s employees, facilities, business enterprise, and assets.

Preventive Controls: Protecting Oracle Assets and Employees

Oracle has implemented the following protocols in Oracle facilities:

  • Physical access to facilities is limited to Oracle employees, contractors, and authorized visitors.
  • Oracle employees, subcontractors, and authorized visitors are issued identification cards that must be worn while on Oracle premises.
  • Visitors are required to sign a visitor’s register, be escorted and/or observed when they are on Oracle premises, and/or be bound by the terms of a confidentiality agreement with Oracle.
  • Security monitors the possession of keys/access cards and the ability to access facilities. Staff leaving Oracle’s employment must return keys/cards and key/cards are deactivated upon termination.
  • Security authorizes all repairs and modifications to the physical security barriers or entry controls at service locations.
  • Mixture of 24/7 onsite security officers or patrol officers, depending on the risk/protection level of the facility. In all cases officers are responsible for patrols, alarm response, and recording of physical security events.
  • Centrally managed electronic access control systems with integrated intruder alarm capability and CCTV monitoring and recording. The access control system logs and CCTV recordings are retained for a period of 30-90 days as defined in Oracle’s Record Retention Policy which are based on the facility’s function, risk level and local laws.

Data Center Security

Data centers hosting Oracle cloud services are designed to help protect the security and availability of customer data. This approach begins with Oracle’s site selection and data center provider selection processes. Candidate sites and provider locations undergo a risk evaluation that considers environmental threats, power availability and stability, vendor reputation and history, neighboring facility functions (for example, high-risk manufacturing or high-threat targets), standards compliance, and geopolitical considerations among other criteria.

Oracle defines requirements for data center suppliers housing Oracle Cloud Infrastructure (OCI) services based on industry good practice. Requirements for data center providers include redundant power sources and maintenance of generator backups (to provide business continuity in case of electrical outages) as well as monitoring of air temperature and humidity. Fire-suppression systems are also mandatory. Personnel are trained in response and escalation procedures to address security events and availability events that may arise. Oracle’s data center team evaluates the business continuity and security controls for data center providers by leveraging the supplier’s independent third-party attestations for standards such as ISO 27001 and SOC 2.