Governance
Data Protection
We ensure the physical security of our facilities to protect our digital infrastructure and the equipment our customers deploy in our data centers.
We also safeguard the data entrusted to us by our customers and employees by integrating privacy measures throughout our operations. These actions strengthen our cybersecurity capabilities and foster a culture of cyber awareness through employee education.
The Nominating and Governance Committee of our Board oversees our Governance, Risk and Compliance (GRC) program and receives quarterly briefings on cybersecurity. The Global Chief Information Security Officer—in partnership with our SVP, Global Regulatory, Public Policy, Privacy and Compliance—leads our ongoing efforts to apply policies, standards and procedures to maintain the highest levels of data security across our global platform. These efforts include ensuring compliance with all applicable and evolving data privacy laws where we operate.
Data Privacy
Guided by our Global Privacy Policy, the Privacy Statement defines how we collect, process, use, share and safeguard personal data. It is regularly reviewed for legal compliance.
Our Data and Privacy Office (DPO) monitors evolving privacy laws and regulations to maintain our global data privacy program, including when our business strategy evolves and where our markets expand. In 2024, we responded to new laws in China and India and in new locations for Equinix such as Cote d’Ivoire, Ghana, Malaysia, Nigeria and South Africa.
Our shared responsibility model outlines the security and compliance responsibilities between us and our customers, fostering transparency and mutual trust. In 2024, we further refined this model by defining the shared responsibilities specific to the Enhanced Platform as a Service (PaaS+), further enhancing transparency and trust.
In 2024, we strengthened our “Privacy by Design” approach by resetting and relaunching the Privacy Champions program. Representing various functions of the business, Privacy Champions inform their functions about relevant data privacy laws and regulations, ensuring that privacy is embedded into day-to-day work.
As artificial intelligence (AI) use has expanded, AI laws and regulations around the world have followed. Our AI governance program identifies and mitigates AI-related risks across the business. In 2024, we developed an assessment program to analyze the potential risks and benefits of AI use cases from an AI law and privacy compliance standpoint.
We continue to monitor and manage third party risks for data privacy using our Data Privacy Questionnaire (DPQ). In 2024, we:
- Developed an AI Assessment Questionnaire (AIAQ) to understand AI use by our vendors and suppliers.
- Updated our supplier contract templates to mitigate AI related third party risks.
- Collaborated with our InfoSec team to streamline our processes and started identifying AI use cases to further baseline and strengthen AI governance at Equinix.
- Published AI guidelines for employees on responsible use of AI technology.
We mandate privacy training for all employees as part of our Code of Conduct training. In 2024, we deployed an enterprise-wide awareness training covering the data privacy laws that impact our business. Over 13,350 employees completed the training. We also identify teams to develop and provide role-based training to employees and managers who handle personal data in their scope of responsibility. The DPO regularly issues ’Data-Bites’, its newsletter, to enhance awareness of developments within the data privacy and AI regulations’ space.
Employee privacy notices
We respect the confidentiality of employees’ personal information. Our Privacy Notices provide employees with details on how their personal data is collected, processed and protected. The notices explain the reasons for data processing, security measures in place and steps employees can take to access their data or exercise their rights under applicable regulations. We continuously review and update the notices to align with changes in our business and the markets in which we operate.
Cybersecurity
Our cross-functional Information Security Steering Committee (ISSC) comprises senior leaders from across the business who shape our cybersecurity strategies and programs to protect Equinix and its customers. Specifically, the ISSC:
- Facilitates identification of risk-based priorities and trade-offs.
- Aims to ensure economies of scale and enforce consistency of information security and compliance across IT assets at the company.
- Reviews and approves information security policies.
- Reviews requests for policy and risk exceptions to provide a “Risk Acceptance Authorization.”
- Serves as a communication channel to cultivate a culture of trust across the enterprise.
In 2024, the ISSC met quarterly to review key risk indicators and assessments, evaluate changes to our policies and examine our policy framework in preparation for upcoming regulations.
Equinix adheres to the “Never trust, always verify” Zero Trust principle. This approach assumes that no users or devices are inherently trustworthy. It uses identity to protect data and requires ongoing authentication and validation from anyone or anything attempting to access information. Additionally, we align our control framework with global standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (800-53) and ISO 27001 Information Security Management Framework, as well as local standards and certifications relevant to our operations.
In 2024, we bolstered our cybersecurity processes by:
- Implementing Unified Enterprise Risk Management for Equinix within the GRC Platform.
- Automating the IBX Threat and Risk Assessment Process.
- Rolling out a new cookie banner across all Equinix domains, including websites in different countries.
- Establishing the Equinix AI Security charter and appointing committee members to build consensus on a framework for governing and protecting AI applications.
Third-party management
We monitor and evaluate our supply chain to mitigate third-party risks. The InfoSec GRC program includes supplier monitoring tools and automated third-party security assessments for new and existing suppliers, enabling us to update and maintain our supplier risk tiering. As part of our Know Your Supplier program, we assess the information security systems, processes and programs of new suppliers using Security Assessment Questionnaires (SAQs), monitor critical suppliers for information security vulnerabilities and conduct periodic security quality reviews. In 2024, we added 100+ suppliers to the third-party risk management program.
We regularly evaluate the security and resilience of our systems through internal audits, third-party assessments and penetration testing of shared controls.
Transparency
Equinix maintains a Trust and Transparency program composed of three avenues for communication and engagement with customers.
- The Equinix Customer Portal (ECP) is a dedicated self-service resource for our customers. It provides quick and easy access to Equinix’s information security policies, certifications, statements and other essential materials, as well as materials on other relevant topics.
- Attestation requests enable our customers and partners to obtain the information they need to meet their own compliance requirements. Additionally, we conduct self-assessments and document the security controls integrated into our products. This information is publicly available in the Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) registry.
- The internal Trust and Transparency website, accessible via the ECP, serves as a platform for customers and researchers to report any concerns or security issues identified in our services. It also provides valuable information about Equinix’s security and data privacy practices, including the shared responsibility model. This resource fosters open communication and collaboration, ensuring potential issues are addressed and resolved efficiently.
Trust and security culture
New hires must complete training on security best practices and how to report suspicious activities related to IT security. In 2024, 98%1 of new hires completed the Global Information Security Awareness training. Additionally, we assign annual cybersecurity training for all employees.
In 2024, we implemented biweekly phishing tests based on trending real-world examples and emails blocked by our systems. We monitored employee click rates and analyzed performance by region and department, allowing us to identify and address areas needing improvement.
We assign additional training as needed. For instance, actions such as unsafe browsing, potential data exposure or password reuse can trigger security alerts. In such cases, we provide just-in-time training to offer immediate guidance and support to the employees concerned.
Our NEXTcode Development Training and Certification program educates employees in coding and software development skills, fostering a culture of trust and security. It includes practical coding exercises and projects that help reinforce theoretical knowledge through real-world application. By equipping software developers with the tools to write secure code from the beginning and analyze code for potential vulnerabilities, we enhance our ability to prevent and address security weaknesses.
1 Completion rate excludes employees on leave or those who left Equinix.
In 2024, over 1,500 developers completed the NEXTcode Development Training and Certification program.
1.5%
Reduction
in click rate on phishing emails sent by InfoSec in 2024
209
Posts
on the Information Security Awareness Yammer channel
with
308K
Total Views
and 500 total engagements
16.6K
Employees
and contractors included in the Information Security Yammer channel
We also use novel learning techniques, including gamified learning, to motivate and engage employees in our security practices. In 2024, we launched 39 games designed to align with ongoing data security initiatives. In 2024, 4,125 employees participated in Cybersecurity Awareness Month, up from 3,200 in 2023.
More than 450 employees participated in our Cyber Knights Ambassador program, up from 275 in 2023. We host monthly talks, games and presentations on trending security threats as part of the security ambassador program to educate employees who have a keen interest in cybersecurity. The ambassadors share information with their team members in their departments and regions, enabling us to scale and promote security awareness education.
