This document gives an overview of the security and data protection practices and processes of Cloudreach group companies (collectively "Cloudreach").
The content of this document is for informational purposes only and comes without any, including implied, warranties whatsoever. The practices and processes set out in this document may be amended by Cloudreach from time to time to comply with applicable laws and to reflect improvements of Cloudreach’s procedures.
Information Security Programme
Cloudreach has implemented and maintains a formal and comprehensive information security programme designed to ensure the security and integrity of customer data. Cloudreach’s information security programme includes internal policies and procedures which govern crucial security aspects, including but not limited to:
- risk management
- remote access and network management
- physical access and security monitoring
- data classification
- data sharing and storage controls
- service provider engagement and security
Security Standards and Certifications
Cloudreach’s operations, policies and procedures are reviewed at least annually and audited regularly to ensure Cloudreach meets and exceeds all standards expected of service providers.
ISO 27001 is an information security standard originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In September 2013, ISO 27001:2013 was published, superseding the original 2005 standard. ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organisation’s Information Security Management System (ISMS).
Cloudreach is proud to say we have been certified against ISO 27001 since 2011.
Cloudreach achieved the Cyber Essentials certification in April 2018. The Cyber Essentials scheme is a government certification that provides an independent assessment of security controls. This scheme is backed by the National Centre for Cyber Security. This certification further demonstrates Cloudreach’s continued commitment to Information Security and willingness to accommodate its customers’ requirements.
Cloudreach passed its first SOC2 (Type 1) report audit for its software-enabled cloud services in June 2018. Originally designed by the American Institute of Certified Public Accountants (AICPA), the SOC2 report evaluates the internal controls and security measures of an organisation. It assesses against 5 main “Trust Services Principles and Criteria”: security; availability; processing integrity; confidentiality; and privacy. Additionally, Cloudreach passed its first SOC2 (Type II) audit in July 2019; this evaluates the operational effectiveness of the internal controls and security measures. Achieving SOC2 compliance provides clients with further assurance of the robustness of Cloudreach’s security posture and control framework.
In January 2019, Cloudreach officially achieved Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliance for its Cloud Operations services. Administered by the PCI Security Standards Council, PCI DSS is an information security standard that aims to enhance payment account security and prevent credit card fraud.
As further demonstration of Cloudreach’s commitment to cyber security, in October 2019, Cloudreach joined over 100 other tech leaders in signing the Cybersecurity Tech Accord, whose collective goal is to: “promote a safer online world by fostering collaboration among global technology companies committed to protecting their customers and users and helping them defend against malicious threats.”
In general, Cloudreach follows industry best practices around implementation of secured transmission, storage, and disposal of information and of authentication and access controls within media, applications, operating systems and equipment.
Cloudreach has also implemented proactive security procedures such as perimeter defence and network intrusion prevention systems. Vulnerability assessments and penetration testing of the Cloudreach network infrastructure are evaluated and conducted on a regular basis by both internal Cloudreach resources and external third-party vendors.
International Data Transfers
Strict data protection laws govern the transfer of personal data originating from the European Economic Area (EEA) or Switzerland to other countries not deemed adequate under applicable data protection laws. Cloudreach has implemented the following international data transfer safeguards in order to comply with such data protection laws:
- Intracompany data processing agreement. As a global company, Cloudreach may need to share personal data across its entities to support our customers in the provision of services. Cloudreach has put in place an intracompany data processing agreement incorporating the European Commission’s approved standard contractual clauses (“Model Clauses”) to allow the processing of personal data amongst its entities.
- European Union Model Clauses. Cloudreach has incorporated the Model Clauses into our standard data protection agreement used with service providers located in a third country. The Model Clauses creates a contractual mechanism to meet the adequacy requirement which allows for transfer of personal data from the EEA to a third country.
- In light of the July 2020 ruling that Privacy Shield is an invalid data transfer mechanism, Cloudreach are currently reviewing all affected subprocessors and are in the process of moving those affected by the change to the Model Clauses, as per our standard data protection agreements.
Investigation and Reporting of Security Incidents
Cloudreach has a documented internal security incident response plan in place both in Europe and North America that aligns with the GDPR data breach notification requirements.
The strong relationship between the Cloudreach Security and Legal teams enables the incident handling process to benefit from a broad approach and appropriate response plan to be implemented efficiently from technical and legal standpoints.
Due to our thorough training programmes, a number of incidents or anomalies are directly reported by Cloudreach staff, thereby giving Cloudreach security visibility of security threats affecting the company. Examples of such reports have included phishing (up to 100% reporting in some cases), possible mishandling of credentials and inappropriate permissions.
Customer Data Safeguards
Information Classification and Risk-Based Controls
Cloudreach has implemented a three-tier classification scheme to protect information according to risk levels. All information that Cloudreach processes on behalf of its customers is given the highest levels of protection.
Use of Google’s G Suite products
Cloudreach extensively utilises G Suite productivity and collaboration tools, products and software and especially Google Drive for storage purposes, thereby benefiting from Google’s experience and innovation in the security field. The use of G Suite enables Cloudreach to set appropriate security controls. Details on G Suite’s Security practices can be found here.
In addition to adhering to various security best practices, Cloudreach require all employees to set up two-factor authentication on their accounts, whenever possible and business effective. This includes G Suite access (policy controlled), Cloud provider services and secrets management systems.
Data Encryption at rest and in transit
Customer data is encrypted at rest whenever possible. Cloudreach encrypts customer data in transit over the network.
Security Compliance by Cloudreach Staff
Cloudreach has a secure procedure for vetting new employees, which includes conducting background checks on all employees consistent with applicable country specific laws.
Cloudreach takes appropriate steps to ensure compliance with our security measures and standards by employees and contractors to the extent applicable to their scope of performance. This includes ensuring that all persons authorised to process customer personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
All Cloudreach employees receive privacy and security training during onboarding as well as on an ongoing basis. In addition, tailored business unit training and awareness sessions, for example focused on social engineering, are carried out throughout the year.
Before engaging any third party to process our customers’ data (“Subprocessor”), Cloudreach conducts an audit of the security and privacy practices of Subprocessors to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are considered for.
Once Cloudreach has assessed the risks presented by Subprocessors, they are required to enter into appropriate security, confidentiality and privacy contract terms. The list of authorised Subprocessors is made available to Cloudreach customers.
Retention and Deletion
Cloudreach only retains customer personal data as long as necessary to provide services and products for a customer or for the purposes permitted by the customer. Once the purpose of retaining personal data expires, Cloudreach will return personal data to the customer or delete it, and will only retain a copy of such data if required by law, and to that extent, only the portion of personal data that is absolutely necessary.
Privacy by Design
Before launching any new product, Cloudreach’s privacy and product teams evaluate how such product collects, uses and stores data. This allows the business to identify any potential privacy and data protection risks early, allowing for early resolution, saving costs in the long term and ensuring that transparent and comprehensive information can be provided to customers.
Ongoing evaluations and improvements
Cloudreach recognises that data protection and data security are a very important priority for our global customers. As such, Cloudreach continues to monitor legal developments, both on an EU and member state level, and to improve its practices and processes.
At Cloudreach, we are committed to the responsible disclosure of vulnerabilities, allowing all third parties, including partners, researchers, media outlets, and the general public, a suitable, legal method to disclose any known vulnerabilities to us. Vulnerabilities can be reported to email@example.com. For further information, please see our vulnerability disclosure notice.
Data Protection Officer
Cloudreach has appointed a data protection officer (DPO) to oversee compliance with relevant data protection laws. If you have any questions about our data protection or security practices, please contact the DPO (firstname.lastname@example.org).
Last updated December 2019