A Cloud Guru is a serverless environment and uses the shared cloud security model. We do not run our own routers, load balancers, DNS servers, or physical servers.
A list of all cloud providers used to maintain security and provide services on our platform can be found in our white paper located here.
All code is reviewed by a senior engineer before being deployed to production systems. Code reviews are designed to ensure the security, performance and quality of code released to production.
We protect our user login against a number of attack vectors, including brute force attacks, by utilising third-party services. Passwords are cryptographically hashed and salted based on industry best practices by our authorisation provider, and user authorisation tokens are used to manage connections to the platform.
The deployment of the A Cloud Guru platform is entirely automated. Changes to both infrastructure and code are subject to automated testing using our Continuous Integration (CI) tool before being released to production. A change that passes our review and testing process is then deployed to production using our CI tool.
A Cloud Guru performs regular penetration test audits with a contracted third party.
Data encryption and transfer
A Cloud Guru encrypts data both at rest and in transit. All network communication uses TLS encryption to protect it in transit. We leverage the encryption tools included in public cloud data stores to encrypt data at rest.
Policies and Compliance
A Cloud Guru is committed to protecting your information. While A Cloud Guru has not undergone a third-party security audit for SOC-2 or ISO27001, 27018, we hold ourselves to the security controls present in those frameworks and have chosen cloud hosting providers that are SOC and ISO compliant.
A Cloud Guru is obligated to comply with PCI standards, and uses certified third-party payment providers (Braintree and Stripe) to achieve this. A copy of our compliance certification can be found here.
Employee Access to Data
A Cloud Guru restricts access to systems and infrastructure to A Cloud Guru personnel who require access as part of their job responsibilities. Access removal processes are used to revoke access from personnel who no longer need it.
A Cloud Guru enforces a password policy and a requirement for multi-factor authentication when available to protect our accounts.
Documentation and Change Control
We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process for applying these changes.
Notification of Security Breach
A Cloud Guru complies with GDPR requirements for data breach notification standards. In the event of a security breach, A Cloud Guru will take actions to contain, investigate and mitigate the breach. A Cloud Guru will notify customers in the event of a breach in writing within 72 hours of a breach being confirmed.
An unsuccessful Security Incident will not be subject to notification. An unsuccessful Security Incident is one that results in no unauthorised access to Personal Data or to any of ACG’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.
If you have concerns, don’t hesitate to contact our team.