The following Technical and Organisational Measures are being provided in compliance with Article 32(1) of the GDPR. A Cloud Guru maintains its production environment with Amazon Web Services and, as such, it relies in large part on the technical security measures adopted by Amazon Web Services. All physical security controls are managed by the cloud hosting providers we use. To the extent that A Cloud Guru processes Personal Data outside the Amazon Web Services system, the following technical and organisational measures have been implemented with respect to your Personal Data. The structure of the content below is derived from Article 32(1) of the GDPR.
Pseudonymisation and Encryption
- Data is encrypted both at rest and in transit. We use TLS encryption to protect the Data in transit and we leverage industry standard encryption tools to encrypt data at rest.
- We have access controls designed to manage access to Data and system functionality based on authority levels and job functions. Documented access removal processes are utilised to revoke access of personnel who no longer need it.
- We enforce password policies and require multi-factor authentication when available to protect our accounts.
- All personnel laptops are encrypted and password protected, enforced through a centralised endpoint protection solution that applies best practices on devices.
- Automatically activated, password-protected computer locking.
- We protect our user login against a number of attack vectors, including brute force attacks, by utilising industry-standard third party services. Passwords are cryptographically hashed and salted according to industry best practices by our authorisation provider, and user authorisation tokens are used to manage connections to the platform.
- We do not run our own routers, load balancers, DNS servers or physical servers as our platform is a serverless environment.
- We have implemented procedures and rules for the safe and permanent destruction of Data that is redundant.
- We log and monitor activity on our system, including, but not limited to, Amazon Web Services, AWS CloudTrail events, AWS CloudWatch logs, Auth0 logs, GSuite, and GitHub. We actively store these logs from such systems and analyse them for unusual activity. Processes are in place to alert our dedicated security team of any suspicious activity for review.
- The deployment of the A Cloud Guru platform is entirely automated and changes to both infrastructure and code are subject to automated testing using our Continuous Integration (CI) tool before being released to production.
- Our infrastructure is provisioned via code solutions, including AWS CloudFormation, enabling consistent, reliable and secure deployments of cloud infrastructure.
- Changes to our platform are reviewed by peers and such code reviews are designed to ensure the security, performance and quality of code released to production.
- We engage an independent organisation to assess the security of our platform; this assessment is performed no less than once every 6 months.
Availability and Resilience
- We leverage fully managed services to deliver the platform, and the provider of each such service (e.g. AWS Lambda) is responsible for administering and patching it.
- All customer data is stored in Cloud storage services and is backed up on at least a daily basis.
Ability to Restore the Availability and Access to Personal Data
- We have a written Business Continuity and Disaster Recovery Plan setting forth processes to restore the platform.
Processes of Regular Testing, Assessing and Evaluating the Effectiveness of Technical and Organisational Measures for Ensuring the Security of the Processing
- We regularly review data privacy measures.
- We have a dedicated security team that works with all teams at A Cloud Guru to provide security in all aspects of the platform and services.
- All members of our team (including both full time employees and independent contractors) are required to comply with internal security policies and practices, including, but not limited to, an Information Security Incident Management Policy, an Information Security Policy and Standards – Data Encryption Policy, an Acceptable Use Policy, an Email Policy and a Data Classification and Access Control Policy.
- We perform regular penetration test audits with a contracted third party.