Last updated: March 19, 2021
The following Technical and Organisational Measures are being provided in compliance with Article 32(1) of the GDPR. A Cloud Guru maintains the majority of its production environment with Amazon Web Services and, as such, it relies in large part on the technical security measures adopted by Amazon Web Services. All physical security controls are managed by the cloud hosting providers we use. To the extent that A Cloud Guru processes Personal Data outside the Amazon Web Services system, the following technical and organisational measures have been implemented with respect to your Personal Data. The structure of the content below is derived from Article 32(1) of the GDPR.
Pseudonymisation and Encryption
- A Cloud Guru encrypts data both at rest and in transit. All external network communication uses TLS encryption to protect it in transit. We leverage the encryption tools included in public cloud data stores to encrypt data at rest.
- A Cloud Guru restricts access to systems and infrastructure to A Cloud Guru personnel (or, at limited times, consultants who are bound by confidentiality and data protection standards) who require access as part of their job responsibilities. Access removal processes are used to revoke access to personnel who no longer need it.
- A Cloud Guru enforces a password policy and a requirement for multi-factor authentication to protect sensitive systems.
- We protect our user login against a number of attack vectors, including brute force attacks, by utilising third party services. Passwords are cryptographically hashed and salted by our authorisation provider based on industry best practices. Our authorisation provider generates user authorisation tokens to manage connections to the platform.
- A Cloud Guru is primarily a serverless environment, entirely hosted in the cloud, and uses the shared cloud security model. We do not run our own routers, load balancers, DNS servers, or physical servers.
- Activity on A Cloud Guru’s systems is logged and monitored. We capture and store logs generated by our infrastructure, application code and vendors. This includes, but is not limited to, Amazon Web Services (AWS), Auth0, GSuite and GitHub. Logs from these systems are stored and analysed for unusual activity.
- The deployment of the A Cloud Guru platform is entirely automated. Changes to both infrastructure and code are subject to automated testing using our Continuous Integration (CI) tool before being released to production. A change that passes our review and testing process is then deployed to production using our CI tool.
- All changes to the A Cloud Guru codebase are reviewed by peers. Code reviews are designed to ensure the security, performance and quality of code released to production. Code changes are staged or tested prior to deployment to production systems.
- A Cloud Guru engages an independent organisation to perform regular penetration tests to assess the security of our platform. The security of our platform is reviewed on a six-monthly basis. The team works quickly to mitigate potential issues identified by these reviews.
Availability and Resilience
- A Cloud Guru leverages fully managed, i.e. “serverless”, services such as AWS Lambda to deliver the platform. In such cases the provider is responsible for administering and patching the servers.
- In cases where we run cloud-based servers, we actively scan for security and configuration vulnerabilities and patch those servers according to the risks presented.
- We manage our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process for applying these changes.
- A Cloud Guru maintains a Business Continuity plan for the A Cloud Guru organisation.
- Backups are a central part of our Disaster Recovery strategy. All customer data is stored in cloud storage services. All data is backed up on at least a daily basis.
Processes of Regular Testing, Assessing and Evaluating the Effectiveness of Technical and Organisational Measures for Ensuring the Security of the Processing
- We regularly review data privacy measures.
- We have established a collaborative security council for surfacing security concerns across the business. Representatives from the various business units participate in regular discussions about security and compliance issues, and executive participants make high-level decisions.
- A Cloud Guru has a dedicated security team. Our security team works with all teams at A Cloud Guru to ensure security is built into everything we do.
- All members of our team (including both full time employees and independent contractors) are required to comply with internal security policies and practices.
- As noted above we perform regular penetration testing.