Cloudmore Security Measures
Updated March 20, 2020
To protect Your Personal Data Cloudmore will implement and maintain the following Security Measures. We may update or modify such Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
1 Security Measures Utilized by Us
We will abide by these Security Measures to protect Your Personal Data as is reasonably necessary to provide the Services.
1.1 Security Policies and Personnel
We have in place a security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is reviewed on a regular basis to provide for continued effectiveness and accuracy. We maintain an information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
1.2 Data Transmission
Cloudmore maintains commercially reasonable administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of Your Personal Data. These safeguards include encryption of Personal Data at rest and in transit to and from Our user interfaces or APIs (using TLS or similar technologies) over the Internet.
1.3 Incident Response
We have an incident management process for security events that may affect the confidentiality, integrity, or availability of Our systems or data that includes a response time under which We will contact You upon verification of a security incident that affects Your Personal Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to service incidents.
1.4 Access Control and Privilege Management
We restrict administrative access to production systems to approved personnel. We require such personnel to have unique IDs which are used to authenticate and identify each person’s activities on Our systems. Upon hire, Our approved personnel are assigned unique IDs, and upon termination of personnel, or where compromise of such an ID is suspected, these IDs are revoked. Access rights and levels are based on Our employees’ job function and role, using the concepts of least privilege and need-to-know to match access privileges to defined responsibilities.
1.5 Network Management and Security
The Subprocessors utilized by Us for infrastructure services maintain industry standard, fully redundant and secure network architecture with reasonably sufficient bandwidth, as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to defend against known and common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular vulnerability audits.
1.6 Data Center Environment and Physical Security
The Subprocessors’ environments which are utilized by Us for infrastructure services in connection with Our provision of the Services employ at least the following security measures:
- A security organization responsible for physical security functions 24x7x365.
- Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
- N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.
In connection with Our provision of the Services, we only use Subprocessors for infrastructure services who are fully compliant with GDPR and CCPA, who publish regular SOC 1, SOC 2, and SOC 3 reports, and who maintain certifications against the following standards:
- Cloud Security Alliance (CSA) STAR
- ISO 9001:2015 Quality Management Systems Standards
- ISO/IEC 27001:2013 Information Security Management
- ISO/IEC 27017:2015 Code of Practice for Information Security Controls
- ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud
2 Technical and Organizational Security Measures for Third-Party Service Providers Who Process Personal Data
Any third-party service providers that are utilized by Cloudmore will only be given access to Your Account and Personal Data as is reasonably necessary to provide the Service, and will be required to implement and maintain compliance with the following appropriate technical and organizational security measures:
2.1 Physical Access Controls
Third-party service providers shall take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to data processing systems in which Personal Data is Processed.
2.2 System Access Controls
Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization. These controls shall vary based on the nature of Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
2.3 Data Access Controls
Third-party service providers shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff; that direct database query access is restricted and application access rights are established and enforced so that persons entitled to access Personal Data only have access to the Personal Data they are privileged to access; and that Personal Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
2.4 Transmission Controls
Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged, so that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
2.5 Input Controls
Third-party service providers shall take reasonable measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed; and that any transfer of Personal Data to a third-party service provider is made via a secure transmission.
2.6 Data Protection
Third-party service providers shall take reasonable measures to provide that Personal Data is secured to protect against accidental destruction or loss.
2.7 Logical Separation
Third-party service providers shall logically segregate Personal Data from the data of other parties on their systems to ensure that Personal Data may be Processed separately.