How Is Security Handled In Cloudiway SaaS Platform?
We take your privacy and security seriously at Cloudiway, and we have invested significant effort into making our platform and your data secure.
Cloudiway provides a cloud-based application hosted on Windows Azure. This means that the software and data are centrally hosted and accessed by clients using a web browser and an internet connection.
In addition, Cloudiway’s SaaS benefits from Windows Azure’s certifications, ensuring the security of Microsoft’s infrastructure, network, and physical security layers.
This document is intended to answer questions around the infrastructure and security associated with the software and the data.
Hosting environments
Cloudiway uses the secure Windows Azure infrastructure to provide a secure and scalable platform to clients around the world.
Microsoft’s public auditor Deloitte has issued a Service Organization Control (SOC) 2 Type 2 report for Windows Azure in security, availability, and confidentiality trust principles.
http://azure.microsoft.com/en-gb/support/trust-center/compliance/
100% of the infrastructure is hosted in Windows Azure.
Security and compliance
Cloudiway leverages Windows Azure certifications and attestations to provide assurance to Cloudiway and its customers of the security of the infrastructure, network, and physical security layers of Cloudiway’s cloud.
- Security: Physical and logical protection against unauthorized access.
- Availability: The system is operationally available for use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: All information is classified and protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and transferred as committed or agreed.
Audit trails
Audit trails and session logs record user activity and changes made to data by the user.
Cloudiway provides logs detailing when customers logged in and when changes to configuration were made.
Application layer security
All data transmitted between Cloudiway and the user is encrypted via HTTPS.
All data transmitted between the different cloud applications (Google Apps, Office 365, etc…) is encrypted via HTTPS.
Backups
The environment is backed up every day using Windows Azure backup facilities.
Restores are tested every month.
Data destruction
At Cloudiway, we prioritise the security and privacy of your data.
To ensure the protection of your information, we have implemented a data destruction policy. Here’s how it works:
Automatic Data Destruction:
If your project remains inactive for 90 consecutive days, all associated data will be automatically destroyed. This includes backups of your data, which are also permanently deleted.
To avoid this, please ensure you log in and open your project before the 90-day inactivity period expires.
We will send you three notifications before initiating the deletion process.
Manual Project Deletion:
If you wish to delete your project manually, you can do so by locating the Delete option on the right-hand side of your project interface.
Once you initiate the deletion, the project’s database will become inaccessible for a maximum of 10 days.
After this period, the data will be permanently deleted from our system.
Requesting Data and Account Deletion:
If you no longer require your data and accounts, you can also reach out to our support team through the portal.
They will assist you in deleting your data and accounts securely.
Important Note: Cloudiway never stores your mail, file, or site data.
Your data is handled with utmost care and in compliance with our privacy policy.
For more detailed information, please refer to the following sections.
What data do we store
Migration platform
Nothing is stored internally. No data persists on the platform* and Cloudiway doesn’t ever store your mail, files, or site data (except Lotus Notes).
The migration takes place in real-time in memory. The migration engine connects to the source, pulls data, and pushes it in real-time.
*However, for the delta pass mechanism, a reference ID of each data migration is stored in internal caches (SQL databases) with the date of modification.
During a delta pass, this ensures that no data is duplicated, and for efficiency, only the changes are propagated.
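A minimal sketch of the delta pass bookkeeping described above, as an added example that is not Cloudiway's code: the table layout, function names, sample items, and the in-memory SQLite database are assumptions. It shows that only a reference ID and a modification date persist, while item content goes straight to the target.

```python
import sqlite3

def open_cache():
    # In-memory SQLite stands in for the internal SQL cache (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE migrated ("
               "ref_id TEXT PRIMARY KEY, modified TEXT NOT NULL)")
    return db

def migration_pass(db, source_items, push):
    """Push new or changed items; persist only (ref_id, modified)."""
    pushed = []
    for item in source_items:
        row = db.execute("SELECT modified FROM migrated WHERE ref_id = ?",
                         (item["id"],)).fetchone()
        if row is not None and row[0] >= item["modified"]:
            continue  # already migrated and unchanged: no duplicate is pushed
        # Content goes to the target only. If push() raises, the cache is not
        # updated, so the item is retried on the next pass.
        push(item)
        db.execute("INSERT OR REPLACE INTO migrated (ref_id, modified) "
                   "VALUES (?, ?)", (item["id"], item["modified"]))
        pushed.append(item["id"])
    db.commit()
    return pushed

# Constructed sample data. ISO 8601 UTC timestamps compare correctly as strings.
FIRST = [
    {"id": "msg-1", "modified": "2024-01-01T10:00:00Z", "body": "hello"},
    {"id": "msg-2", "modified": "2024-01-01T11:00:00Z", "body": "report"},
]
DELTA = [
    FIRST[0],  # unchanged since the first pass
    {"id": "msg-2", "modified": "2024-01-03T09:00:00Z", "body": "report v2"},
    {"id": "msg-3", "modified": "2024-01-02T08:00:00Z", "body": "new"},
]

def demo():
    db, target = open_cache(), {}
    def push(item):
        target[item["id"]] = item["body"]  # stand-in for the target system
    first = migration_pass(db, FIRST, push)
    delta = migration_pass(db, DELTA, push)
    cached = db.execute(
        "SELECT ref_id, modified FROM migrated ORDER BY ref_id").fetchall()
    return first, delta, cached, target

if __name__ == "__main__":
    print(demo())
```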
Connections to the source and the target are done using HTTPS; the data is not transferred unencrypted over the internet.
Coexistence platform
For the GALSync product, all contact objects and their attributes are stored (cached) in the Cloudiway Azure environment. This allows the GALSync tool to check for and synchronize any changes made since the last sync.
Free/busy queries are performed in real-time.
Google and Office 365 free/busy queries are sent over HTTPS to the coexistence platform which in real-time queries the remote system.
Calendar data are not stored internally. No cache is implemented.
Access to the coexistence platform is authenticated and logged.
The mail routing service relays mail in real-time via a mail queue. If an email can’t be delivered, it can stay in this queue for up to an hour before a delivery report is sent and the email is removed from the queue. Mail routing data are not stored internally. No cache is implemented.
Credentials to connect to the different systems
Because the platform needs credentials to connect to the source and the target, you define connectors to connect to them and enter credentials that will be used for the connection.
These credentials are stored encrypted using AES 256.
We recommend that you create temporary passwords during your migration and change the password after the completion of your project.
Credentials to connect to the Cloudiway platform
Passwords are not stored in a reversible way.
A hash of the password is stored. During the connection, hashes are compared.
Cloudiway staff cannot know your password.