Updated March 20, 2020
To protect Your Personal Data, Cloudmore will implement and maintain the following Security Measures. We may update or modify such Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
We will abide by these Security Measures to protect Your Personal Data as is reasonably necessary to provide the Services.
We have in place a security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is reviewed on a regular basis to provide for continued effectiveness and accuracy. We maintain an information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
Cloudmore maintains commercially reasonable administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of Your Personal Data. These safeguards include encryption of Personal Data at rest and in transmission with Our user interfaces or APIs (using TLS or similar technologies) over the Internet.
We have an incident management process for security events that may affect the confidentiality, integrity, or availability of Our systems or data that includes a response time under which We will contact You upon verification of a security incident that affects Your Personal Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to service incidents.
We restrict administrative access to production systems to approved personnel. We require such personnel to have unique IDs which are used to authenticate and identify each person’s activities on Our systems. Upon hire, Our approved personnel are assigned unique IDs and upon termination of personnel, or where compromise of such an ID is suspected, these IDs are revoked. Access rights and levels are based on Our employees’ job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
The Subprocessors utilized by Us for infrastructure services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to provide defense against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular vulnerability audits.
The Subprocessors’ environments which are utilized by Us for infrastructure services in connection with Our provision of the Services employ at least the following security measures:
In connection with Our provision of the Services We only use Subprocessors for infrastructure services who are fully compliant with GDPR and CCPA, are publishing regular SOC 1, SOC 2, and SOC 3 reports, and who maintain certifications against the following standards:
Any third-party service providers that are utilized by Cloudmore will only be given access to Your Account and Personal Data as is reasonably necessary to provide the Service and will be subject to their implementing and maintaining compliance with the following appropriate technical and organizational security measures:
Third-party service providers shall take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to data processing systems in which Personal Data is Processed.
Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization. These controls shall vary based on the nature of Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
Third-party service providers shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access Personal Data only have access to Personal Data to which they have the privilege of access; and, that Personal Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
Third-party service providers shall take reasonable measures to provide that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified or removed; and, any transfer of Personal Data to a third-party service provider is made via a secure transmission.
Third-party service providers shall take reasonable measures to provide that Personal Data is secured to protect against accidental destruction or loss.
Third-party service providers shall logically segregate Personal Data from the data of other parties on their systems to ensure that Personal Data may be Processed separately.