Data Protection and Security
Alphacloud Technologies Pte Ltd (Alphacloud) cares about the security of our services and about the security of your data.
We understand how critical maintaining consumer trust is, and that trust is rooted first and foremost in protecting personal data.
Our services are built on Amazon Web Services (AWS), which is itself compliant with certifications such as SOC 2, CSA, ISO 27001, and more. We operate a highly secure platform and store data securely with AWS while addressing all relevant legal, industry, and regulatory concerns around the world.
Contents
- 1. Physical Security
- 2. System Security
- 3. Confidential Information Handling
- 4. Encryption
- 5. Employee Security & Access Control
- 6. System Development Lifecycle
- 7. Client and Server Hardening
- 8. Application Security
- 9. Service Levels, Backups, and Recovery
- 10. API & Integrations
- 11. Customer Payment Information
- 12. Security Incident & Vulnerability Management
- 13. Compliance
- 14. Technical and Organizational Measures (TOMs)
1. Physical Security
Alphacloud production data is processed and stored within world-renowned data centers (Amazon Web Services), which use state-of-the-art multilayer access, alerting, and auditing measures, including:
- perimeter fencing.
- vehicle access barriers.
- custom-designed electronic access cards.
- biometric checks.
- laser beam intrusion detection.
- continuous external and internal security camera surveillance.
- 24×7 trained security guards.
2. System Security
- All servers that run Alphacloud software in production are recent, continuously patched Linux systems.
- Our web servers encrypt data in transit using the strongest grade of HTTPS security so that requests are protected from eavesdroppers and man-in-the-middle attacks.
- Our TLS certificates use 2048-bit RSA keys and are signed with SHA-256.
- Internal tier-to-tier requests are signed and authenticated to prevent request forgery, tampering, and replay.
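The signed internal requests described above can be modelled as an HMAC over the request fields plus a timestamp and a single-use nonce, so that forged, tampered and replayed requests are each rejected. This is an added illustration written for this page, not Alphacloud's implementation; the shared key, header names and skew window are constructed assumptions.

```python
# Added example of signed, replay-resistant tier-to-tier requests (a generic
# HMAC scheme, not Alphacloud's own code; key and header names are assumed).
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too far ahead


def sign_request(key, method, path, body, ts=None, nonce=None):
    """Caller side: return the headers attached to an internal request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    body_hash = hashlib.sha256(body).hexdigest()
    # The canonical string binds every field the receiver will verify.
    canonical = f"{method.upper()}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()
    sig = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    """Receiver side: checks signature, freshness and nonce uniqueness."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = {}  # nonce -> timestamp; in-memory replay cache

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        # Drop nonces that are now too old to replay, then check for reuse.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= MAX_SKEW_SECONDS}
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        expected = sign_request(self.key, method, path, body, ts, nonce)["X-Signature"]
        if not hmac.compare_digest(expected, presented):  # constant-time compare
            return False, "bad signature (forged or tampered)"
        self.seen_nonces[nonce] = ts
        return True, "ok"
```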
3. Confidential Information Handling
- All systems that contain Confidential Information are identified.
- Information classification and handling procedures are implemented. These procedures include labeling and handling techniques for information that contains Confidential Information.
- All employees who handle Confidential Information are properly trained to secure our information while it is being processed, transmitted or stored.
- We adhere to a comprehensive security policy and procedures for handling Confidential Information that addresses secure methods for processing, transmitting and storing Confidential Information.
- We maintain standard media handling procedures to protect Confidential Information that is stored on media.
4. Encryption
- We use ANSI-approved encryption methods (256-bit encryption at a minimum) for transmitting Confidential Information.
- Encryption methods are used while processing, transmitting or storing Confidential Information. This includes:
  - Infrastructure components such as servers.
  - Electronic communications such as email and fax.
  - Mobile devices such as laptops, smartphones, tablets, and USB drives.
- We maintain a formal process for managing and protecting encryption keys which follows industry standards.
5. Employee Security & Access Control
- We conduct background checks on all employees and contractors that will be handling Confidential Information.
- All employees and contractors sign non-disclosure agreements (NDAs) and confidentiality agreements.
- Actions of employees and contractors that have access to Confidential Information are monitored and logged.
- We maintain a formal process for registering and de-activating user accounts on systems.
- Access is removed immediately when employees and contractors that have access to Confidential Information are terminated.
- All employees and contractors that have access to Confidential Information are identified on systems with a unique ID.
- We authenticate all access to any system containing Confidential Information. This includes access by applications, administrators and all users.
- We limit access to Confidential Information based on the concept of “least privilege” (i.e., access on a “need to know” basis only).
- We enforce password controls.
6. System Development Lifecycle
- We maintain an SDLC process that ensures new systems or enhancements to existing systems that contain Confidential Information will have security controls defined and implemented prior to being placed into production.
- All changes to source code destined for production systems are subject to pre-commit code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.
- Prior to updating production services, all contributors to the updated software version are required to approve that their changes are working as intended on staging servers.
7. Client and Server Hardening
- Exposed server endpoints are regularly tested for vulnerabilities using multiple types of scanning software as well as manual testing. Request-handling code paths have frequent user re-authorization checks, payload size restrictions, rate limiting where appropriate, and other request verification techniques. All requests are logged and made searchable to operations staff.
- Client code uses multiple techniques to ensure that using the Alphacloud application is safe and that requests are authentic, including:
  - IFRAME sandboxing
  - XSS and CSRF protection
  - signed and encrypted user auth cookies
  - remote invalidation of existing sessions upon password change or user deactivation
8. Application Security
- PDF templates, image templates and data: A template is a design with a preset layout or preset styles for formatting, and consists only of static data. Your templates are stored in AWS RDS, and the underlying storage is encrypted.
- Generated PDF files and uploaded files: Generated PDF files are stored in AWS S3 cloud storage with strong encryption at rest.
- Pre-signed URLs for PDFs: A generated PDF URL is a pre-signed URL. Pre-signed URLs are created and signed using our credentials and have a configurable expiry. Expired PDF documents are purged periodically.
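The pre-signed URL mechanism described above, shown as a simplified model added for this page: the signature covers the object key and the expiry, the download endpoint rejects expired or altered URLs, and a purge routine removes documents whose retention has ended. This is not AWS S3's SigV4 presigning and not Alphacloud's code; the host, secret and object names are constructed placeholders.

```python
# Added illustration of expiring pre-signed download URLs plus purge of expired
# documents. Simplified HMAC scheme, not S3 SigV4; all names are constructed.
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://pdf-store.example.invalid"  # constructed placeholder host


def _signature(secret, object_key, expires):
    # The signature binds the object key and the expiry, so neither can be edited.
    msg = f"GET\n/{object_key}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def presign(secret, object_key, ttl_seconds, now=None):
    """Create a URL valid for ttl_seconds; the expiry travels in the query string."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"Expires": expires,
                       "Signature": _signature(secret, object_key, expires)})
    return f"{BASE_URL}/{object_key}?{query}"


def verify(secret, url, now=None):
    """Check a download endpoint performs before serving the object."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["Expires"][0])
        presented = params["Signature"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    if now > expires:
        return False, "expired"
    expected = _signature(secret, parts.path.lstrip("/"), expires)
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        return False, "bad signature"
    return True, "ok"


def purge_expired(documents, now):
    """Remove documents whose retention expiry has passed; return purged keys."""
    purged = [k for k, exp in documents.items() if exp <= now]
    for k in purged:
        del documents[k]
    return purged
```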
9. Service Levels, Backups, and Recovery
- Alphacloud infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of autoscaling, load balancing, task queues and rolling deployments.
- Production data is backed up according to a defined schedule and stored in a secure environment.
- The Confidential Information is encrypted on the media during the backup process.
- The data retention policies are defined and implemented.
- The data recovery processes are documented and tested to ensure successful recovery.
10. API & Integrations
- Access to the CraftMyPDF REST API endpoints requires an access key that customers can regenerate on demand.
- API logs are generated for troubleshooting and retained for up to 14 days; logging can be turned off under “API Integration”.
- Integrations with other applications are all opt-in and authenticate via OAuth or other applicable mechanisms required by the third-party application. Integrations can be disabled at any time.
11. Customer Payment Information
We use Stripe for payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider.
12. Security Incident & Vulnerability Management
- We maintain a formal threat and vulnerability management program to identify new vulnerabilities and to ensure security is consistently maintained over time.
- We maintain a virus protection process to prevent and detect the introduction of malicious software into the environment.
- We maintain a patch management process that ensures security patches are implemented in a timely manner.
- We maintain a system event management process to ensure security events are consistently identified, monitored, logged, and acted on in a timely fashion.
- The log files of our systems are protected from modification or deletion, and can be correlated to reflect the actions taken by any individual.
- We maintain a security incident handling process to quickly manage and remediate security incidents.
- We investigate any such breach or unauthorized access to our systems, and we immediately notify customers of any security breaches or unauthorized access to Confidential Information.
13. Compliance
- All security controls are implemented and functioning properly on all systems that contain Confidential Information.
- We maintain compliance with applicable laws, regulations, and industry standards that apply to the services being offered as part of this contract.
14. Technical and Organizational Measures (TOMs)
The following measures apply to all data processing activities that are under control of Alphacloud, or where our company is a subcontracted data processor on behalf of another data controller.
In situations where Alphacloud is the data controller and another organization is the data processor on behalf of our company, Alphacloud ensures that the security measures implemented by the subcontracted processor at least equal the level of processing security indicated by the following measures.
- Confidentiality Measures
  - Physical Access Control on the Premises
    Measures for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.
    Measures:
    - Alarm system.
    - Automatic access control system.
    - Biometric access barriers.
    - Smart card systems.
    - Manual locking system.
    - Doorbell system with camera.
    - Video surveillance of entrances.
    - Key regulation / key list.
    - Visitors’ protocol.
    - Care in selection of staff.
    - Work instruction on access control.
  - Logical Access Control
    Measures for preventing data processing systems from being used by unauthorized persons.
    Measures:
    - Login with username + strong password.
    - Anti-virus software.
    - Use of VPN for remote access.
    - Two-factor authentication in data center operation and for critical systems.
    - User permission management.
    - User profiles.
    - Central password assignment.
    - Information Security Policy.
    - Access Control Policy.
  - Authorization Control
    Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.
    Measures:
    - Logging of accesses to applications, specifically when entering, changing, and deleting data.
    - SSH-encrypted access.
    - Certified SSL encryption.
    - Use of authorization concepts.
    - Minimum number of administrators.
    - Management of user rights by administrators.
  - Separation Control
    Measures that ensure that data collected for different purposes can be processed separately.
    Technical Measures:
    - Separation of production and development environments.
    - Physical separation (systems/databases/data carriers).
    - Client systems are logically separated.
    - Staging of development, test, and production environments.
    - Control via authorization concept.
  - Pseudonymization
    The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.
    Technical Measures:
    - In case of pseudonymization: separation of the allocation data and storage in a separate (encrypted) system.
    - Internal instruction to anonymize/pseudonymize personal data as far as possible in the event of disclosure, or even after the statutory deletion period has expired.
- Integrity Measures
  - a. Transfer Control
    Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media.
    Measures:
    - Use of VPN.
    - Logging of accesses and retrievals.
    - Provision via encrypted connections such as HTTPS.
    - Use of signature procedures.
    - Survey of regular retrieval and transmission processes.
    - Transmission in anonymized or pseudonymized form.
  - b. Input Control
    Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified, or removed from data processing systems.
    Measures:
    - Technical logging of the entry, modification, and deletion of data.
    - Manual or automated control of the logs.
    - Survey of which programs can be used to enter, change or delete which data.
    - Traceability of data entry, modification, and deletion through individual user names.
    - Assignment of rights to enter, change and delete data on the basis of an authorization concept.
    - Retention of forms from which data has been transferred to automated processes.
    - Clear responsibilities for deletions.
- Resilience Measures
  - Recoverability Control
    Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.
    Measures:
    - Backup monitoring and reporting.
    - Restorability from automation tools.
    - Backup concept according to criticality and customer specifications.
    - Recovery concept.
    - Control of the backup process.
    - Regular testing of data recovery and logging of results.
- Procedures for Regular Review, Assessment, and Evaluation
  - Data Protection Management
    Measures:
    - Central documentation of all data protection regulations with access for employees.
    - A review of the effectiveness of the security measures is carried out at least annually.
    - Staff trained and obliged to confidentiality/data secrecy.
    - Regular awareness trainings at least annually.
    - A formalized process for requests for information from data subjects is in place.
  - Data Protection by Design and by Default
    Measures pursuant to Art. 25 GDPR that comply with the principles of data protection by design and by default.
    Measures:
    - No more personal data is collected than is necessary for the respective purpose.
    - Use of data protection-friendly default settings in standard and custom software.
    - Data Protection Policy (includes the principles “privacy by design / by default”).
    - Perimeter analysis for web applications.
  - Order Control (outsourcing, subcontractors, and order processing)
    Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions.
    Measures:
    - Monitoring of remote access by external parties, e.g. in the context of remote support.
    - Monitoring of subcontractors according to the principles and with the technologies described in the preceding chapters 1 and 2.
    - Prior review of the security measures taken by the contractor and their documentation.
    - Selection of the contractor under due diligence aspects (especially with regard to data protection and data security).
    - Obligation of the contractor’s employees to maintain data secrecy.
    - Agreement on effective control rights over the contractor.
    - Regulation on the use of further subcontractors.
    - Ensuring the destruction of data after termination of the contract.
    - In the case of longer collaboration: ongoing review of the contractor and its level of protection.