Security Is Our Top Priority.

At CloudPassage, the security, integrity, and availability of our customers’ applications and data are a top priority. We have implemented a multi-layered security approach that protects systems, services and data against unauthorized use, disclosure, modification, damage and loss.

Data Center Security

Physical Security

  • Data center access limited to data center technicians
  • Biometric scanning for controlled data center access
  • Security camera monitoring at all data center locations
  • 24×7 onsite staff provides additional protection against unauthorized entry
  • Unmarked facilities to help maintain a low profile
  • Physical security audited by an independent firm

Environmental Controls

  • N+1 redundant HVAC (Heating Ventilation Air Conditioning) system ensures a duplicate system immediately comes online in the event of an HVAC system failure
  • Sensors to detect environmental hazards, including smoke detectors and floor water detectors
  • Raised flooring to protect hardware and communications equipment from water damage
  • Fire detection and suppression systems (dry-pipe, pre-action water-based)

Power

  • Redundant (N+1) UPS power subsystem with instantaneous failover
  • UPS (Uninterruptible Power Supply) for all servers
  • Diesel Generators (minimum N+1)
  • Service agreements with fuel suppliers in place
  • If an extended utility power outage occurs, onsite diesel generators can run indefinitely

Operational Security

  • ISO27001-based policies and procedures, regularly reviewed
  • All employees trained on documented information security and privacy procedures
  • Access to confidential information restricted to authorized personnel only, according to documented processes
  • Systems access logged and tracked for auditing purposes
  • Fully documented change-management procedures
  • Independently audited disaster recovery and business continuity plans in place

Systems & Application Security

System Security

  • New systems are provisioned with a hardened operating system (only necessary programs and services)
  • Security patches are applied on a regular basis
  • Provisioning follows documented policies and procedures
  • All systems are firewall protected
  • CloudPassage Halo constantly monitors the internal network, provides daily status emails, and provides weekly vulnerability scans of all internal machines
  • Virus scanning and detection on all machines
  • Quarterly vulnerability testing conducted by third parties

Security Monitoring

  • The Information Security team monitors internal and external security events and implements corrective actions
  • Systems access logged and tracked for auditing purposes
  • Application access logs are collected and analyzed according to internal security procedures

Application Security

  • CloudPassage tests all code for security vulnerabilities before release, and regularly scans networks and systems for vulnerabilities
  • CloudPassage services are based on proven and secure Open Source solutions and custom applications
  • Applications and servers are regularly patched to provide ongoing protection from exploits
  • Communication encryption – Transport Layer Security (TLS) connections secure all communications

Internal and Third-party Testing and Assessments

  • All code is tested for security vulnerabilities prior to release
  • Third-party assessments are conducted regularly:
    • Application vulnerability threat assessments
    • Network vulnerability threat assessments
    • Selected penetration testing and code review
    • Security control framework review and testing

Security Certification

SSAE-16 SOC 2


CloudPassage has been audited against the Service Organization Control (SOC) reporting framework for SOC 2, Type 2. The SOC 2 report is available to customers to meet a wide range of US and international auditing requirements.

The SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into CloudPassage security and availability based on a defined industry standard and further demonstrates CloudPassage’s commitment to protecting customer data.

CSA STAR Level 1

The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CloudPassage is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA’s Cloud Controls Matrix (CCM) v.3.0.1, provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider.

A CSA STAR Level 1 Questionnaire for CloudPassage is available for download on the Cloud Security Alliance’s website here.


PCI DSS 3.1 Level 1


Our PCI DSS 3.0 compliance certifies safe and secure handling of credit card holder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), CloudPassage places stringent controls around cardholder data as both a service provider and merchant.

CloudPassage provides managed security services that may assist our customers in securing their environments and/or meeting certain PCI DSS compliance requirements. The CloudPassage Halo service does not store, process, or transmit any cardholder data. Under the PCI Data Security Standards, our services fall into the category of impacting the security of cardholder data and as such, we acknowledge our responsibility to comply with applicable requirements for PCI for our environment. As CloudPassage does not perform hosting services, customers are fully responsible for meeting all PCI DSS requirements within their own environments.

FedRAMP


The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. CloudPassage is now listed as one of the few CSPs that are FedRAMP Ready in the FedRAMP Marketplace and is continuing in the next phase of the evaluation process towards “Authorized” status.