The cloud licensing portion of CSI products is provided and hosted by a third-party licensing vendor.
Cloud Licensing Vendor, further referred to as the 'Vendor', is a third-party entity who manages the cloud licensing platform that CSI utilizes in its products.
Cloud Licensing Service, further referred to as the 'Service', is the cloud licensing platform utilized inside CSI products.
1. Where is the Service hosted?
The Vendor hosts the servers on Rackspace, physically located in the United States.
2. What security standards is your Vendor certified to?
The hosting provider for our Vendor has multiple security certifications. Information on Rackspace’s certifications can be found on their website: https://www.rackspace.com/compliance
3. How is the security of the platform handled?
The cloud license server has no ability to contact a client machine; it only responds when a client machine contacts it.
4. How is user data protected?
All data transmitted and stored is encrypted with AES256.
5. What security measures against cyber-attacks, viruses and/or hacking are implemented?
Our Vendor has implemented the following:
- All their systems have updated antivirus detection and monitoring.
- They use OSSEC for intrusion detection.
- They do their own penetration testing on a monthly basis.
- All the data in their system is encrypted during transit and at rest.
6. Have there been any third-party security audits conducted?
Our Vendor only conducts their own internal audits.
7. Are we permitted to run a vulnerability and/or penetration test assessment?
Due to the potential negative impact on the Vendor’s production infrastructure, third-party test assessments are not permitted.
8. Does the Vendor have any cyber insurance coverage?
Yes, they have cyber insurance. To date, they have not had a breach of data or customer information.
9. How are users notified in the event of a security breach?
Per their GDPR policy, our Vendor will notify CSI within 72 hours of the breach. CSI will notify users of the breach via email.
10. How often are backups performed and where are the backups hosted?
The Vendor performs backups on a daily basis and backups are held in AWS.
11. How many Disaster Recovery facilities are available?
Rackspace has multiple datacenters and can provide alternate infrastructure as needed.
12. Can user data be moved to another hosting jurisdiction?
In the event that user data needs to be moved to another hosting jurisdiction, the Vendor, per GDPR compliance, will give CSI prior notification of the move. CSI will notify users via email.
13. How does your Vendor comply with GDPR?
Our Vendor originally complied with GDPR by leveraging Privacy Shield. They are now working with the Standard Contractual Clauses as a model.
14. Does your Vendor have an Information Security Policy or Program addressing confidentiality, integrity, and availability of their facilities, systems and the information in their possession and control?
Yes, our Vendor does, as part of their GDPR compliance package.
15. Is user data, extracts or summaries used for any purpose other than providing the Service?
No, customer data is not used for anything other than providing the Service.
16. Is there a Business Continuity plan for the Service with Recovery Point Objective (RPO) and Recovery Time Objective (RTO) metrics?
There is no formal Business Continuity plan with RPO and RTO objectives.