Security & Compliance
Our customers rely on BetterCloud to manage and secure mission-critical SaaS applications and the data inside them. To protect our customers’ environments, BetterCloud utilizes the best infrastructure, protected by top security experts.
Download our Security and Compliance White Paper to learn more.
COMPLIANCE & CERTIFICATIONS
BetterCloud is certified for a number of compliance standards and controls, and undergoes independent third-party audits to test for data safety, privacy, and security.
A SOC 2, Type II attestation reports on controls relevant to security, availability, processing integrity, confidentiality or privacy. SOC 2, Type II is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service.
Please reach out to your Customer Success Manager to receive a copy of BetterCloud’s SOC 2 report. A non-disclosure agreement is required if you are not currently under a master services agreement with BetterCloud.
Privacy Shield certification ensures that BetterCloud’s privacy and data collection practices are in line with European regulatory requirements. In addition, they have been reviewed and approved by an independent third party based on the guidelines set forth by Privacy Shield for transparency, accountability and choice regarding the collection and use of a consumer’s personal information.
BetterCloud is diligently working on and is on track for GDPR compliance when it goes into effect in May 2018.
BetterCloud’s security model is an end-to-end process, spanning application authentication and metadata storage, the hosting services that power our software, and employee data management and physical security.
- Usernames and passwords are never created, given, or stored by BetterCloud, as all user logins are verified using Single Sign-On.
- The OAuth 2.0 open standard allows customers to authorize BetterCloud to access their SaaS application without sharing personal account credentials.
- BetterCloud accesses APIs for metadata around domain settings, users, groups, calendars, files, and third-party application scope approvals. The content of documents is not stored; we only maintain important security metadata, including owner and exposure level.
- BetterCloud does not retain email, messages, social security numbers, family member information, or any other personal information that is not necessary for an IT admin to manage and secure their domain.
Secure Browser Connections (HTTPS)
- HTTPS provides a secure internet connection between the BetterCloud application, which runs on Google Cloud Platform, and a customer’s local computer. This secure connection provides bidirectional encryption of communications.
- Role-Based Privileges enable admins to limit the permissions of some users within a team, including Help Desk, HR, or Security.
- Privileges are built on a multi-tiered system and include functionality to limit users to create, read, edit, or delete actions across applications and specific data objects (such as files or groups).
- BetterCloud logs the relevant activity into a system that is immutable, time synced, and accessible by account admins. Audit logs are fully exportable and can easily be searched in the application.
- The event logs contain: BetterCloud user activities, the application affected by the event, the status of the event (success/failed), event type, timestamp, and a brief description.
BetterCloud is built and hosted exclusively on Google Cloud Platform (GCP). For more information regarding Google Cloud Platform Security, please view Google’s own Security and Privacy Documentation: https://cloud.google.com/security/
Data is actively stored across three availability zones and encrypted at rest. Database and search index backups are performed daily and instantly replicated to geographically distributed data centers.
A dedicated security team, including a senior officer in the company, is chartered with ensuring the security, confidentiality, and integrity of company and customer data. Our security team performs engineering tests and educational campaigns to mitigate attacks and develop a security mindset as part of the culture of the company.
We actively reduce the attack surface by limiting the number of personnel with access to production, auto-locking employees’ computers after a short period of inactivity, and utilizing commercial tools to provide a multi-layered defense.