Security & Compliance

Our customers rely on BetterCloud to manage and secure mission-critical SaaS applications and the data inside them. To protect our customers' environments, BetterCloud runs on robust infrastructure, protected by experienced security experts.

Download our Security and Compliance White Paper to learn more.

COMPLIANCE & CERTIFICATIONS

BetterCloud is certified for a number of compliance standards and controls, and undergoes independent third party audits to test for data safety, privacy, and security.


A SOC 2, Type II attestation reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2, Type II is intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization.

Download a copy of BetterCloud’s SOC 3 Report

Please reach out to your Customer Success Manager to receive a copy of BetterCloud’s SOC 2 report. A non-disclosure agreement is required if you are not currently under a master services agreement with BetterCloud.

Privacy Shield certification ensures that BetterCloud's privacy and data collection practices are in line with European regulatory requirements. In addition, they have been reviewed and approved by an independent third party based on the guidelines set forth by Privacy Shield for transparency, accountability, and choice regarding the collection and use of a consumer's personal information.

BetterCloud made improvements in the people, processes, and technology necessary to protect customer personal data in line with its legal and contractual obligations under GDPR. Key activities for GDPR compliance are listed below.

People:

  • Held awareness sessions with customer-facing staff on their roles and responsibilities for GDPR compliance;
  • Updated company-wide security awareness materials to include new customer personal data protection and privacy practices;
  • Established and assigned the Data Protection Officer (DPO) role and responsibilities;
  • The DPO and dedicated Security Compliance staff can be contacted using privacy@bettercloud.com for GDPR compliance issues;
  • Retained Cooley LLP, one of the country's leading law firms for privacy and security matters, to update our Privacy Policy and Product Privacy Statement and to provide an action plan and advisory services for GDPR compliance.

Process:

  • Established registers of customer personal data and processing activities;
  • Completed a privacy risk assessment to support customer data protection impact assessments;
  • Mapped SOC 2 security and confidentiality controls to processing activities for protection of customer personal data;
  • Established data processing agreements with sub-processors of customer personal data;
  • Updated policies and procedures for privacy governance, breach notification, data retention, managing sub-processors, and supporting data subject requests from customers; and
  • Data processing addendum (DPA) available upon request from privacy@bettercloud.com.

Technology:

  • Established a privacy-by-design checklist;
  • Removed special categories of data from the product; and
  • Implemented new features to support data subject requests from customers exercising their rights to erasure and data portability.

GDPR FAQ

1. What personal data is processed by BetterCloud? BetterCloud processes the following types of personal data:

  • Contact and job information (name, email, phone, photo, title, address, department, manager)
  • User information (IP address, user activity, helpdesk tickets, satisfaction data)
  • Payment information

2. What categories of individuals (aka data subjects) does the personal data come from? BetterCloud processes personal data from customers’ SaaS application users and administrators.

3. Where does BetterCloud store customer personal data? All customer personal data processed by BetterCloud is stored on Google Cloud Platform, using data centers located in the United States of America. BetterCloud maintains Privacy Shield certification to provide an adequate level of protection for data transfers from EU customers.

If you have any questions, please contact your Account Executive, Customer Success Manager, or email privacy@bettercloud.com.

4. How do I obtain a Data Processing Addendum? We make it easy for our customers to formalize, and to share with stakeholders including employees, customers, and potential auditors, that they use BetterCloud in a way that meets GDPR data processing obligations. The Data Processing Addendum (DPA), pre-signed by BetterCloud, is a self-serve, easy-to-execute document that only requires an electronic signature from the customer.

After you execute the DPA, it is automatically sent to the BetterCloud Legal team, and if it has been accurately completed, the DPA then becomes legally binding. We will contact you in the event of any issues. Send questions to privacy@bettercloud.com.

Sign your DPA here.

5. Does BetterCloud use any third parties (“sub-processors”) to process customer personal data? Yes, we do. See the sub-processors page for a list of third parties with access to customer personal data.

6. Can BetterCloud help me respond to data subject requests? Yes, we have established a standard operating procedure (SOP) to support customer data subject requests in compliance with GDPR requirements. Please submit requests to your Customer Success Manager, technical support, or privacy@bettercloud.com.

Security

BetterCloud's security model is an end-to-end process, spanning application authentication and metadata storage, the hosting services that power our software, and employee data management and physical security.

Application Security

Authentication

  • Usernames and passwords are never created, given, or stored by BetterCloud, as all user logins are verified using Single Sign-On.
  • The OAuth 2.0 open standard allows customers to authorize BetterCloud to access their SaaS application without sharing personal account credentials.

Metadata

  • BetterCloud accesses APIs for metadata about domain settings, users, groups, calendars, files, and third-party application scope approvals. The content of documents is not stored; we only maintain important security metadata, including owner and exposure level.
  • BetterCloud does not retain email, messages, social security numbers, family member information, or any other personal information that is not necessary for an IT admin to manage and secure their domain.

Secure Browser Connections (HTTPS)

  • HTTPS provides a secure internet connection between the BetterCloud application, which runs on Google Cloud Platform, and a customer's local computer. This secure connection encrypts communications in both directions.

Role-Based Privileges

  • Role-Based Privileges enable admins to limit the permissions of some users within a team, such as Help Desk, HR, or Security staff.
  • Privileges are built on a multi-tiered system and include the ability to restrict users to create, read, edit, or delete actions across applications and specific data objects (such as files or groups).
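To make the tiered model concrete, here is an added example (not BetterCloud's code or API) of a deny-by-default privilege check in which each role carries grants scoped to an application and a data object type, and each grant names the subset of create, read, edit, and delete actions it permits. The role names, application names, object types, and the `*` wildcard are assumptions constructed for the illustration.

```python
"""Added example, not BetterCloud code: deny-by-default evaluation of tiered,
role-based privileges. Roles, application names, object types and the "*"
wildcard below are constructed for illustration only."""
from dataclasses import dataclass

ACTIONS = frozenset({"create", "read", "edit", "delete"})


@dataclass(frozen=True)
class Grant:
    application: str     # e.g. "google-workspace", or "*" for every application (assumed wildcard)
    object_type: str     # e.g. "files", "groups", "users", or "*"
    actions: frozenset   # subset of ACTIONS this grant permits


@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple


# Constructed roles: a Help Desk tier that may only read and edit users, an HR tier
# that may also create users, and a Security tier with read-only visibility
# everywhere plus edit/delete on files in one application.
ROLES = {
    "help-desk": Role("help-desk", (Grant("*", "users", frozenset({"read", "edit"})),)),
    "hr": Role("hr", (Grant("*", "users", frozenset({"create", "read", "edit"})),)),
    "security": Role("security", (
        Grant("*", "*", frozenset({"read"})),
        Grant("google-workspace", "files", frozenset({"read", "edit", "delete"})),
    )),
}


def _matches(pattern, value):
    """A grant field matches when it is the wildcard or equals the requested value."""
    return pattern == "*" or pattern == value


def is_allowed(role_names, action, application, object_type):
    """Return True only if some grant on some assigned role explicitly covers the
    action on this application/object type. Unknown roles and unknown actions
    are denied rather than raising, so a typo can never widen access."""
    if action not in ACTIONS:
        return False
    for role_name in role_names:
        role = ROLES.get(role_name)
        if role is None:
            continue
        for grant in role.grants:
            if (_matches(grant.application, application)
                    and _matches(grant.object_type, object_type)
                    and action in grant.actions):
                return True
    return False


def effective_actions(role_names, application, object_type):
    """The union of actions a user holding these roles may take on one object type;
    useful when reviewing whether a role assignment is still least-privilege."""
    return frozenset(a for a in ACTIONS
                     if is_allowed(role_names, a, application, object_type))


def roles_granting(action, application, object_type):
    """Every role that would permit the action: the reverse lookup an admin wants
    when auditing who can, for example, delete groups in a given application."""
    return sorted(name for name in ROLES
                  if is_allowed([name], action, application, object_type))


if __name__ == "__main__":
    print(effective_actions(["help-desk"], "slack", "users"))
    print(roles_granting("delete", "google-workspace", "files"))
```

The check returns False unless a grant positively matches, which is the property to preserve when adding tiers: a new role or a mistyped object type can only narrow what a user can do, never widen it.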

Audit Logs

  • BetterCloud logs the relevant activity into a system that is immutable, time-synced, and accessible by account admins. Audit logs are fully exportable and can also be searched from within the application.
  • The event logs contain: BetterCloud user activities, the application affected by the event, the status of the event (success/failed), the event type, a timestamp, and a brief description.
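Since the logs are exportable, an admin can run their own triage over them. The following added example (not BetterCloud's code, and not its export format) reads records carrying the six fields listed above and surfaces users whose actions were repeatedly refused in a short window, a common first check after a privilege review. The JSON Lines layout, the field names, and the sample records are constructed assumptions.

```python
"""Added example, not BetterCloud code: triage of an exported audit log whose
records carry the fields the page lists (user, application, status, event type,
timestamp, description). The JSON Lines layout, the field names and the sample
records are assumptions constructed for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON object per line (not a real BetterCloud export).
SAMPLE_EXPORT = """\
{"timestamp": "2024-03-01T09:00:00Z", "user": "alice@example.com", "application": "google-workspace", "event_type": "user.suspend", "status": "success", "description": "Suspended bob@example.com"}
{"timestamp": "2024-03-01T09:02:10Z", "user": "carol@example.com", "application": "slack", "event_type": "group.delete", "status": "failed", "description": "Insufficient privileges"}
{"timestamp": "2024-03-01T09:03:40Z", "user": "carol@example.com", "application": "slack", "event_type": "group.delete", "status": "failed", "description": "Insufficient privileges"}
{"timestamp": "2024-03-01T09:05:05Z", "user": "carol@example.com", "application": "google-workspace", "event_type": "file.share.remove", "status": "failed", "description": "Insufficient privileges"}
{"timestamp": "2024-03-01T11:30:00Z", "user": "carol@example.com", "application": "slack", "event_type": "user.read", "status": "success", "description": "Viewed profile"}
"""

REQUIRED_FIELDS = ("timestamp", "user", "application", "event_type", "status", "description")


def parse_events(text):
    """Parse JSON Lines into dicts with a timezone-aware datetime, rejecting any
    record that lacks one of the expected fields so a partial export is noticed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"record missing fields {missing}: {line[:60]}")
        # Python < 3.11 cannot parse a trailing "Z", so normalise it first.
        record["timestamp"] = datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
        events.append(record)
    events.sort(key=lambda e: e["timestamp"])   # export order is not guaranteed
    return events


def failures_by_user(events):
    """Count failed events per acting user."""
    counts = defaultdict(int)
    for event in events:
        if event["status"] == "failed":
            counts[event["user"]] += 1
    return dict(counts)


def users_with_repeated_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed events inside some span of `window`
    length, found with a sliding window over each user's sorted failure times."""
    stamps_by_user = defaultdict(list)
    for event in events:
        if event["status"] == "failed":
            stamps_by_user[event["user"]].append(event["timestamp"])
    flagged = []
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EXPORT)
    print(failures_by_user(parsed))
    print(users_with_repeated_failures(parsed))
```

Three refusals in under three minutes from one account is ordinarily a misassigned role or a stale integration rather than anything hostile, but either way it is the row an admin should look at first, and the threshold and window are the two knobs to tune against a real export.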

Hosting Security

BetterCloud is built and hosted exclusively on Google Cloud Platform (GCP). For more information regarding Google Cloud Platform security, please see Google's own Security and Privacy documentation: https://cloud.google.com/security/

Data is actively stored across three availability zones and encrypted at rest. Database and search index backups are performed daily and instantly replicated to geographically distributed data centers.

Corporate Security

A dedicated security team, including a senior officer in the company, is chartered with ensuring the security, confidentiality, and integrity of company and customer data. Our security team performs engineering tests and educational campaigns to mitigate attacks and develop a security mindset as part of the culture of the company.

We actively reduce the attack surface by limiting the number of personnel with access to production, auto-locking employees' computers after a short period of inactivity, and using commercial tools to provide a multi-layered defense.