Security & Compliance
Our customers rely on BetterCloud to discover, manage and secure mission-critical SaaS applications and the data inside them. To protect our customers’ environments, BetterCloud runs on proven infrastructure that is protected by experienced security experts.
Download our Security and Compliance White Paper to learn more.
Compliance & Certifications
BetterCloud is certified for a number of compliance standards and controls, and undergoes independent third party audits to test for data safety, privacy, and security.
A SOC 2 Type II attestation reports on controls relevant to security, availability, processing integrity, confidentiality or privacy. SOC 2 Type II is intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization.
Download a copy of BetterCloud’s SOC 3 Report. Please reach out to your Customer Success Manager or Account Executive to receive a copy of BetterCloud’s SOC 2 report.
The Cloud Security Alliance’s (CSA) Security, Trust & Assurance Registry (STAR) is a free, publicly-accessible registry that offers a security assurance program for cloud services, helping users assess the security posture of the cloud providers they currently use or are considering using.
BetterCloud has achieved Level 1 status with the CSA STAR program. You can view our registry entry with the CSA STAR program, along with the results of our self-assessment and related supporting documentation, by visiting https://cloudsecurityalliance.org/star/registry/bettercloud/.
Privacy Shield certification means that BetterCloud’s privacy and data collection practices have been reviewed and approved by an independent third-party based on the guidelines set forth by Privacy Shield for transparency, accountability and choice regarding the collection and use of consumer personal information.
The BetterCloud Master Subscription Agreement (MSA) and Data Processing Addendum (DPA), as updated from time to time, address the obligations and requirements of the California Consumer Privacy Act (CCPA); the European Union General Data Protection Regulation (GDPR); any laws or regulations that amend, supplement, supersede, repeal or replace the GDPR, or that are intended to ensure the continued application of the GDPR in the United Kingdom once it ceases to be a member state of the European Union (including the Data Protection Act 2018) (collectively, “UK Privacy Law”); or any successor laws of the above. These documents make it easy for customers to share information with their stakeholders, including compliance and privacy managers, customers and potential auditors. For more information, see the Privacy FAQ section below.
The BetterCloud MSA and DPA are supported by the people, processes and technology necessary for protection of customer personal data in compliance with legal and contractual obligations for regulations such as CCPA and GDPR. The key activities implemented for privacy regulations are listed below.
- Provided awareness sessions with customer-facing staff on their roles and responsibilities for compliance
- Updated company-wide security awareness materials to include new customer personal data protection and privacy practices
- Established and assigned data protection roles and responsibilities;
- Established firstname.lastname@example.org and email@example.com for data subjects to submit requests
- Appointed DataRep as our Data Protection Representative in the European Union and the UK, and data subjects in the EU or the UK may exercise their rights by sending an email to firstname.lastname@example.org or submitting this webform
- Californian consumers (as defined by the CCPA) may exercise their rights by sending an email to email@example.com or submitting this webform
- Retained outside counsel with extensive expertise in privacy and security matters to provide ongoing advisory services for privacy compliance
- Established and maintains registers of customer personal data collection and processing activities
- Completed and revises privacy risk assessment to support customer data protection impact assessments
- Maintains SOC 2 security and confidentiality controls to support processing activities for protection of customer personal data
- Established and reviews DPAs and CCPA addenda with sub-processors of customer personal data
- Provides MSA, CCPA addendum and DPA upon request from BCLegal@bettercloud.com to support customer compliance
- Established a privacy-by-design checklist
- Implemented features to support data subject requests from customers exercising their rights to erasure and data portability
GDPR, UK Privacy Law & CCPA FAQ
1. What personal data is processed by BetterCloud?
BetterCloud processes the following types of personal data:
- Contact and job information (Name, Email, Phone, Photo, Title, Address, Department, Manager, IP Address)
- User information (IP address, user activity, helpdesk tickets, satisfaction data)
- Payment information
2. What categories of individuals (aka data subjects) does the personal data come from?
BetterCloud primarily processes personal data from customers’ SaaS application users and administrators.
3. Where does BetterCloud store customer personal data?
All customer personal data is stored by BetterCloud on the Google Cloud Platform (GCP) using datacenters located in the United States of America. BetterCloud enters into data processing agreements with Standard Contractual Clauses to provide an adequate level of protection for data transfers from the EU and the UK.
If you have any questions, please contact your Account Executive, Customer Success Manager, or email firstname.lastname@example.org.
4. How do I obtain a Data Processing Addendum?
We make it easy for our customers to formalize and share with stakeholders, including employees, customers and potential auditors, that they use BetterCloud in a way that meets GDPR and UK Privacy Law data processing obligations. The DPA, pre-signed by BetterCloud, is a self-serve and easy-to-execute document that only requires an electronic signature from the customer.
After you execute the DPA, it will automatically be sent to the BetterCloud Legal team, and if accurately completed, the DPA will then become legally binding. If you have any questions, please email us at email@example.com.
5. Does BetterCloud use any third parties (“sub-processors”) to process customer personal data?
Yes, we do. Please see the sub-processors page for a list of third parties with access to customer personal data.
6. Can BetterCloud help me respond to data subject requests?
Yes, we have established standard operating procedures to support customer data subject requests in compliance with GDPR and CCPA requirements. Please submit requests to your Customer Success Manager, Technical Support, or firstname.lastname@example.org.
BetterCloud’s security model is an end-to-end process, spanning application authentication and metadata storage, the hosting services that power our software, and employee data management and physical security.
- Usernames and passwords are never created, given, or stored by BetterCloud, as all user logins are verified using Single Sign-On.
- The OAuth 2.0 open standard allows customers to authorize BetterCloud to access their SaaS application without sharing personal account credentials.
- Role-Based Privileges enable admins to limit the permissions of some users within a team, including Help Desk, HR, or Security.
- Privileges are built on a multi-tiered system and include functionality to limit users to create, read, edit, or delete actions across applications and specific data objects (such as files or groups).
- BetterCloud accesses APIs for metadata around users, user email settings, groups, organizational units, contacts, calendars, calendar resources, documents, domain settings, and third-party application scope approvals.
- BetterCloud enables customers to scan files in cloud systems such as Google Drive, Box, and Slack, for certain attributes but never stores the content of those searches. BetterCloud only stores the metadata related to those files (e.g. document name, date last modified, owner, document size).
- BetterCloud logs the relevant activity into a system that is immutable, time-synced, and accessible by account admins. Audit logs are fully exportable and can be searched within the application.
- The event logs contain: BetterCloud user activities, the application affected by the event, the event status (success/failed), the event type, a timestamp, and a brief description.
Secure Internet Connectivity (HTTPS)
- All of the BetterCloud application’s externally-facing services use HTTPS to ensure encryption in transit of all customer information, whether that connection is established with a customer’s local web browser or an API endpoint at one of the many SaaS integrations being managed and secured.
- The BetterCloud application uses Transport Layer Security (TLS) version 1.2 or higher to protect HTTPS communications.