
Security & compliance

Our customers rely on BetterCloud to discover, manage, and secure mission-critical SaaS applications and the data inside them. To protect our customers’ environments, BetterCloud runs on leading cloud infrastructure and is protected by an experienced security team.

Download our Trust & Compliance White Paper to learn more.

If you are here to sign a GDPR Data Protection Agreement with BetterCloud, please click here.
To review the GDPR Data Protection Agreement please click here.


Compliance & certifications

BetterCloud is certified against a number of compliance standards and control frameworks, and undergoes independent third-party audits that test its data safety, privacy, and security controls.

AICPA SOC

A SOC 2 Type II report attests to the design and operating effectiveness, over a review period, of controls relevant to security, availability, processing integrity, confidentiality, or privacy (the AICPA Trust Services Criteria). It is intended for the broad range of users who need detailed information and assurance about the controls at a service organization.
Please reach out to your Customer Success Manager or Account Executive to receive a copy of BetterCloud’s SOC 2 report.

ISO/IEC 27001

BetterCloud has been certified to the ISO/IEC 27001:2022 standard. BetterCloud’s ISO 27001 compliance certificate can be viewed and downloaded here.

BetterCloud’s ISO 27001 certification can be verified in Schellman’s directory here.

GDPR, UK Privacy Law & CCPA

The BetterCloud Main Subscription Agreement (MSA) and Data Processing Addendum (DPA), as updated from time to time, address the obligations and requirements of the California Consumer Privacy Act (CCPA); the European Union General Data Protection Regulation (GDPR); any laws or regulations that amend, supplement, supersede, repeal or replace the GDPR, or that are intended to ensure the continued application of the GDPR in the United Kingdom after it ceased to be a member state of the European Union, including the Data Protection Act 2018 (collectively, “UK Privacy Law”); and any successor laws of the above. These documents make it easy for customers to share information with their stakeholders, including compliance and privacy managers, customers and potential auditors. For more information, see the Privacy FAQ section below.

The BetterCloud MSA and DPA are supported by the people, processes and technology necessary to protect customer personal data in compliance with legal and contractual obligations under regulations such as CCPA and GDPR. The key activities implemented for privacy regulations are listed below.

People

  • Provided awareness sessions for customer-facing staff on their roles and responsibilities for compliance
  • Updated company-wide security awareness materials to include customer personal data protection and privacy practices
  • Established and assigned data protection roles and responsibilities
  • Established privacy@bettercloud.com as the address through which data subjects can submit requests
  • Appointed DataRep as our Data Protection Representative in the European Union and the UK; data subjects in the EU or the UK may exercise their rights by sending an email to bettercloud@datarep.com or submitting this webform
  • Californian consumers (as defined by the CCPA) may exercise their rights by sending an email to privacy@bettercloud.com or submitting this webform
  • Retained outside counsel with extensive expertise in privacy and security matters to provide ongoing advisory services for privacy compliance

Process

  • Established and maintains registers of customer personal data collection and processing activities
  • Completed and periodically revises a privacy risk assessment to support customer data protection impact assessments
  • Maintains SOC 2 security and confidentiality controls to support processing activities that protect customer personal data
  • Established and reviews DPAs and CCPA addenda with sub-processors of customer personal data
  • Updated and reviews the BetterCloud Privacy Policy, Product Privacy Statement, and procedures for compliance with privacy laws, regulations and principles
  • Provides the MSA, CCPA addendum and DPA upon request to BCLegal@bettercloud.com to support customer compliance

Technology

  • Established a privacy-by-design checklist
  • Implemented features to support data subject requests from customers exercising their rights to erasure and data portability

GDPR, UK Privacy Law & CCPA FAQ

1. What personal data is processed by BetterCloud?
BetterCloud processes the following types of personal data:

  • Contact and job information (Name, Email, Phone, Photo, Title, Address, Department, Manager, IP Address)
  • User information (IP address, user activity, helpdesk tickets, satisfaction data)
  • Payment information

2. What categories of individuals (aka data subjects) does the personal data come from?
BetterCloud primarily processes personal data of customers’ SaaS application users and administrators.

3. Where does BetterCloud store customer personal data?
All customer personal data is stored by BetterCloud on the Google Cloud Platform (GCP) using datacenters located in the United States of America. BetterCloud enters into data processing agreements with Standard Contractual Clauses to provide an adequate level of protection for data transfers from the EU and the UK.

If you have any questions, please contact your Account Executive, Customer Success Manager, or email privacy@bettercloud.com.

4. How do I obtain a Data Processing Addendum?
We make it easy for our customers to formalize, and to show stakeholders (including employees, customers and potential auditors), that they use BetterCloud in a way that meets GDPR and UK Privacy Law data processing obligations. The DPA, pre-signed by BetterCloud, is a self-serve, easy-to-execute document that requires only an electronic signature from the customer.

After you execute the DPA, it will automatically be sent to the BetterCloud Legal team, and if accurately completed, the DPA will then become legally binding. If you have any questions, please email us at privacy@bettercloud.com.

Sign your DPA here.

5. Does BetterCloud use any third parties (“sub-processors”) to process customer personal data?
Yes, we do. Please see the sub-processors page for a list of third parties with access to customer personal data.

6. Can BetterCloud help me respond to data subject requests?
Yes, we have established standard operating procedures to support customer data subject requests in compliance with GDPR and CCPA requirements. Please submit requests to your Customer Success Manager, Technical Support, or privacy@bettercloud.com.

 


Security

BetterCloud’s security model is an end-to-end process spanning application authentication and metadata storage, the hosting services that power our software, employee data management, and physical security.

Application Security

Authentication

  • BetterCloud never creates, issues, or stores usernames and passwords: every user login is verified through Single Sign-On with the customer’s identity provider.
  • Customers authorize BetterCloud to access their SaaS applications through the OAuth 2.0 open standard, so BetterCloud receives a delegated, revocable authorization rather than anyone’s account credentials.
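The OAuth 2.0 point above is worth seeing concretely. The block below is an added example, not BetterCloud’s code: it walks through the authorization-code grant with PKCE (RFC 7636) that a SaaS integration uses to obtain delegated access. The admin signs in at the SaaS vendor’s own authorization server; the integration receives an authorization code bound to a `state` value and a PKCE verifier, and never sees the admin’s password. The authorization URL, `client_id`, redirect URI and scope names are placeholders.

```python
"""Added example (illustrative, not BetterCloud's implementation): an OAuth
2.0 authorization-code grant with PKCE (RFC 7636).  The integration never
sees the admin's password; it gets an authorization code it can redeem
only together with the verifier it generated.  The endpoint, client_id,
redirect URI and scope names are placeholders."""

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"      # placeholder
CLIENT_ID = "example-integration"                                # placeholder
REDIRECT_URI = "https://integration.example.com/oauth/callback"  # placeholder
SCOPES = ["users.read", "groups.read"]   # request only what the feature needs


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """Query string as a flat dict (last value wins for repeated keys)."""
    return {k: v[-1] for k, v in parse_qs(urlparse(url).query).items()}


def start_authorization() -> tuple:
    """Return (redirect URL for the admin, per-request secrets that the
    integration keeps server-side until the callback arrives)."""
    state = b64url(secrets.token_bytes(16))      # binds the callback to this session
    verifier = b64url(secrets.token_bytes(32))   # 43 chars of high entropy
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "verifier": verifier}


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Validate the redirect back from the authorization server and build
    the token request.  Raises on denial or on a state mismatch; a stolen
    or replayed code is useless without the matching verifier."""
    qs = query_params(callback_url)
    if "error" in qs:
        raise PermissionError("authorization denied: " + qs["error"])
    returned = qs.get("state", "")
    if not returned or not secrets.compare_digest(returned, pending["state"]):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in qs:
        raise ValueError("callback carried no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": qs["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],   # proves we started this flow
    }


if __name__ == "__main__":
    url, pending = start_authorization()
    print("send admin to:", url)
    # Constructed callback, standing in for the authorization server's redirect.
    fake_callback = REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + pending["state"]
    print("token request:", handle_callback(fake_callback, pending))
```

The dict returned by `handle_callback` is what the integration POSTs server-to-server to the token endpoint. The access token it gets back carries only the requested scopes and can be revoked by the customer from the SaaS application’s own settings without touching any password.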

 

Role-Based Privileges

  • Role-Based Privileges let admins limit the permissions of specific users within a team, such as Help Desk, HR, or Security staff.
  • Privileges are built on a multi-tiered system and can restrict users to create, read, edit, or delete actions across applications and specific data objects (such as files or groups).
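To show what a multi-tiered, per-object privilege model has to get right, here is an added example (not BetterCloud’s schema or code) of a deny-by-default authorization check. Roles hold (application, object type, action) grants, a narrower role can inherit a broader read-only tier, and anything not explicitly granted is refused, including unknown verbs. The role names, applications and object types are illustrative assumptions.

```python
"""Added example (illustrative, not BetterCloud's implementation): a
deny-by-default role-based authorization check.  Roles grant CRUD actions
per application and object type; "*" wildcards an application or object
scope but never an action.  Role, application and object names are assumed."""

from dataclasses import dataclass

ACTIONS = {"create", "read", "update", "delete"}


@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset      # of (application, object_type, action)
    inherits: tuple = ()   # lower tiers whose grants this role also receives


# Constructed role definitions (assumed, for illustration only).
ROLES = {
    "viewer": Role("viewer", frozenset({("*", "*", "read")})),
    "helpdesk": Role("helpdesk", frozenset({
        ("okta", "user", "update"),      # e.g. password reset, MFA reset
        ("google", "group", "update"),
    }), inherits=("viewer",)),
    "hr": Role("hr", frozenset({
        ("okta", "user", "create"),
        ("okta", "user", "update"),
    }), inherits=("viewer",)),
    "security": Role("security", frozenset({
        ("*", "file", "delete"),         # remediate risky shares in any app
        ("slack", "app", "delete"),
        ("okta", "user", "delete"),
    }), inherits=("helpdesk",)),
}


def effective_grants(role_name: str, seen=None) -> set:
    """Flatten the inheritance chain.  Unknown roles contribute nothing and
    cycles are ignored rather than recursing forever."""
    seen = seen if seen is not None else set()
    if role_name in seen or role_name not in ROLES:
        return set()
    seen.add(role_name)
    role = ROLES[role_name]
    grants = set(role.grants)
    for parent in role.inherits:
        grants |= effective_grants(parent, seen)
    return grants


def is_allowed(user_roles, app: str, obj: str, action: str) -> bool:
    """Deny by default: only an explicit (possibly wildcarded) grant permits."""
    if action not in ACTIONS:
        return False                      # unknown verbs never match anything
    for role in user_roles:
        for g_app, g_obj, g_action in effective_grants(role):
            if g_app in ("*", app) and g_obj in ("*", obj) and g_action == action:
                return True
    return False


if __name__ == "__main__":
    checks = [
        (["helpdesk"], "okta", "user", "update"),    # True: direct grant
        (["helpdesk"], "slack", "channel", "read"),  # True: inherited viewer tier
        (["helpdesk"], "okta", "user", "delete"),    # False: not in tier
        (["security"], "google", "file", "delete"),  # True: app wildcard
        (["security"], "okta", "user", "create"),    # False: no role grants it
    ]
    for roles, app, obj, action in checks:
        print(roles, app, obj, action, "->", is_allowed(roles, app, obj, action))
```

The check is deliberately a pure function of the role definitions, which makes it straightforward to unit-test every privilege boundary an admin configures and to diff the effective grants when a role changes.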

 

Metadata

  • BetterCloud calls SaaS provider APIs to read metadata about users, user email settings, groups, organizational units, contacts, calendars, calendar resources, documents, domain settings, and third-party application scope approvals.
  • BetterCloud lets customers scan files in cloud systems such as Google Drive, Box, and Slack for certain attributes, but never stores the content of those searches. BetterCloud stores only the metadata related to those files (e.g. document name, date last modified, owner, document size).

Audit Logs

  • BetterCloud records relevant activity in an audit log that is immutable, time-synced, and accessible to account admins. Audit logs are fully exportable and can be searched from within the application.
  • Each event record contains: the BetterCloud user activity, the application affected by the event, the status of the event (success/failed), the event type, a timestamp, and a brief description.
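A record layout like the one above makes an exported audit log a usable detection source. The block below is an added example, not BetterCloud’s code or export format: it runs two rules over constructed JSON-lines entries, a burst of failed actions by one actor inside a short window, and any successful high-risk event type. The field names, the JSON-lines layout and the event-type names are assumptions, and the six entries are constructed sample data. The window logic depends on the timestamps being trustworthy, which is exactly why an immutable, time-synced log matters.

```python
"""Added example (illustrative, not BetterCloud's code): two detection
rules over exported audit-log entries.  The JSON-lines layout, field names
and event-type names are assumptions based on the fields the page lists;
SAMPLE_LOG is constructed data."""

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (assumed format), one JSON object per line.
SAMPLE_LOG = """\
{"timestamp":"2024-05-02T09:00:01Z","actor":"helpdesk@example.com","application":"okta","status":"failed","event_type":"user.password_reset","description":"target not in scope"}
{"timestamp":"2024-05-02T09:00:07Z","actor":"helpdesk@example.com","application":"okta","status":"failed","event_type":"user.password_reset","description":"target not in scope"}
{"timestamp":"2024-05-02T09:00:12Z","actor":"helpdesk@example.com","application":"okta","status":"failed","event_type":"user.password_reset","description":"target not in scope"}
{"timestamp":"2024-05-02T09:00:20Z","actor":"helpdesk@example.com","application":"okta","status":"success","event_type":"user.password_reset","description":"reset for j.doe"}
{"timestamp":"2024-05-02T10:15:00Z","actor":"security@example.com","application":"google","status":"success","event_type":"file.delete","description":"removed externally shared file"}
{"timestamp":"2024-05-02T23:40:00Z","actor":"hr@example.com","application":"okta","status":"success","event_type":"user.delete","description":"offboard k.lee"}
"""

FAILURE_THRESHOLD = 3                    # this many failures by one actor ...
FAILURE_WINDOW = timedelta(seconds=60)   # ... within this window raises an alert
HIGH_RISK_EVENTS = {"user.delete", "admin.grant", "sso.config_change"}  # assumed names


def parse_entries(text: str) -> list:
    """Parse JSON lines and sort by timestamp so window logic sees events in order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        entry["ts"] = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(entry)
    return sorted(entries, key=lambda e: e["ts"])


def detect(entries: list) -> list:
    """Return alert tuples (rule, actor, timestamp) in the order they fire."""
    alerts = []
    recent_failures = defaultdict(deque)   # actor -> timestamps of recent failures
    for entry in entries:
        actor, ts = entry["actor"], entry["ts"]
        if entry["status"] == "failed":
            window = recent_failures[actor]
            window.append(ts)
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()           # drop failures that aged out
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append(("failure_burst", actor, entry["timestamp"]))
                window.clear()             # one alert per burst, not per extra failure
        if entry["event_type"] in HIGH_RISK_EVENTS and entry["status"] == "success":
            alerts.append(("high_risk_action", actor, entry["timestamp"]))
    return alerts


def run_sample() -> list:
    """Run both rules over the constructed sample export."""
    return detect(parse_entries(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, actor, when in run_sample():
        print(f"{when}  {rule:17}  {actor}")
```

Against the sample data the first rule fires on the third failed password reset by the helpdesk account, and the second on the successful user deletion; the file deletion by the security role is not flagged because that event type is not in the high-risk set. In practice both thresholds and the event list would be tuned to the customer’s own role model.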

 

Secure Internet Connectivity (HTTPS)

  • All of the BetterCloud application’s externally facing services use HTTPS to encrypt all customer information in transit, whether the connection is made from a customer’s web browser or to an API endpoint at one of the many SaaS integrations being managed and secured.
  • The BetterCloud application uses Transport Layer Security (TLS) version 1.2 or higher to protect HTTPS communications.

Hosting Security

BetterCloud is built and hosted exclusively on the Google Cloud Platform (GCP). For more information regarding Google Cloud Platform security, please see Google’s own Security and Privacy documentation: https://cloud.google.com/security/

Data is actively stored across three availability zones and encrypted at rest. Database and search-index backups are performed daily and replicated immediately to geographically distributed data centers.

Corporate Security

A dedicated security team, including a senior officer of the company, is responsible for ensuring the security, confidentiality, and integrity of company and customer data. Our security team performs engineering tests and runs educational campaigns to mitigate attacks and build a security mindset into the company culture.

We actively reduce the attack surface by limiting the number of personnel with access to production, auto-locking employees’ computers after a short period of inactivity, and using commercial tools to provide multi-layered defense.

Vulnerability Disclosure

If you think you’ve found a security vulnerability that affects BetterCloud, please contact us at security@bettercloud.com, and a member of our security team will promptly contact you.