Cloudtoolz Security

Audit Questions

Where is Cloudtoolz hosted?

All data centres used are ISO 27001 certified.

Hosting Centre UK

Leaseweb.com with dedicated servers located in Slough (724-729 Dundee Rd, SL1 4JU), United Kingdom. All data is kept in the UK.

London Data Centre LON-01 | UK Data Centers | Leaseweb

Hosting Centre Germany

Strato.de with dedicated servers located in Berlin and Karlsruhe. All data is kept in Germany.

Server Place im Rechenzentrum – rundum geschützt | STRATO 

Hosting Centre Asia Pacific

Leaseweb.com with dedicated servers located in Unit A, 200 Bourke Road, Alexandria, Sydney, NSW 2015, Australia. All data is kept in Australia.

Sydney Data Centre SYD-11 | Australian Data Centers | Leaseweb

Hosting Centre Northern America

Leaseweb.com with dedicated servers located at 7207 Boulevard Newman, LaSalle, QC H8N 2K3, Canada. All data is kept in Canada.

Montreal MTL-02(MNE) Data Centre | Leaseweb

Infrastructure

Cloudtoolz uses a multi-tier setup:

  • Webserver
  • Database Server
  • Redis and Elasticsearch run on a cluster of 3 servers to ensure high performance.

The database, Redis and Elasticsearch servers are only accessible via internal networks.

The connection between the application and the database server uses a SQL Server user with a limited privilege set, i.e. one that cannot access database backups, change security, decrypt the database, etc.

Administrators can only access the servers via VPN from whitelisted IP addresses, and all servers are secured with Duo multi-factor authentication.

All servers are monitored.

How is data stored?

Encryption

The database is encrypted at rest. Transparent data encryption (TDE) is used for the MS SQL Server database.

Transparent data encryption (TDE) – SQL Server | Microsoft Learn

Data Retention

Personal or sensitive data is normally not held in Cloudtoolz.

If sensitive data is held, it is additionally encrypted by the middleware.

The right to be forgotten is enabled for all user accounts.

If Cloudtoolz integrates with a CRM, it follows the data retention settings as set up in the CRM.

Zentso is only a data processor and not a data controller.

Database backups

Backups of the database are kept on the database server on a separate hard drive.

Differential backups are performed at 1am.

Full backups are performed on Saturday at 1am.

Transaction Log backups are performed hourly.
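
The encryption-at-rest statement and the backup schedule above can both be checked from the SQL Server instance itself. The following T-SQL is an added example for auditors, not Cloudtoolz's own code; the age limits are assumed grace windows around the stated schedule, and the differential limit assumes the differential may be skipped on the day of the full backup.

```sql
-- Added audit example (T-SQL), not Cloudtoolz code. Needs VIEW SERVER STATE
-- and read access to msdb. Age limits below are assumed grace windows.

-- 1. TDE state of every user database (encryption_state 3 = encrypted).
SELECT d.name AS database_name,
       d.is_encrypted,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       k.encryptor_type
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4;          -- skip master, tempdb, model, msdb

-- 2. Newest backup of each type compared with the stated schedule.
WITH last_backup AS (
    SELECT database_name, type, MAX(backup_finish_date) AS last_finish
    FROM msdb.dbo.backupset
    WHERE is_copy_only = 0        -- copy-only backups are outside the chain
    GROUP BY database_name, type
)
SELECT d.name AS database_name,
       s.label AS backup_type,
       lb.last_finish,
       DATEDIFF(MINUTE, lb.last_finish, GETDATE()) AS age_minutes,
       CASE
           WHEN lb.last_finish IS NULL THEN 'MISSING'
           WHEN DATEDIFF(MINUTE, lb.last_finish, GETDATE()) > s.max_age_minutes THEN 'STALE'
           ELSE 'OK'
       END AS verdict
FROM sys.databases AS d
CROSS JOIN (VALUES
        ('D', 'full (Saturday 1am)',  8 * 24 * 60),   -- weekly + 1 day grace
        ('I', 'differential (1am)',   49 * 60),       -- daily, one skip allowed
        ('L', 'transaction log',      90)             -- hourly + 30 min grace
     ) AS s(type, label, max_age_minutes)
LEFT JOIN last_backup AS lb
       ON lb.database_name = d.name AND lb.type = s.type
WHERE d.database_id > 4
ORDER BY d.name, s.type;
```

A NULL encryption_state in the first result set means the database has no database encryption key at all, which is a stronger finding than a state other than 3.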

External access control for the web application

The web server itself only has port 443 open.

All traffic is routed via Cloudflare.com before it hits the web server. The public IP addresses are masked behind Cloudflare, preventing DDoS attacks.

User accounts are properly encrypted and hashed. ASP.NET Core Identity is used for user management, and MFA is enabled by default for administration accounts.

Introduction to Identity on ASP.NET Core | Microsoft Learn

Standards to ensure security of Cloudtoolz application

Penetration Tests

A penetration test is performed with https://pentest-tools.com every time a major release of Cloudtoolz is released.