THIS SECURITY STATEMENT WAS LAST UPDATED ON: 14TH NOVEMBER 2017. ANY FUTURE CHANGES WILL BE REFLECTED ON THIS PAGE.
SharpCloud is certified in Cyber Essentials Plus - a government-backed cyber security certification scheme that sets out a good baseline of cyber security suitable for all organisations in all sectors. The certification addresses five key controls:
1. Secure configuration
2. Boundary firewalls and Internet gateways
3. Access controls and administrative privilege management
4. Patch management
5. Malware protection
Data Center Security
SharpCloud (https://my.sharpcloud.com, http://eu.sharpcloud.com and http://uk.sharpcloud.com) uses the Microsoft Azure platform to host the application, database and file storage. The Azure Platform as a Service (PaaS) is designed from the ground up to be secure, stable and scalable. It is created and managed by Microsoft and we have no direct physical access to the data-centres. Our data can be hosted in North US region, the Netherlands and the UK, but Azure is available in many regions around the globe.
Microsoft's own documentation on Azure security is available at: http://azure.microsoft.com/en-us/support/trust-center/security/.
All the data transmitted to our application is stored on multiple disks to protect against any hardware failure. Continuous backups provide a mechanism to restore data to any point in time over the past 30 days. Files uploaded within the application are stored on servers that use precautions against bottlenecks, points of failure and unauthorised access. Data is encrypted at rest (AES 256).
Secure Socket Layer
SharpCloud uses SSL (AES 256) for all user interaction with the application, so the information in transit between your computer and our servers is encrypted and sent using HTTPS.
Redundancy of our Servers
SharpCloud uses Microsoft Azure PaaS to make sure our service is always available. Each server is duplicated (twice as a minimum, sometimes more), meaning that if one should fail for any reason a backup is available to provide uninterrupted access. The platform itself is constantly patched and updated to the latest versions, and allows us to continually develop and deploy new versions of our own software without any interruption to the service.
SharpCloud uses Stripe to acquire, store and process your billing information. Stripe passes SharpCloud only the information needed by our systems – whether the payment went through or not.
Your credit card information is transmitted, stored and processed (by Stripe) securely on a PCI-compliant network. We neither store nor have access to your credit card number.
SharpCloud Application Features
SharpCloud allows each user full control over access to all stories and items created by them. Newly created stories can only be seen by you, i.e. are completely private until you specifically share them in some way.
Our public cloud model stores all the data in a single SQL Azure database, logically partitioned by user. Sharing of stories between users of different companies is possible but can be restricted if not appropriate for your company.
If you prefer a database dedicated to just your company (single tenant), talk to us about private cloud (hosted in your own MS Azure subscription, in a region of your choice) or an on-premises install.
You can’t directly access the database for our public offering but we have lots of tools and services to help you get data in and out of your stories.
Private and on-premises implementations can have direct database access (with SQL logging etc.) if required. Contact us to find out more.
We track data at numerous levels (web, database and OS) and under certain circumstances we may provide you with copies of this data. However, if you require full access you should consider a private or on-premises instance.
Each story you create also contains logging of who has viewed or edited what and when. This information is visible to the owner of the story and anyone else who has been granted admin access.
For each user interaction with the application, SharpCloud authenticates the user's access to the resource being requested.
User accounts are free to create and can either be:
- created by signing up from our sign-up page (you MUST provide a valid email address and a password of your choice). Passwords are salted and hashed, so we never know what they are.
- or created using Microsoft Azure Active Directory (AAD) / Office 365 credentials, in which case we never know what your password is. Using AAD allows you to implement single sign-on (SSO) and have more control over passwords, access control (including multi-factor authentication) etc. across your business.
SharpCloud Employee Policy
Every SharpCloud employee signs an employment contract that binds them to the terms of our data confidentiality policies. Access to customer data is restricted to just a few specific employees for maintaining the SharpCloud service to its users.
Our support personnel don’t have access to your stories unless you specifically share your stories with them. If you have a problem, we can usually resolve it from a screenshot or a good description, but under exceptional circumstances we may ask you to temporarily share the story with us so we can investigate in more detail. In this case you will see any access to the story recorded in the story activity feed as per any other user (see logging).
SharpCloud is committed to consistently improving the security of our service and as such we run regular penetration tests of our application. We are happy to share the results with customers. Contact us to find out more.
Need More Information?
We recognise that some businesses may require much more detailed answers to questions that cannot be answered in a simple web page. If you have further questions, don’t hesitate to get in touch.
Remember that our alternative deployment options (whether directly or via our partners) allow you to install SharpCloud in an environment that suits you.