Effective Date: 14 November 2019
How We Protect Services and Data
Instaclustr is committed to providing a robust and comprehensive security program including the security measures set forth in these Supplemental Terms (“Security Measures”). During the Contract Term, these Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as We deem reasonably necessary.
Security Measures Utilized by Us
As provided for in 14.4 of the Master Services Agreement, We will abide by these Security Measures to protect Service Data as is reasonably necessary to provide the Services:
- Security Policies and Personnel. We have and will maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is and will be reviewed on a regular basis to provide for continued effectiveness and accuracy. We have, and will maintain, a full-time information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
- Data Protection. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Your Data. All Instaclustr services rely on Google GSuite and ZenDesk for customer interactions. Instaclustr has reviewed these services and is satisfied that they meet a reasonable level of security for information typically provided to our technical support team. You should review the security practices of Google and ZenDesk to confirm that you are satisfied that the level of protection is appropriate for any data you are considering submitting to Instaclustr.
- Audits and Certifications. Upon Customer’s request, and subject to the confidentiality obligations set forth in this Agreement, Instaclustr will provide copies of certification reports. You are not permitted to provide those reports to any third party, including internal auditors. You will restrict access to Instaclustr compliance reports to only those people in your team with a need to know.
- Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel. We require such personnel to have unique IDs and associated authentication credentials. These credentials are used to authenticate and identify each person’s activities on Our systems, including access to Your Data. Upon hire, Our approved personnel are assigned unique credentials. Upon termination of personnel, or where compromise of said credential is suspected, these credentials are revoked. Access rights and levels are based on Our employees’ job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
- Data Movements. In order to provide you with the most effective response, information submitted to Us via email or our support portal may be sent to any or all members of our support team, in Australia, UK and the US. As such, Instaclustr requires that you ensure that information that is considered Personal Information, Health Information, or PCI related data is NOT submitted to Us via email, our support portal or any chat interface. The only approved mechanism for submitting such data is directly to a managed cluster.
- Data Protection. Cluster safeguards include the ability to enable encryption of Your Data at rest and in transmission to Your Environment (using TLS or similar technologies) over the Internet, except for any Third Party Services that do not support encryption, which You may link to through the Services at Your election. Some Instaclustr instances do not support encryption. This is clear in the Instaclustr console on cluster creation, and you are responsible for ensuring that the protection required for Your Data is appropriately enabled.
- Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of Our systems or data that includes a response time under which Instaclustr will contact its customers upon verification of a security incident that affects Your Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to service incidents. Unless ordered otherwise by law enforcement or government agency, You will be notified within seventy-two (72) hours of a Data Breach. “Data Breach” is defined as an unauthorized access or improper disclosure that has been verified to have affected Your Data.
- Network Management and Security. The Sub-processors utilized by Us for hosting services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our security team utilizes industry standard utilities to provide defence against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular external vulnerability audits.
- Data Center Environment and Physical Security. The Sub-processors which are utilized by Us, as per Your instructions, for hosting services in connection with Our provision of the Service employ their own security measures. You are responsible for verifying that the measures of Your chosen provider are appropriate for Your use case. We review each supported provider’s SOC2 report and are satisfied that they meet an appropriate level of protection for both Our and Our Customer’s Data. We recommend that You obtain and review the SOC2 report of the underlying Cloud Provider(s) that You are considering. Where Services are within the scope of Instaclustr security accreditations, Instaclustr will review at least the SOC2 report of the service at least once per year. Any issues will be assessed in accordance with our vulnerability assessment process.
Customer Responsibilities—Baseline Security Controls
At a minimum, we require you to implement and monitor the following aspects of the security of your account and cluster. You are responsible for:
- Configuring firewall rules via the Instaclustr Console.
- Configuring encryption between the client and the cluster.
- Approving user access to the cluster.
- Removing user access to the cluster on a timely basis.
- Providing accurate, current, and complete information in your communications with Instaclustr.
- Reading release notes published on the company’s website.
- Determining the authentication method to the console from those supported by Instaclustr (i.e. password rules or two-factor authentication).
- Cluster capacity planning and cross data center performance considerations.
- Defining and configuring the number of nodes and hence the layers of redundancy required.