Security Policy

This Security Policy was last revised on March 13, 2018.

A certain amount of confidence is needed when relying on third-party vendors to manage and handle your online data securely. Cloud security is important because it is essential for protecting hosted information; we understand that even small gaps in security coverage can put everything at risk, including your data, customer information, uptime, and potentially a company's reputation. Therefore there is a need for a general understanding of what we at CloudMQTT are doing to protect the integrity of your data.

This document gives a brief introduction to the security policies of CloudMQTT. It is a living document that is continually updated. Our security policies are not limited to this document; effective security is a team effort that we evolve all the time. We routinely audit and manage the security of our services and apply security best practices.

Our internal development, operations, and processes themselves have been constructed to provide maximum data security.

  1. System security

    1. Coding standards and development

      A well-built environment starts with high coding standards that guard against attempted security breaches and are accompanied by code reviews and tests. We have strict development processes and follow specified coding standards to ensure the best security practices.

    2. Application Security

      System components undergo tests (various black-box and white-box tests) and source code reviews to assess the security of our application interface, architecture, and services layers before our code is put into production. CloudMQTT always reviews the security of third-party applications before adding them to CloudMQTT services.

    3. System Configuration

      Server and system access is limited to a few people at CloudMQTT and requires SSH keys to identify trusted computers, along with usernames and passwords. Furthermore, everyone at CloudMQTT is required to enable 2-step authentication on every cloud platform that provides it (such as AWS and Heroku). We do not share individual authentication credentials. SSH keys are rotated frequently.

    4. Patch Management

      CloudMQTT always applies patches to our servers and associated devices based on security advisories. Critical patches are applied within 48 hours of the patch's release.

    5. End-point Security

      All end-points (computers, laptops, mobile phones) use encrypted storage, secure passwords and auto-locking mechanisms. On mobile phones, only applications from trusted application stores such as the App Store and the Google Play Store are allowed. All end-point devices are patched to the latest stable OS update and application updates. Malware and anti-virus applications are installed where applicable.

  2. Physical Data Center Security

    Our physical infrastructure is hosted and managed in AWS. We rely on their flexible and secure cloud infrastructure to store data logically across multiple cloud regions and availability zones. The data centers ensure the utmost in data security and protection. They ensure that all data is stored in highly secure data centers. AWS is secured and monitored 24/7. Physical access to datacenter facilities is strictly limited to select cloud staff. They continually manage risk and undergo recurring assessments to ensure compliance with industry standards.

    How specific datacenters handle fire detection, power loss, climate disasters, temperature control, datacenter management, etc., can be found on the datacenters' websites.

  3. Customer Data Security

    CloudMQTT provides several security capabilities and services to increase privacy. No one will be able to connect to or view your Mosquitto instance as long as you take care of your connection credentials.

    We have anonymized all customer information used in development and test environments.

    1. CloudMQTT employees data access

      All employees undergo pre-employment background checks and must agree to company policies including security policies. We provide an ongoing yearly program of security awareness training designed to keep all members of staff informed and vigilant of security risks.

      A few employees at CloudMQTT are able to access the servers and Mosquitto. We ensure that we will not view any messages sent across our servers without permission. CloudMQTT cannot access message payloads that have been encrypted at the client level.

      All electronic devices used by CloudMQTT employees have disk-based encryption enabled.

      1. CloudMQTT Onboarding Policy

        All new employees at CloudMQTT are required to read and agree to both the security policy and the privacy policy.

      2. CloudMQTT Exit Policy

        During the employee exit process, all login details for the resigned employee are removed and SSH keys are rotated.

        All data on electronic devices used by the resigned employee is completely removed.

        The resigned employee has signed an agreement not to disclose anything about business operations or customer details after resignation.

    2. Data in Transit (Cryptographic Policy)

      CloudMQTT uses SSL/TLS to secure data in transit. SSL certificates are updated on a regular basis or in the event of a security advisory from external security centers. You have to enable TLS/SSL to and from your application to ensure secure transit between CloudMQTT and your application (read more in section 3.4.3 TLS).

    3. Data at rest

      Messages and their payloads can be encrypted to secure data at rest.

    4. Security capabilities - Customer Best Practices

      This section describes what you can do to protect your account in the best way possible.

      1. Password protection and 2-step verification

        You are responsible for maintaining the secrecy of your unique password and account information at all times. We recommend that you use a strong passphrase and rotate your password once in a while; password rotation can be done from the control panel of your instance. We also recommend that everyone in the team enable 2-step authentication to secure access to your account even more.

        Use CloudMQTT teams to invite your co-workers to your project rather than sharing user credentials.

      2. Unusual account activity

        We want to keep you in the loop on important actions on your CloudMQTT account. Therefore we will notify you via email if we detect something unusual about a recent access.

      3. TLS and encrypted data

        CloudMQTT supports TLS (SSL), with which you can encrypt your data in transit and protect sensitive data transmitted to and from applications. Note that TLS only secures messages during transport. For highly sensitive information (HIPAA, PCI, etc.) we recommend that you encrypt your message bodies on your side, with a shared key between your publishers and your consumers.
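        The client-side payload encryption recommended above, as an added example that is not part of CloudMQTT's policy or software: the publisher seals each message body with a pre-shared AES-256-GCM key and the consumer opens it, so TLS protects the connection while the broker only ever stores and forwards ciphertext. The SharedKey value, the topic name and the choice to bind the topic as additional authenticated data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// SharedKey is a constructed placeholder for the 32-byte key provisioned
// out of band to every publisher and consumer; it never passes the broker.
var SharedKey = []byte("0123456789abcdef0123456789abcdef")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPayload runs on the publisher before the MQTT publish. The topic is
// bound as additional authenticated data (an assumed design choice), so a
// ciphertext replayed on another topic fails to open.
// Output layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
func EncryptPayload(key []byte, topic string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(topic)), nil
}

// DecryptPayload runs on the consumer; anything altered in transit or while
// queued on the broker is rejected because the GCM tag no longer verifies.
func DecryptPayload(key []byte, topic string, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("payload too short to hold nonce and tag")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], []byte(topic))
}
```

        The bytes returned by EncryptPayload are what you pass to your MQTT client's publish call; the consumer passes the received bytes to DecryptPayload and treats any error as a message to discard.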

  4. Technical and Organizational Measures / Security Concept

    The following TOMs are conducted by 84codes AB.

    1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b of the GDPR)

      Physical access control
      No unauthorized access to data processing systems is permitted. Data is stored in highly secure data centers. All data centers that run our solution are secured and monitored 24/7. Physical access to datacenter facilities is strictly limited to select cloud staff.

      Logical access control
      No unauthorized system usage. SSH keys are required to identify trusted computers, along with usernames and passwords. 2-step authentication is enabled on every cloud platform that provides it (platforms such as AWS and Heroku). Individual authentication credentials are not shared. SSH keys are rotated frequently. All end-points (computers, laptops, mobile phones) use encrypted storage, secure passwords and auto-locking mechanisms.

      Data access control
      No unauthorized reading, copying, changing or removing within the system.

      Separation control
      Personal Data is processed in dedicated systems. Data is not shared with other services, applications or corporate entities. Within individual systems and databases, data is segregated with logical access control. Personal Data will not be used for purposes other than those it was collected for without explicit customer approval.

    2. Measures to ensure integrity (Art. 32 para. 1 lit. b of the GDPR)

      Transfer control
      No unauthorized reading, copying, changing or removing during electronic transmission or transport. Data in transit is encrypted and encrypted storage is used.

      Input control
      Determination of whether and by whom personal data was entered, changed or removed in data processing systems by logging.

    3. Measures to ensure availability and resilience (Art. 32 para. 1 lit. b of the GDPR)

      Availability control
      Protection against accidental damage or destruction or loss via escalation ways and emergency plans.

      Order control
      No data processing under commission according to Art. 28 of the GDPR without corresponding instructions from the Data controller via explicit contract design, formalized order management, stringent selection of the service provider, obligation to convince in advance, follow-up inspections.

      Resilience
      Systems and services are designed so that they can withstand intermittent peaks or constant high processing loads.

    4. Measures for the pseudonymisation of personal data

      Use of personnel, customer, and supplier IDs instead of names.

    5. Measures for the encryption of personal data

      Data encryption.

    6. Measures to quickly restore the availability of personal data after a physical or technical incident

      Personal data is stored in database backups on redundant data storage.

    7. Procedures for periodical review, assessment and evaluation (Art. 32 para. 1 lit. d of the GDPR; Art. 25 para. 1 of the GDPR)

      Privacy management to prevent the flow of important information to unauthorized individuals.

      Incident response management plan.

      Data protection by default (Art. 25 para. 2 of the GDPR).

  5. Privacy Policy

    CloudMQTT Privacy Policy can be found here: https://www.cloudmqtt.com/privacy_policy.html

    The privacy policy clearly defines what data is collected and how it is used when you use the CloudMQTT Service. We take steps to protect the privacy of our customers and protect data stored within the platform.