Security & Privacy
The concept of cloud computing is still perceived by many as rather vague. A simple description might be the processes and applications provided over the Internet. However, cloud services can also differ greatly in terms of code base, facilities, hardware, staff and procedures. It is difficult to know who is behind the service and which provider is best suited to your needs. Many of the companies offering cloud services are more than a few years old.
One of the best ways to understand cloud computing is to look at where the business data being stored is going. From a desktop, phone or tablet to a data hall. Let's see how it works at Storegate AB.
Data security at Storegate
Cloud guarantee with privacy and security in focus
Storegate's customer data is stored in a reliable environment where customers can make maximum use of the services in a safe, secure and efficient way. The equipment is owned by Storegate and the data halls are located in Sweden.
Facilities, systems and personnel meet stringent requirements and we offer a fully redundant environment with optimal conditions in terms of power supply, cooling, climate, fire detection and extinguishing systems.
Storegate's services are monitored around the clock via surveillance systems. In the event of operational disruptions, on-call technicians are automatically alerted. Entrances to the data halls are protected by access control systems, internal sections and burglar alarms.
Storegate works with independent consultants for ongoing penetration testing, vulnerability assessment and testing to standards such as OWASP TOP TEN.
Storegate never scans information for business development purposes or to sell advertising.
Account access and authentication
When you create your account on Storegate, we have created the conditions for you to choose a strong username and password that is adapted to your company's policy.
- Password factors (minimum number of characters required by numbers, special characters, capitals, etc.)
- Password reset from the administrator or via support
- Limited number of login attempts (brute force)
- Automatic logout in case of inactivity
- Token-based Oauth login for clients and web
- Two-step verification with apps that support the TOTP protocol, e.g. Microsoft and Google Authenticator
Single Sign On
For Enterprise customers, Storegate offers support for Single Sign on. This gives companies centralized control over user accounts in Storegate. If a company shuts down a user centrally, that person can no longer log in to the service. Similarly, as an administrator, you can manage and control your users. This is done by logging into your administrator account on Storegate.com.
Mobile access
Mobile users can access their Storegate accounts via mobile browsers or a specific Storegate app. When a user connects via a mobile phone (iPhone, iPad, Windows, Android, etc.), HTTPS encrypted authentication is applied. All data sent between the server and the mobile application is encrypted using the TLS banking standard. If a mobile device is stolen or lost, the administrator can block the person's account so that access to the information in the service is blocked in real time.
Uploading and transferring
Once you have logged in to the service via one of our interfaces, you can upload files and folders. The upload itself is simple from the user's perspective, but at Storegate we optimise the performance and security of the transfer itself. All data is encrypted with 128-bit TLS encryption. This means you don't need to use VPN tunnels or similar to access your data from different geographical locations. The same process is reversed when downloading files to your devices.
Permission levels and information sharing
Once your files have reached Storegate and are ready for sharing, collaboration or storage, there are options to decide who and what can access the information. For example, each user can set sharing permissions in collaboration folders. By sharing folders externally, it is also possible to determine who and what partners can access your information and upload information to your account. Sharing can be restricted by time intervals and passwords that the recipient needs to access the content.
Global settings
At a global level, administrators can set certain restrictions on one or more users. In addition, the administrator can determine:
- Who can create folders or upload files
- Which users should be invited to the account
- How much each user can store in the home directory and in the backup section
- Which files should be permanently deleted (active/inactive recycle bin)
- How many versions of each file should be in the account
- When and who should receive backup status reports
- When a user is to be deleted
Storage and encryption
All files stored in the Storegate system are encrypted with AES 256-bit encryption. Furthermore, all files in the systems are stored with scrambled paths and filenames. This means that it is never possible to trace which files and referrals belong to the owner of the files, i.e. the account holder. For all services and protocols on Storegate, 128-bit TLS encryption is also applied during transmission. For Backup Pro, files are optionally encrypted with a user-generated encryption key (256-bit AES encryption). The system has built-in protection against SQL injection and brute force attacks. The system will automatically block failed login attempts that are repeated based on IP address and username.
Deleting stored information
When files are in the trash, they remain until you choose to empty all or part of the trash. If you delete files from the trash, they can never be recreated. If you choose to close an account, the data is stored for 60 days, after which Storegate deletes all data in accordance with the Personal Data Act.
Our guidelines
The security of your information starts in our office, in our data warehouses and with our procedures. All Storegate employees have an employment contract that includes confidentiality towards our partners and customers. Like most online services, we have a small number of employees with police records who must be able to access user data for the reasons outlined in our user agreement (e.g., when we are legally required to do so). But these are rare exceptions, not the rule. We have strict policies and technical access controls that prohibit employee access except in these rare cases. In addition, we employ a number of physical and logical security measures to protect user information from unauthorized access.
Storegate also works to maintain the security of its own office network with:
- Network intrusion detection system
- Application logging, reporting, analysis, archiving and preservation of data
- Continuous monitoring
Administration of your data
Storegate technicians or customer support may temporarily need access to customers' accounts to handle technical issues and support. Again, we have established thorough policies and powers of attorney to help us assist you with as little oversight as possible.
Application and hardware architecture
In each data hall, Storegate maintains full redundancy in terms of load balancers, routers, servers, switches and failover configurations, etc. Data that is written is replicated in real time on multiple servers.
Summary
Storegate's system is a complex environment that requires multiple layers of security. From hardware like storage systems to soft values like the staff working at Storegate. Storegate's top priority is and remains the security of its customers' digital information. If you need more information in a specific area please contact Storegate and we will be happy to answer your questions.
GDPR
When Storegate stores your data
Storegate complies with GDPR and we have a DPO (Data Protection Officer) named Martin Källström who can be reached at dpo@storegate.se. We have also developed an incident management plan, a privacy policy and if you would like a data processor agreement, you can order it here. If you are no longer a customer of ours, you can change or remove the information at any time by notifying and contacting us. Our ambition is to constantly work with relevant content, integrity, honesty, transparency and responsibility.
When you store other people's personal data
As a Storegate customer, we've made sure you can comply with GDPR. First of all, all data is stored in Sweden (GDPR requires storage within the EU). The fact that it is Swedish storage also protects your data from being affected by foreign laws. In addition, there is a logging feature on all business accounts. This means that you can follow what has happened to a specific file and who has done it. Invaluable if you have several people working on the same files and want full control. Below you can read more about important points for your company when it comes to GDPR.
To consider
Personal data you process must have a legal basis. Processing personal data must always be supported by the General Data Protection Regulation. The legal basis can be consent before you process personal data.
Right to know. Your customers and employees have the right to know, free of charge, what information you are processing about them, the purpose of the processing and where the processing is taking place.
Right to object. The right to object includes, for example, the right to unsubscribe from all your newsletters, the law is particularly clear here. You are also not allowed to use personal data that you have processed on an invoice to send emails with offers, unless you have specifically notified the customer to do just that and have confirmed consent.
The right to be forgotten. This rule is perhaps the most difficult to deal with as it places very specific requirements on your business. If you have addresses of customers in e.g. an excel.file or in an email, these should be deleted if the customer requests this. There is a concept called legal basis and it can usually take precedence over the customer's request to be forgotten. For example, if consent has been obtained to store an invoice with name and address, this is a lawful basis. However, after 7 years, this invoice must be deleted as the data will no longer have a legal basis. So there may be different purposes for your processing of personal data, with the storage of invoices being one, and the contact in your address register being another.
The right to be notified of a data breach. Should your storage account be hacked and you hold personal data, the persons concerned have the right to be notified within a reasonable time in certain circumstances.
Not complying with GDPR can be costly. Companies that do not comply with the GDPR risk large fines of up to 4% of their total turnover. It's not just about IT but all personal data handling. For example, if you have a payroll, this contains personal data and it is your responsibility to have rules on how this is cleared if people leave the company.
Here are some tips on how your business can comply with GDPR. Think of all personal data as borrowed and that when you have no purpose for it, it should be deleted. Your company is responsible for all personal data, regardless of where it is stored. It's your responsibility to make sure IT system providers have the right security systems in place to protect your customers' data. You must have procedures for deleting personal data and document where and how your data is stored and handled.
Control questions you can ask in your work to comply with the GDPR:
- Why do we store the data instead of deleting it?
- Has the customer/individual really given his/her consent to storage?
- Why do we save the data? For example, you may not store unnecessary information such as age unless you can justify this as necessary for your business and your customer.
- What is the purpose of the treatment? Categorise these purposes.
- How long is it justified to keep the data? Set up procedures to clean out old data.
- If a customer wants to be forgotten, how do we act? (If you delete a file with personal data, remember that it may still be in the trash)
- If a customer wants to know what is stored, what message do you give?
- How do you know that the person requesting the data is really the person they claim to be?
Please note that you must legally secure your particular activity and that the above text is simplified. If you want to read more about what the Data Protection Authority says about cloud services and the Personal Data Act, you can find it here.
CLOUD Act
Most Swedish companies and organisations have processes and procedures in place to comply with the new, stricter EU data protection legislation (GDPR) introduced on 25 May 2018. However, there are other aspects that are just as important to consider when a company chooses a cloud service to store, share and collaborate with company files.
That same year, 2018, on 23 March, a new US law, the CLOUD Act (Clarifying Overseas Use of Data), came into force, which means that US authorities must be given access to data stored on US cloud services, even if it is stored abroad, and that US cloud services cannot refuse to disclose such data.
To meet GDPR requirements, US cloud services have been forced to offer storage within the EU to Swedish companies. With the CLOUD Act, this means that US law applies to data stored with a US cloud service even if it is within the EU and it can be very costly for a Swedish company to ignore these risks.
Privacy Shield
What does the invalidation of the Privacy Shield mean and what are the consequences?
Some time ago, the European Court of Justice announced that the "Privacy Shield" data protection agreement, which allowed transfers of EU citizens' personal data to the US, has been annulled. This occurred in the context of the ruling in Schrems ll vs Facebook on 16 July 2020.
The ruling means that it is no longer permissible to transfer personal data belonging to EU citizens to US-owned cloud services.
My provider says our current transfer can lean on standard contract clauses?
Several US cloud service providers claim that the transfer of personal data can be considered lawful because they can rely on standard contractual clauses, just as many companies did in 2015 when the European Court of Justice invalidated Safe Harbour (the predecessor of Privacy Shield).
The lawfulness of such a transfer based on standard contractual clauses requires an assessment of the legal system of the country to which the personal data are transferred. That is, in this case, whether the US provides sufficient protection for the personal data of data subjects. This is something that few, if any, companies and organisations in the world are in a position to assess.
The data protection authority has updated its recommendations on transfers of personal data to the US in the light of the ruling. They explain that any organisation that previously relied on the Privacy Shield for transfers must now identify the flows of personal data that exist within the organisation and the cases in which personal data may be transferred to the US. If data is transferred to US-owned cloud services, it should be possible to demonstrate the level of protection in the recipient country in the specific case. The company must then consider whether or not the transfer is justified.
Plan for the long term and choose a sustainable IT provider and a secure cloud service
A logical consequence of the new EU directives and regulations on digital information is that many Swedish companies are now in need of other alternatives to American cloud services and IT solutions. Organisations across Europe are now looking for local providers and in the longer term this could have positive effects for the whole European Union. We are moving towards a digital transformation where companies choose services that offer data storage that complies with European laws and values. In turn, this protects both human rights, as well as Europe's and Sweden's own level of innovation around cloud services.
We at Storegate are a Swedish alternative on the European market. Storegate makes it easy and secure for companies and individuals to store and share files. We care about everyone's privacy and store all information in Sweden in accordance with the GDPR, under Swedish law. Of course, support is included.
You are welcome to try our servicesor contact us for more information.