Your security and privacy is our #1 priority.
Security Best Practices
The following best practices are followed to ensure your data remains private and secure:
- cloudHQ uses industry-standard OAuth password-less authorization protocol when connecting to Google Docs and Dropbox. This means cloudHQ has no access to your passwords for these services.
- For certain services that do not support OAuth, cloudHQ requires users to specify their username and password. These credentials are securely stored on cloudHQ secure storage and encrypted with 256-bit AES encryption.
- cloudHQ does not permanently store your files. When cloudHQ accesses your data via API, it might temporarily cache part of the content, but cloudHQ never stores any of your files permanently on its servers.
- All 256-bit AES keys for encryption and decryption of users’ credentials are encrypted and stored in a special "wallet". This wallet is encrypted using a password that is not stored on any of our servers. The password to open this wallet is known only to the cloudHQ administrator who manages our production server.
- Communication between cloudHQ servers and Google Docs, SugarSync, Basecamp, and Dropbox is always done over a secure SSL channel. Communication between cloudHQ servers and your browser is always done over a secure SSL channel.
- cloudHQ product software and infrastructure are updated regularly with the latest security patches. Our network is protected by an enterprise-class firewall.
Built-in data encryption
Every account cloudHQ protects receives a unique AES 256-bit encryption key. All meta-data saved on our servers for the account is encrypted with that key. The keys are encrypted and stored in a special "wallet". This wallet is encrypted using a password that is not stored on any of our servers. The password to open this wallet is known only to the cloudHQ administrator who manages our production server. stored in a special "wallet".
- All authenticated user interaction (login, service configuration, settings changes, accessing logs, etc.) occurs over a 256-bit encrypted channel (SSL).
- All data transmissions with third-party APIs (e.g. Google Apps, Salesforce) occur over a 256-bit encrypted channel (SSL).
- All meta-data is encrypted using a randomly generated AES-256 bit key unique to each user.
How do we ensure security of your data?
Data Flow Between Cloud Accounts
Here is a short overview of how cloudHQ replicates data:
- cloudHQ process connects to source and target cloud services via API (for example, Google Drive API and Dropbox API). The connection is established via SSL, using OAuth 2.0 for authentication.
- Data is read from source cloud service (e.g., Google Drive) and then uploaded to target cloud service (e.g., Dropbox).
- No data being transferred is stored on our servers.
Authorization with Cloud Accounts
cloudHQ uses an OAuth mechanism to authorize cloud account access. This means cloudHQ has access only to an OAuth token and we never access the user’s password. OAuth tokens are encrypted.
The key to decrypt these tokens is stored in a special file called a “wallet.” This file is encrypted using a key that is not persistently stored. Ultimately, this means that the password to open the wallet needs to be entered each time a sync process or our Web application is started.
This “wallet” password is known only to the system operator maintaining cloudHQ servers. Furthermore, these “wallet” passwords are periodically refreshed.
Authentication of End-Users
By default, cloudHQ users are authenticated via Google OpenID Connect. Access to our service requires that the user be logged in to Google Apps and that Google has already verified the authenticity of the user. This is our default because Google’s authentication framework has many important security mechanisms, such as two-phase authentication and detection of login location (e.g., if login is coming from an unusual IP address). For users who choose to use a login and username to access our system (instead of Google OpenID Connect), we store a hashed password using BCrypt with a 32-byte salt.
cloudHQ monitors and logs all actions of any authenticated user to detect possible unusual activity. cloudHQ requires that a password be at least 8 characters long. In case of a password reset, we require that the user have access to his/her email. cloudHQ support will never reset or change a password via email or support request.
Safe Harbor compliant
cloudHQ is self-certified in compliance with the US Department of Commerce Safe Harbor program. We maintain and enforce privacy practices that comply with the EU Privacy Directive on the protection of customer data. We have controls to give notice to customers when collecting personal data, allow customers to access and update their own information, and provide adequate security around all personally identifiable information.
cloudHQ undergoes regular penetration testing and daily vulnerability scanning to maintain the security of our solution. We’re continually scanning and testing our services internally, as well as contracting with external firms.
Data control and monitoring
cloudHQ gives you advanced admin controls to manage and monitor your data, including:
- Ability to control who in your org can use other cloud apps (i.e., their private Evernote etc.)
- Ability to monitor data shared and stored in cloud accounts
- Audit log of account activity
Additional Security Protections
Protection against Denial of Service (DoS)
cloudHQ uses CloudFlare technology to protect our service against DoS attacks.
Protection against phishing and similar threats
cloudHQ uses CloudFlare technology to protect our service against the following possible problems:
- Only clients’ matching browsers are allowed – browser integrity check
- IP addresses blacklisted by CloudFlare’s network are blocked
- All known threats are detected and blocked even before they are sent to our servers
Regular technical vulnerability assessments and
We regularly monitor and penetrate all ports on our servers. The script ensures that only ports 22 and 433 are open. Each new feature related to security is independently assessed for vulnerability by an external contractor (e.g., possible XSS bugs and similar) before being deployed on production.
Intrusion detection and monitoring
We use Unix tool Fail2ban to detect and subsequently ban any attempt to log in to or access our servers. The server has only two ports open: SSH port 22 and HTTPS port 443. All other ports are blocked using both CloudFlare firewall and external firewall and an internal Unix firewall program called IPTables. Login via SSH is possible only via RSA keys. So any attempt to log in using an invalid RSA key or login/password combination will cause a ban of the IP address using the internal Unix firewall. The HTTPS port is monitored for access, and IP addresses detected as malicious are banned using IPTables. On the application level, we log the history of IP addresses used to access accounts. If an IP address appears to be from a different country, the security response team is alerted. The account might be disabled and all OAuth2 tokens invalidated. All commands executed on the server are also logged.
Physical protection of servers
Our system runs on dedicated and virtual servers provided by leading cloud providers with provide additional physical security for servers. For example, the racks which host our servers have their own physical key and access code, which are needed for physical access to these servers. Personnel of our hosting provider cannot access servers without our providing them with the access code (based on the RSA key). The servers are running chassis intrusion alarm.
Employees of cloudHQ are strictly forbidden from seeing users’ filenames or file content. If, in order to solve a support ticket, we need to have access to filenames or to file content, we are required to ask you for explicit permission to do so. All access will be logged, and you can request audit logs at your discretion. Data is NEVER shared with anybody outside cloudHQ.
cloudHQ may collect and store the following information when running the cloudHQ Service:
- When you register an account, we collect some personal information, such as your name and email address. Payment is handled by PayPal, so we are not storing credit card or other billing information.
- When you use the Service, we automatically record information from your Web browser. This may include the Device’s Internet Protocol (“IP”) address, browser type, the Web page visited before you came to our website, information you search for on our website, and locale preferences.
- cloudHQ also uses “cookies.” A cookie is a small data file that we transfer to your Device. cloudHQ uses “persistent cookies” to save your registration ID and authentication information for future logins to the Service. We also use “session ID cookies” to enable certain features of the Service, to better understand how the user interacts with the service and to monitor aggregate usage and Web traffic routing on the Service.