Security and Data Access Policy for Cloud Management Platform
This document outlines what customer data Cloud Management Platform accesses, why, what data is stored, and how we do that. If you're not using DoiT Cloud Management Platform for the following features, this article doesn't apply.
Enterprise Cloud Accounts (formerly Sandboxes)
Google Cloud Rightsizing
Google Kubernetes Engine Metering
Google Cloud and/or AWS Proactive Quota Monitoring
AWS ASG Optimizer
TL;DR: We only access data required for Cloud Management Platform (CMP) functionality. We store and handle your data in a secure way, encrypted in transit and at rest. We do not provide the data to any 3rd party, with the exceptions required for core CMP functionality and listed below.
What we access
The list below denotes all permissions we require to your Google Cloud Organization and why.
While this provides us permissions to read info about your resources, none of these allow us to access your data, such as GCS objects or a BigQuery table's data.
The following permissions are used to get information about your Google Cloud resource hierarchy and correlate it with billing.
The following permission is required for CMP Sandbox functionality (create Google Cloud projects)
The following permissions are required to provide you with Rightsizing Recommendations for your Google Compute Engine instances across your entire organization
AWS ASG Optimizer analyzes your Auto Scaling Groups based on cost and usage and get recommendations to replace on-demand EC2 instances with Spot instances.
What we store
We only store data required for CMP functionality.
Cloud Billing exports- required for core Billing functionality; stored in BigQuery
User information - required for core CPM functionality; stored in Firestore
Assets created via using CMP (Invoices, Billing Profiles, etc.) - required for core CMP functionality; stored in Firestore
Contracts - required for core CMP functionality; stored in Google Cloud Storage
Service Account Keys - required for core CPM functionality; stored in Firestore and encrypted with KMS
How we handle and store your data
All data we handle are encrypted in transit using industry-standard protocols like HTTPS (TLS).
All data we store are encrypted at rest:
Google BigQuery - using Google-managed encryption keys and Advanced Encryption Standard (AES)
Google Firestore - using Google-managed encryption keys and AES
Google Cloud Storage - using Google-managed encryption keys and AES
Service Account Keys - encrypted using Google Cloud KMS and stored in Google Secret Manager
Who can access your data?
DoiT International employees in customer-facing roles, such as Account managers and Support engineers, can access your data using the CMP platform. Only a small team of core CMP developers is able to access your data directly in the underlying storage.
Service Account keys are only used by backend systems to retrieve relevant data from GCP. Only a small team of core CMP developers has access to the KMS keys used for encryption and would be able to decrypt the keys.
We do not provide your data to any 3rd party, with the exceptions listed below required for core CMP functionality.
CMP Support - We use ZenDesk as a backend for support ticketing functionality. All ticket-related data are stored in ZenDesk and retrieved using ZenDesk APIs .
Payments - We use Stripe for payments. All payment-related data (such as Credit card or bank account details) are stored in the Stripe platform and used via Stripe APIs .
EU and GDPR Compliance - we have many customers in the European Economic Area and we handle your data in compliance with the General Data Protection Regulation (GDPR) .
We're working towards completing our SOC 2 Type 2 audit. We anticipate the Type 2 report being available during Q2, 2021.