Our team is highly skilled and aware of what they are working on. Security practices with our personnel are based on these principles:
- All staff members have to sign a legally binding NDA with Pilvia.
- Employee access to data will only be granted if they have been educated on the security risks and when they have enough competense to fully understand them.
- Access is granted only to the data or service that is essential to the task at hand
Built in security
All our services comes with standard HTTPS certificate to protect the network. Customer access is done only with secure SSH/SFTP connections and unprotected FTP use is completely blocked. Pilvia Ltd’s background is in maintaining Linux-based systems and that is likely to contribute to the security of the service, since users of Linux systems often choose it for security reasons.
All of our services run in the cloud. Pilvia does not run our own routers, load balancers, DNS servers, or any physical servers. Services and data are located in Google Cloud Platform data centers in the EU. If not otherwise mentioned the data center is St. Ghislain, Belgium . Pilvia may move customer site to another data center within the same country, but will not move sites to another country without site owner permission.
Security at Google is state of the art and the proof of that can be found here:
Google Security Whitepaper:
Standards, Regulations & Certifications
data center security
Pilvia Ltd itself does not collect personal information about our customers’ customers, and is therefore not the controller of that data. However we store server access and error logs for a limited time. Every network connection and each entry including information such as the IP address of the connection and the timestamp. These logs do not collect personally identifiable information and we do not edit the data because that would be inconsistent with the requirement of auditability. The logs are used to analyse traffic amounts and in many ways to promote security.
We backup our data to ensure the service availability and integrity. All backups stored in the Google Cloud have the same access rights as the other Pilvia core services. They are carried out for security reasons so that they will always remain a certain time, usually a one or two weeks. At the end of this backup cycle data in backups is completely deleted. At the end of the service the customer site with all including data will be permanently deleted and can not be recovered after the end of the backup recording time.
The data controller is made available to all the information, which are necessary for the demonstration of compliance with the obligations laid down in, and will allow audits and inspections to the extent that is possible without infringing another customer or the provider of data protection and business secrets. Audit and inspection charges may apply, which is proportional to the amount of work entailed the facilitation of inspection.
Since Pilvia services are totally Google cloud based we can not provide any kind of audits to Google data centers or Google services beyond our own access possibilities.
Incident Response Plan
- We have a formal procedure for security events and have educated all our staff on our policies.
- In case of an security event our teams are quickly notified and assembled to investigate and fix the issue.
- We will shortly notify customers when we have verification of a security breach that affects your data. Notification will contain description of the breach and our investigation status
- For future reference we write analysis of the security event after it is fixed.
Application build process
Usually we deploy changes to our code many times a day and the build process is highly automated. That in mind we are confident that in case of security breach we can fix it very safely and fast when it is required.
c/o Logomo Konttori
20100 TURKU, FINLAND