CyberVadis is committed to keeping your data confidential, and you may read more about our commitment and certifications here.
Security is always at the forefront of CyberVadis’ concern, from design to operations. In this article, we would like to share more details about how your data is handled internally.
How is your data classified?
All customer data is classified as confidential and, as such, must strictly follow these guidelines:
Strong transport encryption
Strong encryption with a unique key for each customer
Encryption at rest
Least-privilege access principle with just-in-time access
How is your data transported?
Data is transported using TLS 1.2 strictly; any other version of TLS is declined. TLS 1.3 is currently under evaluation. The server certificate uses a 2048-bit RSA private key. Cipher-suite negotiation prefers the strongest encryption first. Some weaker (but not vulnerable) ciphers are still available for now.
How is your data stored?
CyberVadis services are hosted at ISO/IEC 27001-, ISO/IEC 27018-, SOC 1-, and SOC 2-certified Microsoft Azure data centers located within the EU. Microsoft Azure's data centers are certified to comply with the most comprehensive portfolio of internationally recognized standards and certifications of any cloud service provider. Microsoft takes a layered approach to physical security.
CyberVadis enforces encryption at rest on all Azure storage by default. Permissions to use the keys stored in Azure Key Vault, either to manage them or to access them for encryption-at-rest encryption and decryption, can be granted to Azure Active Directory accounts (see Data access and restrictions).
Additionally, documents are encrypted using a one-time symmetric Content Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is then encrypted using a Key Encryption Key (KEK).
CyberVadis generates a content encryption key (CEK), which is a one-time-use symmetric key.
Customer data is encrypted using this CEK.
The CEK is then wrapped (encrypted) using the key encryption key (KEK). The KEK is identified by a key identifier and can be an asymmetric key pair or a symmetric key and is stored in a key vault. The storage client itself never has access to the KEK. It just invokes the key wrapping algorithm that is provided by the key vault.
The encrypted data is then uploaded to the Azure Storage service.
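The four steps above are the envelope-encryption pattern. The following Go program is an added example, not the Azure Storage client SDK or CyberVadis' code: it generates a one-time 256-bit CEK per document, encrypts the document with AES-256-GCM, wraps the CEK with a 2048-bit RSA KEK (RSA-OAEP with SHA-256; the page says the KEK may be asymmetric or symmetric, so the asymmetric case is an assumption), and assembles the envelope that would be uploaded. The KeyVault type is a hypothetical in-process stand-in that exposes only wrap and unwrap, mirroring the point that the storage client never sees the KEK. It also shows what the pattern buys a defender: a second document never reuses a CEK, a modified ciphertext fails to open, and an envelope cannot be opened by anyone without access to the named KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what gets uploaded to storage: ciphertext, nonce, the wrapped
// CEK and the identifier of the KEK that wrapped it. The plaintext CEK is never stored.
type Envelope struct {
	KeyID      string
	WrappedCEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// KeyVault is a hypothetical stand-in for a key vault: it keeps the KEKs and
// exposes only Wrap and Unwrap, so callers never handle the private key.
type KeyVault struct {
	keks map[string]*rsa.PrivateKey
}

// NewKeyVault creates a vault holding one freshly generated 2048-bit RSA KEK.
func NewKeyVault(keyID string) (*KeyVault, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyVault{keks: map[string]*rsa.PrivateKey{keyID: kek}}, nil
}

// Wrap encrypts a CEK with the public half of the KEK (RSA-OAEP, SHA-256).
func (v *KeyVault) Wrap(keyID string, cek []byte) ([]byte, error) {
	kek, ok := v.keks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", keyID)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &kek.PublicKey, cek, []byte(keyID))
}

// Unwrap recovers a CEK; only the vault holds the private half of the KEK.
func (v *KeyVault) Unwrap(keyID string, wrapped []byte) ([]byte, error) {
	kek, ok := v.keks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", keyID)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, []byte(keyID))
}

// aead builds the AES-256-GCM primitive for a given CEK.
func aead(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt performs the four steps: fresh one-time CEK, AES-256-GCM over the
// document, CEK wrapped by the vault, and the envelope assembled for upload.
func Encrypt(vault *KeyVault, keyID string, doc []byte) (*Envelope, error) {
	cek := make([]byte, 32) // one-time 256-bit symmetric key
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	defer func() { clear(cek) }() // drop our copy of the plaintext CEK on return
	gcm, err := aead(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// The KEK id is bound as associated data, so an envelope cannot be
	// silently re-pointed at a different key without failing authentication.
	ciphertext := gcm.Seal(nil, nonce, doc, []byte(keyID))
	wrapped, err := vault.Wrap(keyID, cek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedCEK: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt unwraps the CEK through the vault and opens the ciphertext; any
// change to ciphertext, nonce or key id makes GCM authentication fail.
func Decrypt(vault *KeyVault, env *Envelope) ([]byte, error) {
	cek, err := vault.Unwrap(env.KeyID, env.WrappedCEK)
	if err != nil {
		return nil, err
	}
	defer func() { clear(cek) }()
	gcm, err := aead(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	vault, err := NewKeyVault("customer-a-kek-v1") // constructed key id
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(vault, "customer-a-kek-v1", []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	env.Ciphertext[0] ^= 1 // simulate a modified object in storage
	_, err = Decrypt(vault, env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

The design point worth noting is that key rotation only ever touches the small wrapped CEK, never the document: re-wrapping with a new KEK and updating KeyID is enough, and revoking a customer's KEK in the vault makes every envelope under it unreadable without rewriting any object.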
Documents are stored for the duration of your agreement with CyberVadis plus up to three years in accordance with GDPR, but can be deleted once reviews are over at the customer’s demand.
During evidence review, the documents are temporarily shared on a Google Workspace to allow CyberVadis security analysts to review them securely. Documents remain encrypted at every step. Security analyst access is made online exclusively with no possibility to download or modify the documents. The share is automatically deleted 24 hours after the review is validated.
In rare instances, a security analyst might require the download of a document (e.g., image translation). In this event, a senior security analyst must approve the request, and the document is immediately deleted after processing.
This double encryption allows CyberVadis to offer best-in-class protection to your documents.
Customers' data in our systems are theirs, and we do not scan those data for marketing purposes nor sell them to third parties. CyberVadis will not process data for any purpose other than to fulfil our contractual obligations. Furthermore, if customers wish to delete their evidence uploaded throughout the assessment process, we commit to deleting it upon receiving a written request at no additional cost.
Data access and restrictions
CyberVadis logically isolates each customer's data from that of other customers and users. Only a small group of named CyberVadis employees has access to both the encrypted data and the keys required to decipher them. Access to production infrastructure is granted to a limited number of senior personnel, with two-factor authentication required for all accounts. CyberVadis employs RBAC and follows the principles of need-to-know and least privilege in enforcing its access matrix. All access to infrastructure resources is logged and is subject to periodic audits and forensic review.
Is your data being sent to third-party suppliers?
All data-processing activities are performed internally, and no customer data is being sent to a third-party provider aside from the infrastructure provider (Microsoft Azure). However, CyberVadis may employ third-party suppliers to perform technical operations. Third-party suppliers are required to enter appropriate security, confidentiality, and privacy contract terms, along with employee security training, prior to performing any task on our systems.
The protection of customer documents is a primary consideration in all of CyberVadis' technical, operational, and procedural choices. CyberVadis follows cybersecurity best practices to earn the trust of our customers, and we will continue to invest in maintaining this level of commitment.
For more detailed information concerning our Certificates, please take a moment to consult our Trust Center.