Privacy Policy for CloudManager

Cloud Technology Solutions Ltd
Lowry House
17 Marble Street
Manchester
M2 3AW

Privacy Policy for CloudManager

Last modified September 2019

We have created this privacy statement in order to demonstrate our firm and continuing commitment to the privacy of personal information provided by our customers when installing and using CloudManager a Solution of Cloud Technology Solutions Ltd. We hold the privacy of your personal information in the highest regard. The following discloses our information gathering and dissemination practices for CloudManager.

We recognize the importance of protecting your privacy and our policy is designed to assist you in understanding how we collect, use and safeguard the personal information you provide to us and to assist you in making informed decisions when using CloudManager. This policy will be continuously assessed against new technologies, business practices and our Customers’ needs.

CloudManager are committed to protect Customer Subjects’ privacy and the confidentiality of Customer Subject data to the maximum extent permitted by law and/or accepted by industry standards.

Our Privacy Policy explains:

  • What information we collect and why we collect it.
  • How we use that information.
  • How you can opt-in or opt-out.

Roles

Data Controller

The Customer is the Data Controller.

Data Processor

Cloud Technology Solutions Ltd. is the Data Processor.

Opt-In

CloudManager will only store information about Customer Subjects where the Customer has chosen to install, activate and configure CloudManager within their Google G Suite Domain.

It is the Customer’s responsibility to (a) ensure that Personal Information is dealt with in a way that is compliant with Article 1(1) of the GDPR; and (b) to justify the processing of the 2 Personal Information is in accordance with Article 6(1) of the GDPR, and communicate that justification to each Customer Subject in accordance with relevant laws. It is also the Customer’s responsibility to have appropriate privacy policies in place with Customer Subjects, and to otherwise comply with applicable law as a Data Controller.

During installation of CloudManager the Customer is notified of the access to Personal Information required by CloudManager and must accept that access before completing the installation.

Installation does not automatically synchronise or store user data, and subsequent configuration actions must be completed by the Customer to achieve this.

The Customer can opt-out at any time and remove CloudManager from their G Suite Domain.

Data Processing

What Information Do We Collect?

There are three types of information collected and processed to provide the CloudManager Services:

  • Device Information
    We collect IP addresses of devices connecting to CloudManager.
  • Log Information
    When you use CloudManager we automatically collect and store certain information in server logs. This includes:
    • User ID of users logging into CloudManager (including their username and login).
    • Details of how you use the service.
  • Customer Subject Information
    We may process the following data that you provide to us about Customer Subjects:
    • Name
    • Job title
    • Company name
    • Addresses
    • Mobile telephone number
    • E-mail address
    • IP address and browser information
    • Job Title
    • Department
    • Web links
    • Profile photograph
    • Instant Message address

This information is not used by Cloud Technology Solutions Ltd. for any purpose other than to facilitate and support the Customer’s use of CloudManager, and shall only be kept for as long as it is relevant to that purpose for which it was collected or for as long as required by law.

As the data owner a Customer has control over which data it collects about Customer Subjects. Therefore, additional Personal Information may be held and processed by us if CloudManager is configured to do so by the Customer.

Who is collecting the data

The data is collected from Customer Subjects by the Customer.

How do we collect the data

The data is collected or added by the Customer using one or more of the following methods:

  • Data upload by the Customer (spreadsheet) relating to Customer Subjects
  • Manual input by the Customer’s Subjects

Why is it the data being collected

The data is collected in order to provide the functionality of CloudManager required by the Customer.

How will the data be used

The data is used by the Customer to manage their G Suite Domain or access/use additional functionality provided by CloudManager. Data collected by Cloud Technology Solutions Ltd. is used to provide the CloudManager Service and better develop the product.

Who will the data be shared with

CloudManager will not access, view or review any accessible Customer Subject data unless:

  • either Customer or a government agency or regulatory body specifically requests us to do so;
  • when performing routine backup and restore operations, virus scan and virus removal, spam and content filtering; or
  • if such access, view or review is urgent and necessary to protect personal safety, perform troubleshooting, restore systems operation in the event of a server failure, remove illegal or offending (e.g. pornographic, violating our policies, etc.) content or prevent a server failure, Service outage or other damage.

Under no other circumstances will CloudManager access Customer Subject data or share Customer Subject data with any third parties without Customer prior permission, except to the extent required by law or governmental or regulatory body or necessary to render our services to the Customer.

How CloudManager secures any information stored

CloudManager is hosted within the Google App Engine platform and therefore benefits from the security measures provided by Google. In addition, to protect the data we process CloudManager has been designed with the following Security features:

Application Hosting

CloudManager is built within the Google App Engine environment and as such takes advantage of the extensive controls and practices Google has to protect the security of Customer information. Google applications run in a multi-tenant, distributed environment. Rather than segregating each Customer’s data onto a single machine or set of machines, Google data from all Google customers (consumers, business, and even Google’s own data) is distributed amongst a shared infrastructure composed of Google’s many homogeneous machines and located across Google’s many data centers.

Access

Access by CloudManager administrative engineers to production environments is similarly controlled. A centralized group and role management system is used to define and control engineers’ access to production services, using an extension of the above-mentioned security protocol that authenticates engineers through the use of a personal x509 certificate that is issued to them.

Data in Transit Protection

  • HTTPS enforced between end user device and service provider
  • Encrypted transmissions between Google servers
  • SSL for Google APIs

Asset protection and resilience

Datacentre locations are available on public Google maps.

All datacentres restricted and covered by Statement on Standards for Attestation Engagements (SSAE) No. 16 Type II / International Standards for Assurance Engagements (ISAE) No. 3402 report (or a comparable report) and ISO/IEC 27001

After a termination of the contract CloudManager data is held for 28 days within Google's systems. After 28 days this data is deleted permanently from the systems.

Additional Links

CloudManager Terms & Conditions
https://www.CloudManagerforwork.com/terms-conditions/

Google Cloud & the General Data Protection Regulation (GDPR)
https://www.google.com/cloud/security/gdpr/

Contact details
cloudmanager@cloudsolutions.co.uk

Google CloudPlatform Model Contract Clauses
https://cloud.google.com/terms/eu-model-contract-clause

Google Cloud Platform ISO27001 Certificate and Scope
https://services.google.com/fh/files/blogs/btd-sec-op-2014-grey.pdf

Google US Privacy Shield Framework Active PArticipant Entry
https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI

Changes

From time to time we may make changes to this policy to reflect any changes to our privacy practices in accordance with changes in legislation, best practice enhancements. We will notify you about material changes to this policy by sending a notice to the email address you provided to us or by placing a prominent notice on our website.

Key terms

APIs

A set of functions and procedures that allow the creation of applications which access the features or data of an operating system, application, or other service.

Customer

In this policy, references to “you” or the “Company” refers to the organisation who submits data to us.

Customer Subject

An individual in respect of whom the Customer provides to us the Personal Information, and who will usually be an employee of the Customer.

Device

A device is a computer that can be used to access Google services. For example, a device could be a desktop, tablet or smartphone.

GDPR

The General Data Protection Regulation (EU 2016/679)

Google App Engine

Google App Engine (often referred to as GAE or simply App Engine) is a web framework and cloud computing platform for developing and hosting web applications in Google-managed data centers.

G Suite Domain

Your domain host is the Internet hosting service that stores the records you need to update when you set up G Suite. These DNS records control where you receive your email, your web addresses, and settings for your domain.

HTTPS

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.

IP Address

Every device connected to the Internet is assigned a number known as an Internet protocol (IP) address. These numbers are usually assigned in geographic blocks. An IP address can often be used to identify the location from which a device is connecting to the Internet.

Multi-tenant

Multi-tenancy is an architecture in which a single instance of a software application serves multiple customers

Personal Information

This is information that you provide to us which personally identifies you, such as your name, email address or IP Address.

Role Based Access

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users.

Server Log

CloudManager stores information for the operation and troubleshooting of the Service. This includes IP Address, user ID, errors, and access times.

SSL

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.

User ID

A unique sequence of characters used to identify a user and allow access to CloudManager.

X509 Certificate

An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.

    Close Menu