Security & Privacy

Security & Privacy: Our Commitment

Introduction

UpCloud stands at the forefront of the European cloud infrastructure industry, rooted in Finland’s rich tradition of technical and business excellence. Every customer who chooses to partner with us isn’t just selecting a cloud hosting solution; they’re placing their confidence, their business, and their aspirations in our hands.

Recognizing the weight of this responsibility, we believe it is imperative to shed light on our operations, ensuring all stakeholders have a clear understanding of both the opportunities and the responsibilities inherent in cloud operations.

This document serves as a testament to our commitment—offering a transparent view of our operations, with a particular focus on security measures, thereby fortifying the trust our customers and  partners place in us.

1. Privacy Compliance

Laws and Regulations

As our company is registered in Finland, we comply with the privacy and data protection laws and regulations of Finland and the European Union (EU). The key piece of legislation in this area is the General Data Protection Regulation (GDPR) which applies to all countries of the European Economic Area (EEA). We are committed to complying with the applicable data protection and privacy laws and helping our customers achieve their compliance objectives in this field.

Our Data Processing Roles

UpCloud processes personal data both in the capacities of Data Controller and Data Processor (as the terms are defined in GDPR), depending on the relationship in which we process that personal data:

• UpCloud acts as a Data Controller when we process the personal data of our customer prospects, customers and service users for the purpose of providing our services, managing customer relationships, charging service fees, and promoting UpCloud services and brand (so-called “Account Information”), which includes, for example, customer’s contact persons and their contact details, user data and other usage data of our services, payment and credit card information, or communications with the customer’s representatives. For more information on how UpCloud processes personal data as a Data Controller, please read our Privacy Notice.
• UpCloud acts as a Data Processor when we process personal data in collection with our cloud infrastructure services on behalf of our customers. This is the data our customers upload and store on our servers to be processed in our data centres (so-called “Customer Data”). The Customer Data may include any type of data, depending entirely on what kind of operations the customer decides to run on UpCloud.

Data Processing Agreement

If the Customer Data contains any personal data, the processing of such data is governed by our Data Processing Agreement (DPA), which is incorporated into our Terms of Service. We have carefully drafted a DPA that reflects the specific features of our cloud computing services and takes into account both parties’ interests. The DPA becomes binding on the parties when the customer accepts the Terms of Service, so there’s no need to sign a separate DPA with UpCloud.

Security of Personal Data

We ensure the security, integrity, confidentiality, availability and resilience of the personal data we process on behalf of our customers. You can find more information about our organisational security measures and the security features of our services on this page.

Subprocessors

We only use our 100%-owned subsidiaries as subprocessors of the Customer Data, all of which are covered by our ISO 27001 certification. The list of subprocessors can be found in Appendix 1 of the DPA. The actual subprocessors UpCloud uses in each case depend on the services the customer decides to order. As regards virtual servers deployed in our data centres located in the EU, we don’t use any subprocessors in the provision of the service.

International Transfers

All Account Information is stored in Finland but it is accessible by the members of our global support and sales teams, some of whom are working outside the EEA. The Customer Data is stored in the data centre which the customer selects through the service control panel. UpCloud doesn’t move the data from the selected data centre without the customer’s explicit request. Our operations team members’ access to the Customer Data is restricted: We have disallowed privileged full operating system remote access, physical access and live server remote consoles to all machines inside the EU for our employees located outside the EU. Non-EU operations team members will still have limited monitoring and troubleshooting capabilities to ensure our 24/7/365 operations, but they are technically prevented from accessing any Customer Data stored or processed on the systems.

In these international transfers, we rely on either the European Commission-approved Standard Contractual Clauses executed between UpCloud group companies or an adequacy decision by the European Commission as the transfer mechanism, depending on the country. You may request a copy of the Standard Contractual Clauses executed between UpCloud group companies by contacting our Legal Team at [email protected]. If you have any questions or concerns about international transfers of personal data, we are happy to assist you. Please contact our Support Team at [email protected]for any queries.

Employee Training & Awareness

We provide our employees with regular training on privacy and data protection matters.

Data Retention

The customer controls the Customer Data and determines the appropriate retention period for it. The customer can at any time delete or retrieve a copy of the Customer Data. UpCloud stores the Customer Data as long as there is a valid service agreement in place between the customer and UpCloud. After the agreement expires or is terminated, UpCloud will delete the customer’s virtual servers and any data contained therein. Account Information is retained in accordance with our Privacy Notice.

Data Breaches

As per our DPA, we will inform customers without delay of all personal data breaches concerning their Customer Data. We will also cooperate with the customer in case of data breach investigations. To minimise the risk of data breaches, we recommend customers take advantage of the additional security features of our products, such as enabling multi-factor authentication.

2. Security Compliance

Introduction

Security isn’t just about technology; it’s about trust. With our commitment to ISO 27001, CISPE code of conduct and broader security compliance, you can trust us to manage your data.

ISO 27001: The Gold Standard in Security

As an integral part of our security framework, we’re proud to be ISO 27001 certified. This international standard not only signifies our dedication to maintaining a high level of information security but also ensures that we adhere to recognized best practices in managing and safeguarding your data. Our Information Security Policy is available here. Our ISO27001 certification is available here.

Continuous Improvement Cycle 

The ISO 27001 standard is not a one-off certification. We undergo regular reviews and audits, pushing ourselves to continuously improve and adapt our security posture in response to the evolving threat landscape.

Risk Management

Part of our ISO 27001 commitment involves a holistic approach to risk management. We don’t just focus on technology; we encompass people, processes, and tech in our security endeavours.

Employee Training & Awareness 

Human error can be a significant security risk. We invest in regular training for our team, ensuring they’re always up-to-date with the latest security protocols and practices.

Regular Audits 

Regularly audited by independent third parties to ensure unwavering adherence to ISO 27001 standards.

Open Dialogue

We believe in maintaining an open dialogue with our customers about our security practices. If you have any questions or concerns about how we manage and protect your data, we’re here to answer them. Contact us via email or live chat.

Beyond ISO 27001

While ISO 27001 remains a core component of our security compliance, we’re also committed to aligning with other global and regional security standards and regulations, ensuring a comprehensive and multi-faceted approach to security. We are aligned with ISO 3100, NIST CSF and CISPE Code of Conduct and our data centre providers have multiple industry certifications on top of ISO 27001:2022.

We also have a bug bounty program and offer a public Vulnerability Disclosure Program for reporting vulnerabilities.

3. Advanced Product Security Features

Your trust is paramount, and our infrastructure is designed to protect against a broad spectrum of potential threats.

Managed Object Storage and Databases for Secure data 

All data, both in transit and at rest, is encrypted using industry-leading protocols. Automated backups and security updates keep the infrastructure secure.

Managed Kubernetes and Loadbalancer carefree infrastructure

Managed services have automated backups and security updates that help you scale your security needs. Managed Load Balancer supports automated SSL certificate renewal and you can integrate it to Kubernetes service.

Multi-Factor Authentication (MFA)

Strengthen access controls with MFA, ensuring that only authorised personnel can access your data.

Site-to-Site VPN Gateway (Beta)

You can connect your office or data centre to the UpCloud SDN network with private encrypted traffic.

No Platform level restrictions

UpCloud allows users freedom to build their infrastructure according to their needs/standards and you can choose between more secure or more performant systems.

Private Cloud available

Private clouds are by design more secure than Public Clouds as compute hardware is dedicated allowing better data isolation, data control and the ability to meet compliance requirements that are not possible in Public Cloud.

Regular Patching & Updates 

UpCloud actively monitors and promptly acts upon vulnerabilities, keeping our systems updated and secure. UpCloud utilises software created in-house to avoid vendor vulnerabilities, make patching vulnerabilities faster, and reduce the software attack surface.

Protected network 

UpCloud protects networks and servers against DDOS attacks. DDOS attacks can be mitigated inside UpClouds own network and in transit providers’ networks.

Large Partner Network 

UpCloud has a large partner network that can help you if you need more specialised security services.

Encryption at Rest

At Rest encryption is available for HDD and MaxIOPS block storage products to make securing your data even easier.

Stay Secure With Us

The security and privacy of your data is not just our commitment; it is integral to our ethos. Trust in our cloud infrastructure and know that we place your security at the forefront of everything we do.