Security Whitepaper
Cloudasta’s Commitment to Security
Cloudasta takes security very seriously. We are committed to protecting our customers’ information from any data exposure and reinforce high-level security standards.
This document outlines our security protocols and best practices to always keep your data safe and secure.
Security Protocols
Required Scopes | |
Admin Directory | We use Google’s Workspace API scope to check if a user on a customer’s account is a Super Admin to allow access to our billing application. For more information about this scope, please refer to Google’s Admin SDK documentation. |
Data Encryption | |
Device Requirements | All devices using Cloudasta connect through HTTPS connections. |
Database | Google Cloud encrypts all customer content stored at rest using AES-256 encryption. For more information, please refer here. |
Architecture & Infrastructure | |
Hosting Provider | Cloudasta is hosted on Google Cloud Platform (GCP) which is highly scalable, secure, and reliable. More information is available from Google here. |
Architecture Type | Cloudasta operates with Google’s VM-architecture and managed services handled and maintained by Google engineers. |
Location | Stored in the United States of America. Cloudasta’s application and database are both hosted in the United States of America. |
Backups | Data is backed up automatically by Google Cloud Platform. Cloudasta’s database is fully managed within Google Cloud. For more information you can visit Google’s official documentation here. |
Authorization and Access Control | |
User Authentication Method | Super Admins authenticate via Google OAuth 2.0 to access Cloudasta’s billing application. Cloudasta never stores any OAuth Token. Google OAuth 2.0 is the Google-standard protocol for authorization. Cloudasta will never handle your passwords in any shape or form. |
2-Step Verification (2SV) | 2-Step Verification is enforced and mandatory for all Cloudasta employees to ensure no one from outside Cloudasta has access to information. For more information on how 2SV protects accounts, please see Google’s documentation here. |
Partner Access | Partners are granted access to limited configurations within your domain, but your private and sensitive data, such as emails in Gmail and Google Drive content, is never exposed. This configuration access makes it easier for Partners to troubleshoot any issues you might have with managing Google Workspace. Every reseller action is logged to your Admin audit log, and access can be removed at any point as shown in this Google Workspace official support article. |
Security Compliance | |
Audit Logs | All security and transactional activity is logged into the customer’s Google Workspace Audit Logs. To learn how to audit these logs, please refer to Google’s official support documentation here. |
Third party services | |
Customer Invoicing and Payments | All payment data is handled via secure PCI-certified third-party payment infrastructures (Stripe or PayPal), which protect PII data. Cloudasta neither has access to nor stores any customer payment information. Cloudasta will never ask for credit card information directly. |