DATA STORAGE & ENCRYPTION

Data center:

By default the data is stored in 3 undisclosed Azure locations in the Netherlands (Azure Western Europe region), with a failover in Ireland (Azure Northern Europe region). If a customer has specific data requirements the customer can choose any of the 54 Azure regions worldwide: https://azure.microsoft.com/en-us/global-infrastructure/regions/ at the following locations: https://azure.microsoft.com/en-us/global-infrastructure/locations/. For each customer tenant, all Mavim database(s) are isolated and are only approachable by said customer. The customer is in full control over who has access to their database(s) by using the Mavim Connect Center. We let our customers and partners choose data and app locations so they can ensure their own compliance requirements are met. 

At the moment we can deploy directly in Azure Western Europe region, Northern Europe region, South Central US region and Central Asia region. If you require Mavim to be deployed in another Azure region, we can, but it might take a few days and some additional cost. 

Customer environments and data in Azure are isolated using numerous mechanisms, technologies, policies, processes, and architectural elements. We have a change management process in place for DNS zone file updates. We manage our DNS zones by using Azure PowerShell: https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones

Encryption:

We encrypt customer`s data with AES-256 using a unique key per customer. Data in transit and at-rest is encrypted by various protocols like BitLocker, HTTPS, and IPsec.

For data in transit, customers can enable encryption for traffic between their own VMs and end users. Azure protects data in transit, such as between two virtual networks. Azure uses industry standard transport protocols such as TLS (always the latest version supported by Azure) between devices and Microsoft data centers, and within data centers themselves. All connections between Microsoft Azure and Mavim are encrypted.

Key management:

For wild card certificates and SSL private key management a sub-domain is created for each customer and a separate URL. Permission to access keys within the key vault are managed by Azure Active Directory to establish an audit trial and prevent keys from being compromised. Public facing SSL certificates are signed by an external trusted CA. Signature algorithm is SHA-2 and key size is RSA 4096 for the Mavim Portal and RSA 2048 for the Mavim Manager.

We have enabled HTTP Strict Transport Security (HSTS) and have a documented encryption key management procedure, covering a.o. key generation, distribution, storage, escrow/backup, rotation, and accountability/audit. Customer`s data is sanitized by Microsoft Azure, they adhere to ISO 9001 and 27001, SOC 1 and 2. Upon contract termination, data is securely deleted after 6 months as standard (seperate agreements can be made).

Keys are only handled at the server side. Key values are never echoed back to the client side user interface, not even encrypted values. Private SAML certificates are stored in the Azure certificate store.

Data deletion in Azure is according to NIST SP 800-88 R1 “Guidelines for Media Sanitization”
https://devblogs.microsoft.com/azuregov/data-security-qa-with-john-molesky-azure-security-engineering/