Security is an absolute top priority for MacStadium and one that we take very seriously. We hold and maintain top certifications and deploy world-class physical, network, and process-level security at each of our locations. We strive to continuously improve our security practices; our work is never done.
As a provider of Infrastructure-as-a-Service (IaaS), MacStadium has responsibility only up to the hypervisor layer. Our customers hold responsibility for OS, application and data layer security. We give you root access to every aspect of your environment to deploy and maintain security policies as you see fit.
Our default security policies and dedicated infrastructure keep every customer secure. However, we understand every organization is different, and we can meet the needs of even the most stringent teams. We can provide tools to meet any need from isolation to encryption to direct connects and beyond.
MacStadium is independently ISO/IEC 27001:2013 and ISO/IEC 27002:2013 certified as a company across all of our data centers. This can save you time and money from an audit, certification and compliance perspective, and your developers can rest easier knowing that we hold this globally-recognized security certification.
MacStadium’s US data centers maintain SOC 1 Type 1 & 2 and SOC 2 Type 1 & 2 compliance. System and Organization Controls (SOC) audits have stricter requirements than ISO with respect to physical and data center-level cyber security. Learn more about the SOC suite here.
Passed in 2016, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to give EU citizens more control over their personal data. The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. Nearly every corporation in the world will need to be ready when GDPR comes into effect on May 25, 2018.
MacStadium is GDPR ready, and our infrastructure, procedures and certifications enable our customers to be GDPR compliant. Given MacStadium’s IaaS role, we urge you to evaluate the GDPR and start reviewing your security, compliance and data protection processes to ensure compliance. If you already have robust compliance, security and data privacy practices in place, your move to GDPR should be simple.
All of our data centers are audited and/or certified by various internationally-recognized attestation and certification compliance standards. Below is the list of our data center locations and the associated certifications. To request an NDA, ISO certification letter, SOC summary report or certificate listed below, or if you have any other compliance related questions, please contact us.
MacStadium’s data centers are housed in secure, restricted access buildings that provide the highest levels of physical security. Our colocation providers (Zayo Group and Equinix) house our infrastructure in secure, restricted areas accessible only by MacStadium-approved employees. Each facility employs:
MacStadium has a defined policy of who has access to our data centers, servers and software. Only select engineering teams have access to the backend hypervisors where virtual servers reside or direct access to NAS/SAN storage systems. We have a centralized process for creating, maintaining and resetting keys and passwords, and we keep records of all changes for auditing purposes. Background checks are conducted on all candidates upon acceptance and contingent of our offer of employment, and all employees are required to sign a NDA to ensure confidentiality.
MacStadium maintains 24/7 security incident and event management (SIEM). We monitor our infrastructure at all times with engineers on call to resolve any security-related events. MacStadium’s security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident
reporting and response procedures.
All access to customer systems is automatically logged and recorded via a privileged access control system/secure jump box. Our logging includes system actions as well as the logins and commands issued by our system administrators.
MacStadium respects your privacy and is committed to protecting the privacy and confidentiality of personal data we collect. Please read our Privacy Notice carefully to understand our policies and practices regarding your information and how we will treat it.
MacStadium is committed to industry best practices approaches concerning security measures to prevent the loss, misuse and alteration of the information in our possession. We use various security measures to protect the information we collect as appropriate to the type of information, including encryption, firewalls, and access controls. If you have any questions about our privacy practices, please contact us at firstname.lastname@example.org.
All communications with MacStadium are transmitted over TLS (HTTPS), and we use SSL (Secure Sockets Layer) encryption to protect visitor data. We provide connectivity to our hardware via SSH and recommend that customers use SSH keys to securely set up their access.
Credit card purchases for MacStadium services are processed by Chargify. When our customers provide their credit or debit card information via our website, the data is sent to Chargify, and the payment data is not stored on our systems.
We understand the need for strict privacy regulations required by certain countries. Under European data protection acts like the General Data Protection Regulation (GDPR), MacStadium operates as the data “processor” and our customer is the data “controller.” We have setup a Data Processing Agreement (DPA) which can be signed by both MacStadium and our customer to meet these regulatory requirements. To obtain the DPA, or if you have any other privacy related questions please contact us.
We provide the dedicated infrastructure – the environment is yours. MacStadium is responsible for providing and maintaining all physical equipment as requested and preventing unauthorized physical access to that equipment. We will complete initial setup (imaging hosts, zoning storage, etc.), provide 24/7 technical support and ensure data center uptime.
As the customer, you are responsible for implementing security measures to protect your systems and data, including configuring and securing all infrastructure (e.g., firewall, vCenter) and virtual machines (e.g., applications, network connections, databases). You will need to ensure encryption of all data and network communications and ensure appropriate backups and failover capabilities are in place.
To assist you in maintaining the security of your systems, we include the following technology with every hosted private cloud:
We can provide additional security measures upon request, including: