Security and safety of your data is something we make an essential preoccupation at Exoscale. We understand that trusting an external entity with your data is a difficult step to take.

Getting in touch

First and foremost, if you need to get in touch with the team in for critical security purposes, we encourage you to send a PGP-encrypted e-mail to security@exoscale.com which will ensure that only security-accredited personnel at Exoscale will be be able to read it.

We ask that you also use this method to contact us should you discover any security issue with the service, and that you apply standard responsible disclosure etiquette.

Our 3072-bit RSA PGP key has fingerprint C17C 154E EAC9 769A E5A3 9300 15AA DCAB A4E3 94E4 it is reproduced below:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBFw2VTIBDADqqfVv2GWdi7mpbOJSwUWinMYJVM4d60ZlQtiZzSkZGAWHnz4c
MykZ4FsrgHu2J0Yr1l0UoYzfFCw22EqwTBVw9MZ1bvCtyM+wllZ5hXC7oins0BSx
ErGukzZsazHoYBG2AJHXTNLlGHladyBLybhIQw6NUjVrPhFVS2SDI/LlD2J56TOd
Ay4lQ7bhAwjRtf0PSy0hBpGSEdS58IACWd8q3CGcA4jDXn4wRYtPYTiRE/obk76k
88hj+HtcddTEvPAG9vE+K9yEtI+2YAWiFRkBW5AOTX4ecqcqy/Vds9Qi/KyHmwIJ
BuXXXl3+94AjFebiiTgm8uNsbS45D5UHKN9TKvkyiX0efjGYU4Ch247/E+qRDU2j
cOcBYpy3zjPnbRxtINTbS3P/9t+UCbCZvPy4Vg2yGt8a2RDr2o0bBE1hhr794jmm
OOmKx2idQRVLOmezCUDbUa9CZSOPLqUw0IiGzbq2YX8J16JyYaA048Ulcz0FlIR1
kOSzZtcfIScqKdcAEQEAAbQtc2VjdXJpdHlAZXhvc2NhbGUuY29tIDxzZWN1cml0
eUBleG9zY2FsZS5jb20+iQHUBBMBCgA+FiEEwXwVTurJdprlo5MAFarcq6TjlOQF
Alw2VTICGwMFCQPCZwAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQFarcq6Tj
lORRgwwAjMbbXuY8kMhev9WLetKGAq2Y2O3xHYd0EhqNerinMKOTVMHoB8zFv6+H
RFCto7Sgf2Ld+m06ZKPRatcYXdv1KNdwtEUA1lwGh45vj6vFuQ0CDJArqMeqmY22
ou8nyfcCbml6xio9x/8jyLCW61oX44bC/gxUkvH/V36jP97OW0+M7xg0NV2dUsEX
pnGGH5xJwvWTj0QetoXw34lGTtXZwilMAAtc+WIrx1o/NbnUMbKqIIoK4TIdnytJ
XNzGp7dOKVqC6mBBVN/kwe+JtRDeUJ5yrb/Z/rQJbJ+yzJPc5y6vz3dBdh2STE6v
+WHqc1/I8bVXLxFQajXTJZczzVmmzRW3JmIyT3Q1k4LwUlbczD0jjuJkhSWFqOOP
/OEwLc4yl7SY8M8FSZogCytHXzWlYpYHuOztKQP3sz4aJnQazeRQPbnW5aX9xYdT
3bOfl8bZZ1db5s0yL+5ajdd2ZIoplaW2j1QNb9eiTr3s0sqHVx9qKnmDuQovQ7zO
gpsRhJp0uQGNBFw2V1oBDADBPVTMBrREa7M9e+CgRnMxgOBQIrl7x8sHUdvAmkGo
pm3BeAyNaTw3CINq6hszbXDXgsFsp9cLxTUPc9FdYrh82zb6zRf0BZEqEHTcy6hD
O8KNpdwyXA9nGf/1atRO3sa1xpmPZSuXWA4tNWX64Ho4gW7Zqj9ucsBwr+vnk8SI
b9teKxqzuRZ399pe1s7mDAGRdA7nlKAnxkjTw0/QyctiMmIgh/ugGyZKq+2hD6Sw
UbYCIqiXAgkqvlOqeVU6LkG+TCcW3B8GAs9x6LBU9S6S44k7zWc3mv/lQW/ZJZoY
tBY8TaZGRgHyrjnb4d/tgdl/CNmYqQqrKeIscewbGRAbCEkid2FWR0TTzMAsJbzQ
Hwv8e8Q6/gpVrmfHQZM7n7Oo3wYotJfhuMkNSWBI4C23l5J02uo8ucMZ7fh5W2FR
zm0ticy5ydKHK+RV4M4nVY8TDV/7AKvVTK2wqjemiQFW8hafZX7vc3QaFY6S5c0I
8iAea02yR9XIWBILXoOP4UkAEQEAAYkBvAQYAQoAJhYhBMF8FU7qyXaa5aOTABWq
3Kuk45TkBQJcNldaAhsMBQkJZgGAAAoJEBWq3Kuk45Tk0KYMAKmeb07sWYMY0+Jg
dPu+1mNfUZG8AiJr4765rb+5WtxyMiEC6mL9s42XIIXwSBAS58bAkD2xqcbXdOAN
doduoW7rwrHrhQ1c3Weu+TRf4P+eACpqSoqJcVj2FX+28mllT5OVan0NTbxftPHE
36u2futqxMXybsPeJCPmXMVPCrX1it3OerrKWSvO2gSgDvxsKf6DRXRPWccRPUcg
3mqZeWE30fGCSabirMFI7fqGySWFjA8yLRfvbIHQfFaMwut/jDsR+TtCOtZvHixT
zAT45p8y7IJ5BwvR0qqTzF0jMigX9S/DJu+Ftb5mwWZ0MTzmERoC9SxAiqLqlaf5
WRnC+uHUoTh+wJDUWRP94Vn/4dl0xsTwku8pWyIgUZn89A6mxYOi9kmdjlRdoyi9
sXTH1QJ/FeZeJczJgT5nXYU4GAZf1H+//YYqs5nPkyp4UzaRswQngj41WppCdPam
lJ9KZ4RUH2WcYs6pLUbA1h2fvUdXgiazTYn73FZ6/Ln5zzRgnw==
=llBC
-----END PGP PUBLIC KEY BLOCK-----

Our security model in plain English

Who has physical access?

We only operate from locations conforming to the most restrictive security standards (ISO27001) and we are part of the Cloud Security Alliance (CSA).

Conforming to recommendations made in these frameworks and standards, we track all access to datacenters. Only Exoscale staff and accredited Datacenter personnel has physical access. We keep an audit trail of access to individual datacenter racks and work with trained staff for operations such as disk changes or hardware reboots.

When drives are decommisioned they are destroyed or cryptographically locked.

Who has logical access?

The operations team at Exoscale is the only team which has actual access to hypervisors and storage nodes. Strict access control is maintained and tracked, as well as regular credentials cycling.

External Services

We rely on very few external services to maintain the highest possible level of security, and reduce our threat-model to a minimum. We still can’t do everything by ourselves and thus rely on a few external providers.

Payment information

We rely on two services which are PCI-DSS for processing payments:

  • PostFinance which processes Credit Card and Postcard payments.
  • Paypal which processes Paypal payments.

We do not store any Credit Card information only anonymized tokens, as provided by these services.

We additionally use the online accounting solution provided by Bexio, a Swiss company with a dedication to security similar to ours to provide faster reconciliation of wired payments. As such invoice information is duplicated on Bexio.

Website analytics

We only gather website analytics for our public websites (this website, as well as https://community.exoscale.com). No activity within our customer portal is ever tracked. Our provider for website analytics is Google.

Newsletter

We use Mailchimp to send Email campaigns and newsletters. We do not store address lists at mailchimp, but synchronize on a per-campaign basis to avoid storing your email addresses permanently there.

Below this point, we dive in deeper detail on the exact frameworks and standards we adhere to. You can read on if you are interested in the fine print.

Frameworks:

Exoscale has elected the Cloud Security Alliance (CSA) framework in order to structure and enforce the compliance controls regarding all aspects of security with 100 control points dealing with:

  • Data Governance
  • Facility
  • HR
  • Information Security
  • Legal
  • Risk Management
  • Security Architecture

We conform to the OCF Level 1, having completed our Cloud Control Matrix which maps to the following selected frameworks:

  • COBIT
  • HIPAA / HITECH Act
  • ISO/IEC 27001-2005
  • NISTSP800-53
  • FedRAMP
  • PCI DSSv2.0
  • BITS Shared Assessments
  • GAPP

Roles and responsibilities

Roles and responsibilities vary upon the cloud model chosen: these are defined by the SPI stack, as defined in the CSA guidance.

“The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.”

Therefore we attract our readers on the fact that as a IaaS provider with Exoscale, most responsibilities and data access control enforcement are on the customer side. Nevertheless we impose ourselves a high level of security on all infrastructure layers, as described in the following sections.

Laws and Regulation

At general level, concerning data and activities conducted in our swiss datacenters we shall mainly be subject to the Swiss Code of Obligations.

The purpose of this section is to answer general questions within the context of Exoscale, providing IaaS Cloud Computing Services to the customer. We would like to bring particularly to your attention the Data Protection and Export Control obligations.

Data Protection

Concerning data and activities conducted in our swiss datacenters we shall mainly be subject to the Swiss Federal Data Protection Act (“DPA”) and the Swiss Federal Data Protection Ordinance (“DPO”). Unlike most other countries, the Swiss data protection laws and regulations apply to individuals, but also to legal entities.

Collecting and Processing Personal Data

When collecting data, the collector shall ensure that he

  • informs data subjects about the data processing and its intended purpose;
  • informs data subjects about whether the data will be disclosed to third parties and whether a transfer outside Switzerland is contemplated; and
  • obtains any consents required for the data processing.

The DPA provides that the mere act of collecting personal data constitutes the processing of personal data. Therefore, all legal requirements which apply to the processing of personal data also apply to the collection of personal data. Among others, the following provisions shall be complied with in the processing of personal data:

  1. Personal data must be processed in good faith; Personal data must not be collected by misrepresentation or deception; The processing of personal data must be proportionate.
  2. Personal data may only be used for the purpose intended at the time of collection.
  3. The collection of personal data and the purposes for which the personal data is processed must be obvious to the person/entity from whom personal data are collected.
  4. Anyone who processes personal data must not breach the privacy of the data subjects.
  5. As a rule, no justification for processing personal data is required if the data subjects have made the data generally available and have not expressly restricted the data processing.
  6. A lawful justification for data processing exists if the data subject has consented to it, the law provides for it, or the data processor has an overriding interest in the data processing.
  7. The data processing must comply with technical and organizational security requirements, especially when processed electronically. Personal data must be protected against intentional or accidental deletion, accidental loss, technical errors, falsification, theft and unlawful use, unauthorized access, changes, copying, or other unauthorized processing.
  8. Data processing may be delegated to a third party under an agreement, provided that the third party data processor processes data only to the same extent as the person employing the third party data processor was authorized to do and that no legal or contractual confidentiality obligation prohibits the outsourcing.

Disclosing of Personal Data

The DPA does not permit the disclosure of sensitive data or personality profiles to third parties without lawful justification. The consent of the data subject can constitute a lawful justification. Companies within the same group as the disclosing entity, i.e. the parent company or subsidiaries are considered third parties and the sharing of personal data within a group is deemed to be a disclosure to third parties for the purposes of the DPA.

Transfer abroad

The DPA prohibits a transfer of personal data abroad if it could seriously endanger the personality rights of the data subjects. If the legislation of the foreign country does not afford adequate protection for the personal data to be transferred or accessed, under Swiss data protection laws and regulations, transfer or access outside Switzerland is not allowed, except in certain restricted cases which have to meet specific requirements with respect to such disclosure abroad. In the latter case, the Federal Data Protection and Information Commissioner must be informed of the safeguards or rules used before the first transfer of data is made or, if that is not possible, immediately after the disclosure has occurred. Please note that we do NOT transfer data abroad. The data is stored in Switzerland only.

Export Control

Products, software, and technical information provided or used in connection to the services may be subject to export laws and regulations of Switzerland and other countries, and any use or transfer of the products, software, and technical information must be in compliance with all such applicable regulations.

Disclosure Procedures and Policies

The procedures and policies for responding to a request for data or information disclosure from governmental authorities depend mainly on the treaties entered into with the requesting country requesting. In broad terms, exchange of information between countries may be requested within the context of:

  • criminal proceedings or
  • tax fraud or tax evasion.

More precisely:

  1. In case of criminal proceedings, information can be exchanged by way of mutual legal assistance in criminal matters (“MLA”) based on multi- or bilateral agreements or in accordance with the Federal Act on International Mutual Assistance in Criminal Matters. For instance, with respect to the Schengen States, the Federal Law on Exchange of Information between Criminal Proceedings Authorities between Switzerland and the Schengen States shall apply.
  2. In case of tax fraud or tax evasion, when foreign tax authorities are involved, the exchange of information is carried out by means of administrative assistance within the legal framework of bilateral double taxation agreements (“DTAs”). In the case of tax related criminal proceedings, information can be exchanged also, alternatively, according to section (i) above. In particular, the OECD has concluded a model double taxation agreement with Switzerland, which provides pursuant to Article 26 for a system of administrative assistance among the tax authorities of the signatory countries, according to which States shall exchange information that is foreseeably relevant to the correct application of a tax convention as well as for purposes of the administration and enforcement of “domestic tax laws” of the contracting States upon specific request. Any information received thereunder by a contracting State shall be treated as secret. Such persons or authorities shall use the information only for such purposes. They may disclose the information in public court proceedings or in judicial decisions. To date, Switzerland has adopted or renegotiated over 35 Article 26-friendly DTAs. However, the cases where we would directly be requested to transfer data that is stored on our cloud but that is owned by the customer seem to be extremely limited. One possible hypothesis would be a case where the customer refuses to transfer data stored by us as requested by competent authorities and such authorities would then request us directly to provide the relevant information. In such event, we would obviously comply with the laws, but would, to the extent legally possible, promptly inform the customer of the situation.

The “USA Patriot Act”

The USA Patriot Act applies to

  • US entities,
  • affiliates and subsidiaries of US entities throughout the world,
  • servers located in the US independently from the nationality of the entities which operate them, and
  • as well as to data hosted in Europe by US entities.

Our company is based in Switzerland and does not have any affiliate or subsidiary in the US. Further, our cloud is hosted in leading data center companies in Switzerland. The data is stored in Switzerland and not in the US. Thus, we are not governed by the USA Patriot Act. If however the customer is related to entities in the US or servers located in the US then the customer’s data may be subject to the USA Patriot Act.