Executive Summary & Quick Reference
Cloudsania delivers enterprise-grade security across all services with defense-in-depth architecture, continuous monitoring, and compliance-ready infrastructure. This document provides transparency on our security practices, data handling, and shared responsibility model.
Key Security Features
- Encryption: AES-256 at rest, TLS 1.2+ in transit
- Access Control: MFA, RBAC, SSO integration
- Monitoring: 24/7 continuous monitoring with real-time alerts
- Compliance: SOC 2, ISO 27001, GDPR alignment
- Data Residency: Multi-region support (AWS, Azure, GCP)
- Incident Response: Structured response with SLA-backed communication
Compliance Status
- SOC 2 Principles: Security, availability, and confidentiality controls implemented
- ISO 27001 Practices: Risk management, secure development, operational security
- GDPR Alignment: Data minimization, transparency, and user control supported
- Industry Standards: PCI DSS alignment for e-commerce, HIPAA practices available
Quick Contacts
- Security Team: security@cloudsania.com
- Incident Reporting: incidents@cloudsania.com
- Compliance Queries: compliance@cloudsania.com
- Emergency Hotline: Available 24/7 via support portal
Service Selection Guide
Basic Service Comparison Matrix
I Want To… | Use This Service | Why This Choice | Alternative Considered |
---|---|---|---|
Deploy e-commerce quickly | App Service (E-commerce APS) | Pre-configured, PCI-ready, managed SSL | Konstacks (more complex setup) |
Build custom infrastructure | Konstacks | Full control, any architecture pattern | App Service (limited to e-commerce) |
Connect existing cloud accounts | Cloud Connectors | Leverage existing AWS/DO investment | Konstacks (rebuild from scratch) |
Automate deployments | CI/CD Pipelines | Integrated build, test, and deploy workflows | Manual deployment processes |
Manage domains/DNS | DNS Configuration | Integrated with Cloudflare/Route53 | External DNS management |
Add managed databases | Add-Ons | Automated PostgreSQL/MySQL setup | Self-managed databases |
Version control integration | Code Repository | Secure GitHub/GitLab connections | Direct git access |
Service Complexity & Time Comparison
Service | Best For | Setup Time | Complexity | Control Level |
---|---|---|---|---|
App Service | E-commerce, quick deployment | 15-18 minutes | Low | Medium |
Konstacks | Custom infrastructure | 20-30 minutes | Medium | High |
Cloud Connectors | Migration, existing accounts | 3 minutes | Low | Medium |
CI/CD Pipelines | Automated workflows | 15 minutes | Medium | High |
Add-Ons | Database services | 5 minutes | Low | Low |
DNS Configuration | Domain management | 3 minutes | Low | Medium |
Introduction
The Cloudsania Security, Privacy & Compliance Overview is designed to provide clarity on how we protect our users’ data, secure our infrastructure, and align with industry best practices. At Cloudsania, we understand that trust is the foundation of any technology partnership. Our mission is to deliver flexible, scalable, and secure cloud-native solutions while ensuring that security, privacy, and compliance are built into every layer of our services. This document explains our approach to security, data handling, compliance, and the shared responsibility model between Cloudsania, our clients, and trusted third-party providers. It is not a replacement for legal agreements or technical specifications, but a transparent overview to help clients make informed decisions about using Cloudsania.
Shared Responsibility Model
At Cloudsania, we believe in clarity & transparency: securing modern applications and infrastructure is a shared effort. While we provide enterprise-grade security for the services we manage, clients and third-party providers also play essential roles in safeguarding the ecosystem.
Shared Responsibility Summary Table
Security Domain | Cloudsania Responsibility | Client Responsibility | Third-Party Responsibility |
---|---|---|---|
Infrastructure | Server security, network controls, and monitoring | Account access, user management | Data centre physical security |
Platform | Service security, API protection, compliance | Application logic, access policies | Service availability, API security |
Data | Encryption, backup, secure storage | Data classification, access control | Regional compliance, data residency |
Identity | Platform authentication, audit logs | User credentials, MFA setup | Identity provider integration |
Applications | Runtime security, container isolation | Code security, dependency management | Repository security, scan results |
Detailed Responsibilities
- Cloudsania’s Responsibility: We secure the core infrastructure and platforms, including servers, clusters, pipelines, networking, monitoring, and compliance enforcement. Our role is to ensure that every service we offer is built with defense-in-depth, regular audits, and continuous monitoring.
- Client’s Responsibility: Clients are responsible for protecting their accounts, access credentials, user devices, source code, and end-user data. This includes enforcing secure password policies, managing user permissions, and following best practices for application security within their environments.
- Third-Party Providers: Cloudsania integrates with trusted providers such as AWS, Cloudflare, GitHub, and DigitalOcean. These providers maintain responsibility for their own infrastructure security (e.g., AWS securing data centers). Cloudsania ensures that all integrations are configured following industry best practices to maintain end-to-end security.
Security Practices
At Cloudsania, we design our systems with security-first principles, making sure protection is built into how we manage infrastructure, pipelines, and user access. Our focus is on preventing risks early, monitoring continuously, and limiting exposure in case of an incident.
Key Practices
- Continuous Monitoring & Alerts – We keep track of platform activities such as deployments, authentication attempts, and system health. Alerts are generated for suspicious or unusual events so our team can respond quickly.
- Secure DevSecOps Pipelines – Our deployment pipelines include checks to reduce risk, such as scanning dependencies, controlling secrets, and verifying artifacts before they are pushed live. This ensures code moving from the repository to production is handled securely.
- Role-Based Access with MFA – Access to Cloudsania services is based on roles and least privilege. Administrative actions require stronger authentication, such as Multi-Factor Authentication (MFA), and integrations can use secure OAuth flows.
- Vulnerability Management – We regularly update and patch components we control, such as container images and configurations, and work with clients to ensure their workloads also follow good security practices.
- Network & Firewall Controls – Environments are segmented to reduce risk. Access to resources is restricted to what is necessary, with additional protection provided through our cloud provider’s security services.
Practical Security Guidance for Clients
Common Security Misconfigurations to Avoid
Misconfiguration | Risk Level | How to Avoid |
---|---|---|
Weak passwords/No MFA | High | Enable MFA on all accounts, use a password manager |
Overprivileged IAM roles | High | Follow the least-privilege principle, regular access reviews |
Public repositories with secrets | Critical | Use environment variables, never commit credentials |
Unencrypted data transmission | Medium | Always use HTTPS/TLS, verify SSL certificates |
Default security group rules | Medium | Restrict inbound traffic to necessary ports only |
Shared service accounts | Medium | Create individual accounts, avoid sharing credentials |
Unpatched dependencies | High | Regular dependency scanning, automated updates |
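An added example (not Cloudsania's code) for the "Default security group rules" row above: it audits security-group definitions, in the JSON shape returned by `aws ec2 describe-security-groups`, for inbound rules open to the whole internet on ports outside an allowlist. The group IDs, the sample data, and the allowlist of ports 80 and 443 are constructed assumptions.

```python
"""Flag security-group inbound rules that are open to the internet on ports
outside an explicit allowlist. Input is the 'SecurityGroups' list shape
produced by `aws ec2 describe-security-groups`."""
import ipaddress

# Assumption for this example: only HTTP/HTTPS should be publicly reachable.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample data (not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # "-1" means every protocol and port; AWS omits FromPort/ToPort here.
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0, or any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """Return (low, high) for tcp/udp/all-traffic rules, else None."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return (0, 65535)
    if proto in ("tcp", "udp"):
        return (perm["FromPort"], perm["ToPort"])
    return None  # e.g. icmp, where FromPort/ToPort carry type and code


def find_open_rules(groups, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding per world-open CIDR on a rule that exposes at
    least one port outside allowed_ports."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            ports = port_range(perm)
            if ports is None:
                continue
            low, high = ports
            # A rule is acceptable only if every port it covers is allowed.
            if all(p in allowed_ports for p in range(low, high + 1)):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings.append({
                        "group_id": group["GroupId"],
                        "protocol": perm["IpProtocol"],
                        "ports": (low, high),
                        "cidr": cidr,
                    })
    return findings


if __name__ == "__main__":
    for f in find_open_rules(SAMPLE_GROUPS):
        print("{group_id}: {protocol} {ports} open to {cidr}".format(**f))
```

Rules that reference another security group instead of a CIDR (`UserIdGroupPairs`) are not internet-facing and are deliberately ignored by this check.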
Recommended MFA Setup Steps
- Primary Account Protection
  - Enable MFA on your Cloudsania account immediately after signing up
  - Use authenticator apps (Google Authenticator, Authy) rather than SMS
  - Store backup codes in a secure password manager
- Team Account Management
  - Require MFA for all team members with Admin or Member permissions
  - Set up SSO integration for centralised MFA management
  - Regular MFA compliance audits for team accounts
Data Handling & Storage
At Cloudsania, data belongs to the client at all times. Our role is to ensure it is stored securely, reliably, and in a way that supports both performance and compliance requirements.
- Data Ownership: Clients retain full ownership and control of their data. Cloudsania does not access or use client data except where explicitly required for service operation or support.
- Storage Locations: Data is stored on trusted cloud providers (AWS, Azure, or Google Cloud), depending on the service configuration. Clients can request specific regions to meet compliance or latency needs.
- Backup, Recovery & Retention: Automated backups are performed on a scheduled basis to minimize data loss risks. Recovery processes are periodically tested to ensure reliability. Retention policies are configurable depending on service type and client requirements.
- Data Deletion & Portability: Upon request or service termination, client data can be exported in standard formats and permanently deleted from our systems. We follow industry practices to ensure secure and verifiable deletion.
Encryption Policies
Cloudsania ensures that data is protected both in transit and at rest using industry-standard encryption protocols. Encryption practices are implemented across all services to safeguard sensitive information from interception, tampering, or unauthorised access.
- Encryption in Transit: All data moving between clients, services, and integrated third-party platforms is encrypted using TLS 1.2+. This ensures end-to-end protection against eavesdropping and man-in-the-middle attacks.
- Encryption at Rest: Client data stored in databases, file systems, or object storage is encrypted using AES-256. Encryption keys are managed securely and rotated in line with cloud provider best practices.
- Key Management: Keys are stored and managed by trusted providers (AWS KMS, Azure Key Vault, or GCP KMS). Access to encryption keys is restricted to authorized services only and is logged for auditing.
- Service-Level Integration: Each service within Cloudsania (e.g., Konstack clusters, CI/CD artifacts, App Service databases) inherits encryption policies automatically, ensuring consistent security across the platform.
Access Control
Cloudsania enforces strict access control policies to ensure that only authorised users and systems can interact with client environments. Access control is applied across our infrastructure, services, and integrated third-party tools.
- Multi-Factor Authentication (MFA): All Cloudsania admin and management accounts require MFA. Clients are strongly encouraged to enable MFA for their accounts to reduce risks from compromised credentials.
- Single Sign-On (SSO) & OAuth Support: Cloudsania integrates with identity providers (e.g., Google Workspace) to allow secure federated access through SSO. OAuth is used for delegated access where services interact (e.g., CI/CD pipelines connecting to GitHub).
- Role-Based Access Control (RBAC): Access rights are granted based on the principle of least privilege, ensuring users only access resources they need. Roles can be customized to align with organizational structures.
- Granular Permissions: Service-specific access (e.g., CI/CD pipeline secrets, Konstack cluster configs, DNS settings) is controlled at the resource level.
- Audit Logs: All authentication attempts, configuration changes, and access to sensitive resources are logged. Logs are available for client review and monitoring.
Compliance & Standards
Cloudsania aligns its security and privacy practices with globally recognised standards and regulatory frameworks to help clients meet their own compliance obligations. While Cloudsania does not replace an organization’s internal compliance responsibilities, our platform is designed to support compliance-readiness.
Key Practices
- GDPR Alignment: We follow principles of data minimization, transparency, and user control to support clients who operate under the EU’s General Data Protection Regulation.
- SOC 2 Principles: Our controls are mapped to SOC 2 trust principles (security, availability, confidentiality), focusing on access management, monitoring, and system integrity.
- ISO 27001 Practices: We adopt key controls from ISO 27001 such as risk management, secure development, and operational security.
- Industry-Specific Standards: For services like our E-commerce App Service (APS), Cloudsania supports PCI DSS alignment for handling payment-related data. Where healthcare data is involved, HIPAA practices can be supported through client-side configurations.
Important Note
Cloudsania does not certify client environments on behalf of their organisations. Instead, we provide the tools, infrastructure, and documentation clients need to pursue compliance independently or with their auditors.
Incident Response & Continuity
Cloudsania has a structured approach for managing security incidents, system outages, and unexpected events to minimize disruption and maintain client trust. Our processes focus on rapid detection, transparent communication, and service continuity.
Incident Response Process
Security Incident Reporting
How to Report Security Issues:
- Primary: Email incidents@cloudsania.com with “SECURITY INCIDENT” in the subject
- Emergency: Use the 24/7 support portal for critical security breaches
- Phone: Emergency hotline available through the customer portal
- Detailed description of the suspected security incident
- Affected services, accounts, or data
- Timeline of when the issue was first noticed
- Any evidence or logs you can safely share
- Your contact information for immediate follow-up
Our Response Process
- Incident Detection & Alerts: Continuous monitoring of infrastructure and services allows us to identify abnormal activities, performance degradation, or potential security breaches in real-time.
- Client Notification: In the event of a confirmed incident affecting client services, Cloudsania will notify impacted clients promptly, providing clear details of the issue, scope, and remediation steps.
- Containment & Resolution: Security and engineering teams follow predefined runbooks for isolating threats, mitigating impact, and restoring affected services as quickly as possible.
- Disaster Recovery (DR): Critical workloads are protected with backup and replication strategies. In the event of infrastructure failure, services can be restored from backups within defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
- Business Continuity: Cloudsania services are architected with redundancy and failover mechanisms across regions where supported, reducing downtime risks.
- SLA-backed Uptime: Clients benefit from SLA guarantees for uptime, backed by monitoring and operational readiness.
Note: While Cloudsania manages the underlying infrastructure continuity, clients are responsible for their own business continuity planning, including application-level backups and redundancy.
Third-Party Integration Security
Cloudsania integrates with multiple trusted third-party providers to deliver comprehensive cloud services. Each integration is designed with security-first principles and follows industry best practices for data protection and access control.
Integration Security Models
GitHub Integration
- Security Model: OAuth 2.0 with limited scope permissions
- Data Access: Repository metadata and code content (read-only during deployments)
- Authentication: Personal access tokens or GitHub Apps with minimal required permissions
- Data Residency: Code remains in GitHub; only deployment artifacts are temporarily processed
- Encryption: All API calls use HTTPS/TLS 1.2+
- Audit Trail: All GitHub interactions logged in Cloudsania audit system
- Token Management: Automatic token rotation and expiration enforcement
AWS Integration
- Security Model: IAM roles with least-privilege access
- Data Access: Infrastructure provisioning and monitoring data only
- Authentication: Cross-account IAM roles, no long-term credentials stored
- Data Residency: Client data remains in the client’s chosen AWS regions
- Encryption: All AWS API calls are encrypted, and resources are deployed with encryption by default
- Audit Trail: CloudTrail integration for complete infrastructure change tracking
- Permission Boundaries: Strict IAM policies preventing access to unrelated resources
Cloudflare Integration
- Security Model: API key-based authentication with scoped permissions
- Data Access: DNS records and proxy configuration only
- Authentication: Encrypted API keys with domain-specific scope
- Data Residency: DNS data is distributed globally per Cloudflare infrastructure
- Encryption: All API communications via HTTPS, DNS queries support DoH/DoT
- Audit Trail: DNS changes logged in both Cloudsania and Cloudflare systems
- DDoS Protection: Automatic security benefits from Cloudflare’s global network
DigitalOcean Integration
- Security Model: API token authentication with resource-level permissions
- Data Access: Droplet and infrastructure management data
- Authentication: Personal access tokens with minimal scope, regular rotation
- Data Residency: Client selectable regions (NYC, SFO, Amsterdam, Singapore, etc.)
- Encryption: All API communications are encrypted, and resources are deployed with security defaults
- Audit Trail: Complete infrastructure provisioning and management logged
- Network Security: VPC isolation and firewall rules applied automatically
GitLab Integration
- Security Model: OAuth 2.0 with project-specific access
- Data Access: Repository content and CI/CD pipeline data
- Authentication: OAuth tokens with read/write scope limited to selected projects
- Data Residency: Code remains in GitLab; processing occurs in client-selected regions
- Encryption: All API interactions use HTTPS/TLS 1.2+
- Audit Trail: GitLab webhook events and API calls are fully logged
- Access Control: Integration permissions respect GitLab project access controls
Integration Security Best Practices
Token Management:
- All integration tokens are encrypted at rest using AES-256
- Automatic token expiration and rotation where supported
- No long-term credentials stored in Cloudsania systems
- Token access is logged and monitored for unusual activity
- Integrations request only the minimum permissions required for functionality
- No permanent storage of third-party data beyond operational requirements
- Regular permission audits to ensure continued least-privilege access
- All third-party communications via encrypted channels (HTTPS/TLS 1.2+)
- API rate limiting to prevent abuse
- IP allowlisting, where supported by third-party providers
- Network segmentation between integration services
- Real-time monitoring of all third-party API calls
- Alerts for failed authentication attempts or unusual access patterns
- Regular security scans of integration endpoints
- Automated detection of deprecated or vulnerable integration methods
Service-Specific Security Notes
Cloudsania’s platform is built on multiple interconnected services, each with unique security considerations. This section explains how we secure each service, what clients are responsible for, and how third-party integrations fit in. For clarity, each service is documented with:
- Overview: What the service does, how it works, and its role in Cloudsania.
- Security Controls: Technical and operational measures implemented by Cloudsania.
- Client Responsibilities: What clients must do to maintain secure use of the service.
- Integration Notes (if relevant): How third-party tools interact with the service.
App Service (E-commerce APS)
Overview: The App Service (E-commerce APS) enables users to deploy fully managed, production-ready applications, such as e-commerce platforms, on Cloudsania using pre-configured Konstack (ECS on AWS). Each deployment provisions container instances, a load balancer with SSL termination, auto-scaling, and a container registry, all within secure VPC subnets. Under the hood, Cloudsania automates network, compute, and storage setup so users focus solely on their application.
Security and Privacy Practices: Data is secured both at rest and in transit: container traffic is protected via SSL/TLS, while underlying storage (e.g., object or file data) is encrypted. AWS IAM roles secure task execution permissions and access to logs or secrets manager. Network access is restricted through VPC configurations, security groups, and custom firewall rules. Additionally, pre-configured defaults follow best practices, including auto-scaling policies and health checks for reliability.
Compliance and Trust: The consistent architecture across App Services aligns by design with foundational frameworks such as ISO 27001 and SOC 2, reflecting secure defaults and auditability. Sensitive application data must be handled in compliance with local regulations (e.g., GDPR consent or PCI DSS, depending on payment data handling), with Cloudsania providing the infrastructure to support such policies. The client remains responsible for application-level controls, such as input validation, session security, and integrating only compliant third-party services.
Cloud Connectors
Overview: Cloud Connectors serve as secure bridges between your Cloudsania environment and external cloud provider accounts. They enable operations such as provisioning infrastructure, managing workloads, and monitoring resources in cloud accounts (including AWS, virtual private servers (VPS), and DigitalOcean) without exposing raw credentials. By applying configured policies and adhering to provider best practices, these connectors streamline integration, reduce setup complexity, and maintain operational security.
Security and Privacy Practices: When a connector is deployed, it acts as a cloud user account with least-privilege access, meaning it only has permissions explicitly required to operate on selected workloads. Configuration is straightforward and guided, but allows fine-tuning to follow the principle of least privilege. Activities, deployments, and configuration changes done through the connector are captured in audit logs, ensuring traceability. Where supported, connectors initiate periodic security scans to identify vulnerabilities in connected cloud environments, enhancing visibility and governance.
Compliance and Trust: Using Cloud Connectors helps maintain CloudOps best practices without manual setup errors that could undermine compliance. Because access is scoped and auditable, it supports oversight needed for frameworks like SOC 2 or ISO 27001. Clients retain control over the cloud-side permissions and must ensure their environments meet any industry-specific regulations. Cloudsania does not manage or access customer cloud accounts except through connectors configured by the client.
Konstacks
Overview: Konstacks are purpose-built infrastructure templates in Cloudsania that simplify the provisioning, configuration, and ongoing management of cloud compute resources. With just a few clicks, users can deploy environments using ECS (Fargate-based container orchestration) or EC2 (traditional virtual machines). Each Konstack includes networking (VPCs, public/private subnets), auto-scaling rules, load balancers, and reproducible infrastructure grounded in Terraform-like version-controlled templates.
Security and Privacy Practices: Konstacks include secure defaults by design: each deployment uses dedicated IAM roles scoped with least privilege, network isolation via VPC segmentation and security groups, and SSL/TLS-enabled communication. The infrastructure is provisioned via Infrastructure-as-Code, enabling reproducibility and auditability. Autoscaling and load balancing policies help maintain availability under load, while ensuring consistent configuration across environments.
Compliance and Trust: By enforcing industry-standard security best practices (network isolation, role-based access, TLS encryption), Konstacks align with foundational controls found in standards like ISO 27001 and SOC 2. Cloudsania ensures that the underlying compute and infrastructure layers are hardened. However, users are responsible for securing application-level logic and workload behaviours within the deployed clusters or instances. Configuration templates are version-controlled, helping clients maintain compliance and traceability.
Code Repository
Overview: Code repositories are the backbone of development workflows on Cloudsania. By connecting GitHub or GitLab, users can securely manage their source code, apply version control, and collaborate effectively with their teams. These integrations make it easier to centralise code management while keeping ownership with the user.
Security and Privacy Practices
- Repository connections are authenticated via secure OAuth or personal access tokens.
- Sensitive credentials (such as tokens and SSH keys) are encrypted with AES-256 before storage.
- Role-based access ensures only authorised users can link repositories or adjust settings.
- Cloudsania does not permanently store or alter source code. It remains within the user’s chosen Git provider at all times.
- System logs are designed to exclude raw code content, protecting intellectual property from accidental exposure.
- GitHub and GitLab maintain compliance with major frameworks (SOC 2, ISO 27001, GDPR).
- Cloudsania ensures integrations follow least-privilege principles, encrypted transmission, and token rotation.
- Users retain full ownership and control of their repositories.
- Audit logs in Cloudsania provide visibility into repository connections and activity for added transparency.
CI/CD Pipelines
Overview: Cloudsania’s CI/CD Pipelines automate the process of building, testing, and deploying applications. By connecting to repositories, developers can push code changes and have them automatically validated and released across environments with minimal manual intervention. This reduces human error, speeds up delivery, and ensures consistent deployments across staging and production.
Security and Privacy Practices
- All pipeline executions run in isolated environments (ephemeral containers or VMs) to prevent cross-project interference.
- Secrets (API keys, database passwords, cloud credentials) used in pipelines are stored in secure vaults and injected only at runtime.
- Build artifacts are verified for integrity before being pushed to the next stage of the pipeline.
- Logs generated during pipeline runs exclude sensitive environment variables to prevent leakage.
- Pipelines enforce role-based permissions, ensuring only authorised users can modify or trigger deployments.
- CI/CD operations follow industry best practices for secure DevOps (DevSecOps), embedding security checks early in the pipeline.
- Integration with third-party tools (e.g., AWS, GitHub, GitLab) adheres to their compliance and security requirements.
- Users retain full visibility over pipeline executions through audit trails and build logs.
- Compliance features such as code signing, dependency scanning, and vulnerability reporting can be enabled to meet regulatory needs.
DNS Configuration
Overview: Cloudsania supports domain and DNS configurations through integrations with Cloudflare, AWS Route 53, and DigitalOcean DNS, simplifying how applications are exposed to the internet.
Security and Privacy Practices
- Integrations are handled securely via encrypted API credentials.
- Through Cloudflare, users can benefit from built-in features such as DDoS protection, SSL/TLS encryption, caching, and proxy support.
- API keys are encrypted and stored securely within Cloudsania.
- Route 53 provides access to a global DNS network, health checks, and traffic routing functionality.
- DigitalOcean DNS enables fast propagation, simple record management, forwarding, and load balancing support.
- Access is governed by role-based permissions, and all changes are logged for auditing purposes.
- DNS providers themselves adhere to major compliance standards like ISO 27001, SOC 2, and GDPR.
- Cloudsania handles the integration securely, while the core DNS and security features (like DDoS protection or SSL) remain within the provider’s service.
- Users maintain control: DNS records are not stored in Cloudsania, only synced securely with the chosen provider. Logs provide visibility and traceability when domains are modified.
Add-Ons
Overview: Cloudsania’s Add-Ons feature allows users to extend their environments with pre-configured, managed services such as PostgreSQL and MySQL. These add-ons are deployed as isolated, containerized instances alongside primary workloads, simplifying the setup of essential infrastructure like relational databases.
Security and Privacy Practices
- Each Add-On runs in its own secure container, ensuring logical isolation from other workloads.
- PostgreSQL instances support automated backups and high-availability configurations to safeguard data and ensure resilience.
- MySQL add-ons include automated maintenance routines, performance monitoring, and encryption of stored data at rest.
- Add-ons support one-click provisioning with managed updates, performance metrics, and crash recovery capabilities.
- Built-in backups and isolated deployment align with standards like SOC 2 and ISO 27001, supporting data reliability and operational security.
- Encryption at rest for MySQL ensures that sensitive data remains confidential even if the underlying infrastructure is compromised.
- With performance monitoring and logging, users can maintain oversight of their database operations to meet internal or regulatory audit requirements.
- It remains the client’s responsibility to manage database access credentials, schema-level permissions, and application-level security.