Information collected and used
* Your customer information (email, password of your customer account, and possibly business name, first and last name of the contact, address, postal code, country and VAT number) is stored when you register. This information allows us to bill the service if you choose the paid offer.
* If you have subscribed to the paid offer, we also store the following information: your SEPA mandate if you have chosen SEPA payment, or the last 4 digits of your card if you have opted for card payment. The full details of your credit card, required for payment by card, are not stored by us but by our payment provider Stripe (the world leader in online payment). We never see them: each debit is made through a request that we send to this provider. When you fill in your bank details, they are sent directly to Stripe and are therefore not stored on our servers.
* You have the option to request the deletion of your account and the above information at any time.
* The contact for privacy policy and GDPR matters for our services is our Data Protection Officer: firstname.lastname@example.org
Data Storage and Backups
* The collected data (see ‘Information collected and used’) is stored in a database. The password itself is not stored: to validate your login to your customer area, we store only a fingerprint (hash) of this password, generated by the SHA256 non-reversible hash function.
* Once you have subscribed to the paid offer, a backup is made daily and stored on independent storage disks hosted by OVH in Europe (France). Only the last 30 days are kept.
* Our services rely on the following subcontractors and services:
** The host of our computer servers, which is OVH. These servers are hosted in Europe (France). No customer information is communicated to this subcontractor, who only provides the hardware and network layer; installation and operation are carried out by us directly.
** The online payment service Stripe, which is used to collect the recurring subscription payment. When you fill in your credit card details, they are sent directly to Stripe as you enter the number to make the payment. This means we never know your credit card data: Stripe gives us only the last 4 digits, which allows us to identify and analyze payment problems.
** The Sendgrid email relay service, which is used to relay GLPI email notifications when the “PHP” mail mode (the default) is used and you do not specify your own SMTP server in the GLPI configuration.
* Our GLPI Cloud architecture is protected from the Internet by the OVHCloud Network Firewall (which also provides anti-DDoS protection) with strict security rules. Only well-defined protocols are allowed (HTTPS only); everything else is blocked before it even reaches the GLPI Cloud instances (whether they are on the Public or Private offer). The Linux firewall is also enabled on each instance (to protect instances inside OVHCloud networks), with the same protocol restrictions as on the upstream firewalls. On the Private offer, external HTTPS access can additionally be filtered to public IP ranges identified by the client.
* Maintenance access for TECLIB teams is only possible from a dedicated TECLIB SSH bastion. Access to this bastion is only possible through a VPN connection authenticated by a nominative (per-person) certificate, renewed each year and revoked in the event of a problem or the departure of an employee.
* Server maintenance is carried out and supervised from the Ubuntu Landscape tool, together with our inventory tool dedicated to Cloud instances (GLPI, of course), in which we carry out impact assessments, alerts on versions, disk space, domains and certificates, and tracking of changes, problems, incidents, etc.
Security fixes (GLPI application)
* As part of our bug fixing commitment, we deploy security patches on Cloud instances even before the code is published on the community development space (GitHub).
Security / supervision tools
* Our installations comply with at least the reinforced level described in the document “SECURITY RECOMMENDATIONS RELATING TO A GNU / LINUX SYSTEM” published by ANSSI: https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ .
* We use the following tools:
- rkhunter (antirootkit)
- afick (file integrity controller)
- AppArmor (security profiles per application)
- fail2ban (intrusion prevention, 404 anti-flood, anti-discovery)
- ModSecurity (web application firewall, Apache module)
- lynis (audit of compliance with security hardening guidelines)
- fluentd (log collection)
- graylog (aggregation / log alerts)
- uptimerobot (external availability probe)
- datadog (monitoring of resources)
- healthchecks (cron monitoring)
- GLPI (inventory / CMDB / project / change / incident / problem)
- mattermost (centralization of notifications / team chat)
* Our services run on Ubuntu Linux systems and software. They benefit from regular security updates as the operating system vendor (Canonical, for Ubuntu) publishes them.
* Our services are accessible over HTTPS (encrypted HTTP) only, using TLS certificates signed with SHA256.
* Our technical platform is protected by various state-of-the-art computer security measures: firewall, IP banning tools, spam detection and DoS protection, anti-injection and anti-XSS protections in the software used for the customer area and provided to users. Testing of these software components is done automatically via the PHPUnit and Travis-CI tools.
* In case of a suspected theft of the data we have collected (see the first section, ‘Information collected and used’), customers will be informed by email at the address corresponding to their customer account.