CIPO Cloud runs in the Microsoft Azure datacenters. The policies described here cover:
The following is a high-level diagram of CIPO Cloud. Two datacenters are normally involved:
CIPO Cloud is an advanced, highly configurable construction project management system made for owners.
Securing your data and the data you create within CIPO is a top priority for us. CIPO Cloud leverages robust policies, controls, and systems to protect your data. CIPO Cloud leverages Microsoft Azure to create a secure system.
This is your data. We give you extensive control for privacy and availability. CIPO Cloud is open and transparent; we will tell you exactly how CIPO Cloud accesses data in your systems, where data is stored, and how data is transmitted. If you end your subscription, you can take your data with you.
CIPO Cloud is hosted in Microsoft Azure infrastructure, thus we inherit all the security of Microsoft Azure including physical security and threat protection. More information is available here: https://www.microsoft.com/en-us/trustcenter/CloudServices/Azure
CIPO Cloud takes the security of your information very seriously. The actions we take are detailed below:
CIPO Cloud personnel require administration access to the computing resources which deliver CIPO Cloud SaaS. Administration requires access to the Azure Console, the Azure Services and Data Storage used to run CIPO Cloud Software. The access details are as follows:
CIPO Cloud limits access to the Azure Console to the following CIPO Cloud roles:
Authentication to the console utilizes two-factor authentication: username/password and a physical device. Communication with the console uses HTTPS.
CIPO Cloud IT personnel access Azure via the internet using Google Chrome. By policy, all CIPO Cloud IT personnel use CIPO Cloud issued computers with anti-malware and anti-virus software. When an employee ceases employment at CIPO Cloud, all access to CIPO Cloud systems is terminated for that employee.
Azure Monitoring is used to assure the proper functioning of the systems. The monitoring includes alerts on key operation metrics. Alerts are sent directly to the CIPO Cloud support desk.
Azure Log and Audit is enabled to facilitate troubleshooting issues and incidents. The following logs are enabled:
The CIPO Cloud application uses HTTPS and is accessible from any IP address.
CIPO Cloud also inherits threat management from Microsoft Azure. Microsoft continuously monitors servers, networks, and applications to detect threats. Threat risks are reduced through the following technologies:
CIPO Cloud also leverages Microsoft’s anti-Malware to further reduce the threat risk. This is a standard extension of Azure. You can read about it here: https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware.
CIPO Cloud at this time is developing an incident response plan.
CIPO Cloud leverages Azure Active Directory to manage users and to provide authentication, identity management, and access control. CIPO Cloud also supports federating with the customer’s identity provider. This gives the customer full control of authentication methods, users with access, and the access rights of the user.
CIPO Cloud supports three identity models for set up and user account management; all leverage Azure Active Directory:
Cloud Identity uses Azure Active Directory (AAD). This allows you to set up CIPO Cloud users and groups that are unique to CIPO Cloud and requires no on-premises Active Directory (AD). This is convenient for managing smaller teams or when synchronizing with the customer’s identity provider is not desired.
Synchronized identity allows synchronizing your AD identities with AAD. This has the convenience of managing your users on-premises while giving them access to CIPO Cloud. Users still need to log on to CIPO Cloud via AAD, but they can use the same password they use to log into your on-premises systems.
Federated identity goes a step beyond synchronized identity. The users can sign into CIPO Cloud with their on-premises password, but while they're on the corporate network, they don't even have to enter their passwords.
CIPO Cloud supports Azure Multi-Factor Authentication (MFA). CIPO Cloud supports the following MFA methods:
CIPO Cloud encrypts data at rest and in transit.
For data in transit, CIPO Cloud uses industry-standard TLS/SSL between all client browsers and the CIPO Cloud application server. This includes CIPO Cloud browser-based applications such as CIPO Cloud Workbench and all CIPO Cloud Connectors. Optionally, CIPO Cloud can integrate with a corporate VPN.
CIPO Cloud utilizes a public-private key pair for TLS/SSL. The domain name is cipo.io. The private certificate for TLS/SSL is managed with Azure Key Vault. The public and private key are trusted by a root certificate authority.
Data at rest is the data that CIPO Cloud stores and accesses as part of viewing or working with the data. By default, data is encrypted using Microsoft Managed Keys for Azure Blobs, Tables, Files and Queues. For data stored in the Azure SQL database, Transparent Data Encryption is used, which performs real-time encryption and decryption of the database, associated backups, and transaction log files.
CIPO Cloud automatically performs backups of all data daily; backups do not disrupt CIPO Cloud availability. The backups are used for disaster recovery and other system level issues.
Backup files are stored on Microsoft Azure Storage. Azure Storage provides two important features:
Some features may require additional costs.
CIPO Cloud Access to Your Data
By default, CIPO Cloud personnel have no standing administrative access and no standing access to customer’s data. Tasks such as backups are automated. Support scenarios involving specific data analyses or data visualization may require access to customer data. CIPO Cloud will always leverage web meetings and the customer controls all access. A CIPO Cloud engineer may have limited, audited, secured access for a limited amount of time, when necessary for service operation. Access must be approved by CIPO Cloud senior management.
CIPO Cloud collects usage data. CIPO Cloud uses this data to make the product better and to better support our customers. This data contains no sensitive customer information. Customers may opt out of providing this data. Details are available in the CIPO Cloud Privacy Notice.
CIPO Cloud will dispose of all customer data no later than 3 months after subscription term or upon written request.
CIPO Cloud runs on Secured Infrastructure which supplies a level of protection to the application. CIPO Cloud also incorporates a high level of automated tests as part of the CIPO Cloud Software Development Lifecycle. The CIPO Cloud test plan is available upon request.
CIPO Cloud also leverages an inherently secure architecture:
The CIPO Cloud Development process includes use of code analyzers to identify and/or measure:
CIPO Cloud actively monitors infrastructure and CIPO Cloud processes and performance.
Change and Patch Management
CIPO Cloud’s policy is to keep all software up-to-date with the latest release including all patches.
CIPO Cloud runs on Microsoft Azure and therefore benefits from Microsoft’s compliance approach described here. Microsoft has the following Compliance offerings and these are available to our customers:
CIPO Cloud at this time has no compliance certifications. CIPO Cloud will work with our customers on setting compliance priorities.
CIPO Cloud gives our customers visibility into how we handle your data. CIPO Cloud runs in Microsoft Azure and thus benefits from Microsoft Azure’s trust and transparency.
CIPO Cloud makes our policies clear and accessible to you.
Where your Data is Stored
CIPO Cloud runs in Microsoft Azure Datacenters. CIPO Cloud can inform you of the specific regions where your data is stored; CIPO Cloud can also store your data in supported regions by request.
Upon request CIPO Cloud can supply a complete system backup containing all data that is associated with your tenant and contained in CIPO Cloud; CIPO Cloud will provide the system backup within 3 business days of written request.
Response to Government Requests
If a government or law enforcement agency makes a lawful demand for customer data from CIPO Cloud, CIPO Cloud will follow these practices:
If you have any questions about CIPO Cloud's Trust Policy, please contact us at email@example.com.