Cintoo Cloud Hosting Options & Cybersecurity

Created by Cyril Deguet, Modified on Mon, 22 May 2023 at 10:28 AM by Cyril Deguet

Introduction

Cintoo Cloud™ Reality Data management and collaboration solution is delivered to you via the cloud.


The cloud provides the flexibility, scalability, and reliability you need, to simply switch on more computing power, storage or new services as you require them, so Cintoo Cloud™ can grow with you.

Security in the cloud is also recognized as better than on-premises, with broad security certification and accreditation, data encryption and strong data center physical security, all providing a more secure way to manage your business’ IT infrastructure.


Different organizations have different cloud requirements, and these are often determined by your IT strategy, existing infrastructure, and security policies. Cintoo provides flexibility around cloud options, relying on Microsoft Azure and Amazon Web Services (AWS), the two largest providers of cloud services globally.


This document describes those various options and the overall cybersecurity measures that have been put in place by Cintoo to ensure the most secure cloud service to our customers. Further information can be disclosed upon the signature of a Non-Disclosure Agreement (NDA).



Customer Metadata Versus Customer Files

Cintoo Cloud™ divides customer data into two distinct types: 

  • The Customer Metadata is all the data that concerns users, members or viewers. 
  • The Customer Files are the data uploaded by the customer and the data generated by the customer when using Cintoo Cloud tools.



Cloud Hosting Options for Customer Data

Preamble: 

  • All the customer data is stored in different ‘Data Center Regions’ in Microsoft Azure or Amazon Web Services (AWS) data centers.
  • Customer Files are stored in object stores (Microsoft Azure Blob or AWS S3 or any compatible storage).
  • Customer Metadata is stored in an SQL database currently hosted in Microsoft Azure.
  • There is no Customer Metadata or Customer Files on local servers or repositories at Cintoo offices.


Definitions: 

  • A ‘Data Center Region’ is a collection of one or more data centers interconnected by a low latency, high-bandwidth network, and is usually within a discrete market or ‘geography’, typically containing two or more regions, that preserves data residency and compliance boundaries. This allows organizations with specific data-residency and compliance needs to keep their data and applications close.
  • Content Delivery Network (CDN) may be activated or not when selecting the hosting option for a given project. CDN is a geographically distributed network of proxy servers and their data centers. CDN provides high availability and high performance to end-users.
    • When CDN is used, data is temporarily cached in the CDN to improve streaming performances for end-users that may be located anywhere around the globe. Data is removed from CDN after 30 days following the last access.
    • When CDN is not used, data will always remain in the selected data center region with no distribution in proxy servers.

Cintoo Cloud hosting architecture:

 

Hosting options: 

  • The Customer Metadata is currently stored in a managed SQL database hosted in:
    • Either Central US (Iowa), with a backup in East US (Virginia).
    • Or West Europe region (Netherlands - Amsterdam) with a backup in Azure North Europe (Ireland - Dublin).
    • The customer may request to Cintoo to select either one of these 2 options (US / EU) prior to the first project creation.


  • The Customer Files are stored in one of the following cloud ‘regions’, depending on the hosting option chosen by the Customer’s Project Manager when creating a project.
    • If CDN is used, hosting is either in Europe or in the US depending on the customer location, with potential caching in any CDN point of presence.
    • If CDN is not used, the following cloud options can be selected by the Project Manager for each project individually:
      • AWS - Asia Pacific (Sydney)
      • AWS - Asia Pacific (Jakarta)
      • AWS - Canada (Central)
      • AWS - Europe (Frankfurt)
      • AWS - Europe (London)
      • AWS - US East (N. Virginia)
      • AWS - US West (Oregon)
      • Azure - Australia East (Sydney)
      • Azure - Brazil South (Sao Paulo State)
      • Azure - Canada Central (Toronto)
      • Azure - France Central (Paris)
      • Azure - Norway (Oslo / Stavenger)
      • Azure - Southeast Asia (Singapore)
      • Azure - Switzerland North (Zurich)
      • Azure - UK South (London)
      • Azure - West Europe (Netherlands)
      • Azure - West US (Washington)
    • If the region that you really need for your project is not available in this list, please contact the Cintoo team at support_at_cintoo.com to check the availability of other regions proposed by Azure and AWS (extra fees may apply):
      • Click here for a list of all current Azure datacenter regions
      • Click here for a list of all current Amazon Web Services datacenter regions
    • Some of the US regions from Azure and AWS have a FedRAMP (Federal Risk and Authorization Management Program) certification, which may be required for projects dealing with US Federal & Government Agencies. 
      • More about FedRAMP here
      • More about FedRAMP at Microsoft Azure here
      • More about FedRAMP at Amazon Web Services here.


Service scalability is guaranteed by our usage of elastic cloud resources, which are closely monitored in real time. Application performance is continuously monitored and improved to ensure that the platform remains scalable in terms of users, projects, scans, etc.



Hybrid Cloud Option 

The Hybrid Cloud option is available for organizations that need to ensure that the Customer Files are stored in the organization’s own network.

  • All the Customer Files remain stored in the organization’s private instances of Azure or AWS, with Cintoo Cloud™ streaming this data directly from this private storage to the user’s browser.
  • Cintoo then provides access to the Cintoo Connect application within the customer’s own cloud environment, enabling users to access and collaborate on Customer Files directly in the customer’s cloud.
        

Customer Metadata remains hosted in either Central US (Iowa), or in West Europe region, depending on the selection made by the Account Admin when creating the Cintoo Cloud account. Backups are stored in different location.


Additional fees will apply to implement this Hybrid Cloud option. 



Data Segregation 

For Customer Metadata

  • As Cintoo Cloud is a community platform, it handles the data of multiple customers who may provide access to users that have already a Cintoo account from other customers or from previous jobs.
  • For users accessing Cintoo Cloud via the generic URL (aec.cintoo.com), there is a default tenant that allows to share users between various accounts or customers: 

  • For users accessing Cintoo Cloud from a custom URL (company.cintoo.cloud), there is one tenant per customer: 


For Customer Files

  • Segregation of data for each project is ensured by storing Customer Files in a dedicated folder in the object store for each project (or even in a dedicated object store).
  • If the Hybrid Cloud hosting option is chosen, Customer Files can be stored and controlled by the customer himself. 



Access Management and Authentication

The default authentication method on the Cintoo Cloud platform is based on login/password, with the best recommended security measures and practices in place. 

User access management is built in the Cintoo Cloud platform. It is handled by customers with the account admins and roles and permissions features These features are customizable to offer the right level of granularity to the administrators setting up roles and permissions for their users.

 



In addition to these 5 preset roles, Account Admins can also define custom roles for more granularity.


An audit track of all the user invitations to a given project is maintained and visible in the application. Account Admins can export Usage Reports from the Administration tools of Cintoo Cloud, providing information on all users in all projects for each day over the last week, last month or last 3 months, Available information is the following:

Every access to customer data and login attempts are logged, so suspicious activities can be tracked, investigated and audited. However, the responsibility of assigning the right roles / permissions to the right users is up to the Administrators and the co-Administrators.


Cintoo’s own applications are all secured using Azure AD Single Sign On (SSO) with mandatory MFA enabled for all users. 


Customer’s data can be accessed only by Cintoo’s support engineers after explicit customer approval, and only in the case when this is required to investigate production incidents and bug fixes. Such access is logged and can be audited.



Corporate Single Sign On (SSO) 

Cintoo Cloud can be integrated with your corporate Single Sign-On (SSO) solution, in order to fulfill corporate security requirements and simplify user management. The advantages of Corporate SSO are beyond having a single password to remember. It’s about adopting the company’s policy for user access, authentication, and password controls (e.g.: password changes every 3 months, password configurations, no-reuse of former passwords…). By implementing the Corporate SSO, Cintoo Cloud becomes compliant to this policy by essence.


Cintoo Cloud supports OpenID Connect (OIDC) and SAML protocols, and is known to work with the following identity providers: 

  • Azure AD (preferred provider)
  • Microsoft ADFS
  • Okta / Okta MyID
  • Ping Federate 

Contact your Cintoo sales representative or sales@cintoo.com to subscribe to the SSO option for your Cintoo account. Extra fee will be required for this implementation.



SOC 2 Compliance

Cintoo has developed an Internal Control Framework based on COSO, COBIT 5 and ISO 27001, which is validated every year by a SOC 2 Type 2 Audit. The latest audit can be made available to Customers upon the signature of a Non-Disclosure Agreement.

Cintoo’s Information System Security Policy (“ISSP”), IT Policy, Operating Procedure, and Security Procedure define an organization-wide approach to how systems and data are protected. These include policies around how the service is designed and developed, how the system is operated and managed, and how employees are hired and trained The “ISSP” and its controls are reviewed on a yearly basis to ensure the highest level of security and compliance 



Penetration Testing 

In addition to daily oversight, Cintoo engages with third-party company to perform bi-annual penetration testing. Penetration testing reports can be made available upon the signature of a Non-Disclosure Agreement. 



GDPR

Cintoo’s services and security commitments to customers relating to its Cloud platform are documented and communicated via the following documents, all accessible online via Cintoo Cloud. 

  • Terms of Services
    • The Terms of Services govern access to and use of Cintoo Cloud and related services by Cintoo’s customers.
    • All Cintoo Cloud users need to accept such Terms of Services when creating their account.
  • Data Processing Agreement
    • The Data Processing Agreement is an addendum to the Terms of Services between Cintoo and its customers. This agreement documents and communicates requirements around customer data handling and processing, including data security and incident handling requirements as well as customer responsibilities as part of the EU’s General Data Protection Regulation (“GDPR”).
    • The Data Processing Agreement must be accepted by the Account Admin when creating the Cintoo Cloud account.  


Data Retention and Deletion

For Customer Metadata

  • Deleted Customer Metadata stored in the SQL database is kept for 3 months for audit purpose.
  • In case the customer explicitly asks for deletion, this data will be kept in the database backups for 30 days only. 

For Customer Files

  • When a project is deleted from Cintoo Cloud (either explicitly by the customer or following subscription termination), an automated process deletes all the Customer Files from the object store 1 month after (or sooner if explicitly asked by the customer) if the default public cloud hosting is used.
  • In case the Hybrid Cloud option is chosen by the customer, the customer is then responsible for managing Customer Files, including their deletion.

 


Data Backup & Recovery

Cintoo maintains formalized backup and data recovery procedures. Customer files are stored and replicated in real-time in several data centers based on availability zones or regions. Furthermore, customer data has a 30-day incremental backup recovery period, which means that any client can at any time recover the integrality of modifications made in the previous 30 days.



Disaster Recovery and Business Continuity

Cintoo’s overall Disaster Recovery (DR) and Business Continuity (BC) strategy is to offload all our critical internal IT to the cloud, so that a disaster in our office would have a minimal to no impact. All employees can operate and monitor the service in any situation. A careful knowledge management is in place to guarantee business continuity. The person in charge of the DR / BC strategy is clearly assigned within the organization.


Our DR plan for Cintoo Cloud service mainly relies on geographic replication of all our Azure and AWS storage resources, thanks to the usage of availability zones or paired regions. The SQL database for the Customer Metadata is replicated in real time in another Azure region, allowing for a fast recovery in case of regional outage. The whole cloud infrastructure deployment is automated using infrastructure as code, so can be recreated from scratch within 1 hour. The failover to another region of an Azure storage account takes about 1 hour as well.


The DR plan is tested annually to ensure that the high availability architecture is working as expected.


The SQL database is backed up in real time in another cloud region, and backups can be restored from any point in time in the last 30 days. Restore tests are performed annually as part of the DR plan testing.

The Recovery Time Objective ("RTO") and Recovery Point Objective ("RPO") details can be provided upon the signature of a Non-Disclosure Agreement (NDA). 



Service Level Objectives 

Cintoo Cloud service comes from a High Availability architecture, ensured by redundancy at all the levels of the infrastructure and the usage of managed cloud services.


Cintoo will provide the services twenty-four (24) hours per day, 365 days per year with an Availability of 99.5% per month (SLA), excluding scheduled maintenance. Cintoo provides its customers with its maintenance schedule and will notify them in advance of any non-scheduled maintenance. 



Encryption 

All the data stored in Azure storage and AWS is encrypted at rest using AES 256. The encryption keys are managed by Azure and AWS and stored separately from the encrypted data: 

  • https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption
  • https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

Evidence of proper key management can be found in Azure and AWS SOC 2 reports. 


All the network transfers are secured with TLS 1.2+. Data in public clouds and encrypted in motion using TLS 1.2+. 



Software Development

Cintoo follows all the secure coding recommendations and best practices of the OWASP.


These best practices are ensured by systematic code reviews which are mandatory before promoting new code to the development environment.


Technical vulnerabilities are regularly assessed by code reviews, automated QA tests and manual penetration tests. Any vulnerability is tracked addressed to the highest priority.


All the employee workstations are equipped with antivirus software and kept updated to the latest OS security patches. A procedure is in place to ensure the logs analysis or uncommon events detection and contribute to ensure protection against external attackers.


The only access to Cintoo internal network from the outside is done through a VPN and a firewall configured with a deny-by-default policy.  

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article