How Cloud-IAM provides world-class security for companies and their users

decorative shield

What is GDPR?

The General Data Protection Regulation (GDPR / DSVGO) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was approved by the EU Parliament in April 2016 and came into effect on May 25, 2018.

What are your sub-processors, as defined by the GDPR?

Cloud-IAM uses certain sub-processors to assist it in providing to its customers the Application Services as described in the Master Services Agreement or Terms of Use available at terms-of-service or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”). Defined terms used herein shall have the same meaning as defined in the Agreement.

What is personal data?

GDPR is especially concerned about protecting personal data of individuals. Personal data (Art. 4 GDPR) consists of any information that allows us to identify a person directly or indirectly and can be anything such as a name, email address, credit card number, or documents with personal information.

How we process personal data

When you visit our websites or use our services we will most likely process your personal data in one way or another. You can find all relevant information about which data we process, our legal basis for processing, and your rights regarding your personal data in our privacy policy.

How about sub-processors?

A subprocessor is a third party data processor engaged by Cloud-IAM, including entities from within the Cloud-IAM group, who has or potentially will have access to or process Customer Content (which may contain Personal Data). Cloud-IAM engages different types of subprocessors to perform various functions as explained in the tables below.

Cloud-IAM use the following sub-processors to provide Cloud-IAM's customers cloud infrastructure environment and storage for Cloud-IAM's Keycloak Clusters. Personal data of Cloud-IAM's customers's customer will only be stored there:

Subprocessor Country of processing Purpose
Scaleway. Europe Cloud-IAM's customers Keycloak deployments
Google Inc. USA, Europe, Asia Cloud-IAM's customers Keycloak deployments
Amazon Web Services, Inc.. USA, Europe, Asia Cloud-IAM's customers Keycloak deployments

Processing of Cloud-IAM's Customer Content.Cloud-IAM work with various subprocessors that monitor, maintain and otherwise support the Cloud-IAM control-plane (Cloud-IAM's dashboard and Cloud-IAM's REST API). In order to provide this functionality these subprocessors may, but not necessarily will, have access to Cloud-IAM's Customer Content but never Cloud-IAM's customer's customer content.

Subprocessor Country of processing Purpose
Brevo Europe Automated mailing
BetterUptime Europe, Czech Republic Uptime monitoring, status page and on-call management
Crisp Europe, France Customer relations management
G Suite United States Internal company infrastructure
Matomo Paris, Europe User experience understanding in Cloud-IAM websites and products
Netlify United States Cloud-IAM dashboard static files hosting
Scaleway. Europe Cloud-IAM main infrastructure (REST API, database (Cloud-IAM's own users), logs (without PII), metrics (without PII), data exports)
Sentry United States Application monitoring and error management
Stripe United States Online payment processing services
Webflow United States CMS used for Cloud IAM's web site
YouSign France, Europe Electronic signature platform used for quote

* Note, the list of subprocessors applies to any new Cloud-IAM customers as of that date, or existing Cloud-IAM customers who have not otherwise received notice of a different effective date of this list.

Always in control

As a French SaaS we can provide the highest degree of GDPR compliance. We rely on best-in-class global companies to provide our customers with the best possible confidentiality, integrity and availability. We understand that you might not want to rely on our or our sub-processor's controls and measures to safely handle personal data of you and your customers. We can provide high-quality, that include access to our support services without accessing your data.

Guaranteed compliance with GDPR

We have batched analyzing last date of connection and activity from our customers, as well as batch deletion after 6 month of inactivity.

There are no data transfers between your deployment outside UE (I assumed your deployment will be in UE). The only data transfers that exists with our customer deployment are the cold backup we generate for disaster recovery and they are stored in a French datacenter. Furthermore, all our operatives and consultants that might access your deployment are UE located.

Cloud-IAM does not manage these users for GDPR. Regarding your own user database (i.e., your deployment), you must establish the required processes to comply with GDPR yourself and declare all data transfers that you handle independently. In this case, Cloud-IAM acts as a subprocessor, and our DPA specifies what we do.