Data Security

Commitments made by OVHcloud to benchmark its security framework for confidentiality, availability, and integrity as a cloud services provider.

To verify compliance and evaluate our systems' performance, OVHcloud conducts security audits on a periodic basis. These security audits include the following:

• External audits (certifications and attestations);
• Internal audits, carried out by internal or external auditors;
• Technical audits (penetration testing, vulnerability scans, and policy compliance audits), carried out by internal or external auditors; and
• Data Center audits are carried out by internal and external auditors.

If a non-compliance instance is identified, corrective measures are applied to action plans, as applicable. Corrective measures are tracked and regularly reviewed until resolution.

Recommendations for the customer in charge of processing

Customers must ensure that their contact information is accurate, so that OVH can notify them of any changes that could potentially have an impact on their solutions. Where appropriate, customers are responsible for making the necessary modifications to the configuration of their services in order to take these changes into account.

Commitments made by OVH in its capacity as a hosting provider

A formal change management procedure is put in place:

• roles and responsibilities are clearly defined;
• criteria for classification are set out in order to identify the steps to follow as part of implementing the change;
• priorities are managed; the risks associated with the changes are analysed (if a risk is identified, the security manager and risk manager work together to validate the change);
• intrusion tests may be carried out (where applicable); the change is planned and scheduled with the customers (where applicable);
• the change is rolled out gradually (1/10/100/1000) and, if there is a risk, a rollback procedure must be planned for;
• a retrospective review of the various assets concerned by the change is carried out;
• all steps are documented in the change management tool.

Commitments made by OVH in its capacity as a hosting provider

Processes for OVH developers are set up and documented. These processes contain the principles of secure development, “privacy by design” measures, and a code review policy (vulnerability detection, error processing, managing access and entry and protecting storage and communications).

• Code reviews are also carried out on a regular basis:
• new features are validated prior to launch, tested in a validation environment (where applicable) and rolled out gradually (1/10/100/1000);
• a distinction is drawn in terms of roles and responsibilities between developers and the persons responsible for launching production.

OVHcloud is committed to monitoring its services and infrastructure in its capacity as a cloud services provider.

OVHcloud has a monitoring system for all its services and infrastructure. This program has the following objectives:

• Detect production and security incidents;
• Monitor for critical alerts being escalated;
• Communication with subject matter experts to trigger appropriate procedures;
• Ensure continuity of services of automated tasks; and
• Ensure the integrity of the systems being monitored.

OVHcloud is committed to maintaining an incident management process in its capacity as a cloud services provider.

OVHcloud has an incident management process to prevent, detect, contain, and resolve service and infrastructure issues. The incident management process includes:

• Classification of Security Events Guide;
• Handling Security Events Procedures;
• Incident Response Plans and Tests; and
• Customer Communication Procedures.

Customers are responsible for maintaining accurate contact information in order to allow OVHcloud personnel to notify them in the event an incident occurs. In addition, customers are responsible for their own incident management procedures impacting their infrastructures which possibly could include OVHcloud notifications.

OVHcloud is committed to managing vulnerability assessments in its capacity as a cloud services provider.

OVHcloud monitors for new vulnerabilities and their remediation via:

• Public security forums;
• Manufacturers / publishers' vulnerability alerts & patch management;
• Incidents identified by Operations teams, third parties, and/or customers; and
• Internal and external vulnerability scans performed periodically.

OVHcloud analyzes all vulnerabilities for their impact on systems and operations. Then, OVHcloud deploys mitigation measures to define and implement corrective action plans, as applicable. OVHcloud tracks all corrective action plans until resolution.

OVHcloud is committed to maintaining its business continuity management in its capacity as a cloud services provider.

OVHcloud ensures continuity of its infrastructure services (availability of equipment, application, and operating processes) through:

• System administration redundancy for servers and equipment;
• Electricity supply continuity and redundancy;
• Capacity management of OVHcloud equipment and servers;
• Water and air-cooling continuity; and
• Customer technical support.

In addition, OVHcloud has the ability to restore services in the event of an incident (e.g. network equipment configuration backups).

Customers are responsible for their backup and restoration procedures either as part of their standard package and/or as an optional configuration depending on the backup services purchased.

OVHcloud is committed to nature and environmental risk management in its capacity as a cloud services provider.

OVHcloud implements prevention measures to manage foreseeable natural events and environmental risks including:

• UPS (uninterruptible power source) for sufficient capacity management with automatic load-switching;
• Automatic switch electric generators with minimum autonomy of 48 hours;
• Water-cooling system used for servers (98% of server cooling is performed without air conditioning); and
• Fire detection and suppression systems.

OVHcloud is committed to maintaining physical site security measures in its capacity as a cloud services provider.

OVHcloud restricts physical access to sites based on proper segregation of duties. Each physical site is restricted based on the following:

• General office areas are accessible to employees and registered visitors;
• Confidential offices access is restricted to authorized personnel only;
• Data Center equipment areas are restricted to confidential access; and
• Data Center hosting areas are deemed critical access.

OVHcloud's physical site security measures to regulate access include:

• Data Center equipment areas have restricted access; and
• Physical barriers are between areas;
• Cameras at entrances and exits throughout the site;
• Secure access controlled via badge readers;
• Car traps are deployed for single-vehicle access via badge readers.
• Security personnel monitor & control vehicular access 24/7/365.
• Data Center “Mantraps” are used to access the Data Hall ensuring authorized access only; and
• Security guards are monitoring 24/7/365 along with video surveillance.

Commitments made by OVHcloud in its capacity as a hosting provider

Security measures are taken to regulate access to OVHcloud’s physical sites:

• an access permissions policy;
• walls (or equivalent dispositions) between each area;
• cameras located at the entrances and exits to installations, as well as in the server rooms;
• secure access, controlled by badge readers;
• laser barriers in the car parks;
• a motion detection system;
• burglary prevention systems at the entrances and exits to data centres;
• intrusion detection mechanisms (security guards 24 hours a day and video surveillance);
• a permanent surveillance center monitoring when the entrance and exit doors are opened.

OVHcloud is committed to restricting access to OVHcloud sites in its capacity as a cloud services provider.

OVHcloud physical access controls utilize badge systems. The access restriction procedures include the following control mechanisms:

• When entering an OVHcloud site, all individuals are assigned badges associated with their identity;
• All personal identities are verified prior to being issued badge access to OVHcloud sites;
• Badges must be worn at all times and visible while on the OVHcloud premises;
• Visitors' badges are deactivated once their physical access is no longer required or authorized; and
• Employees' badges are active for the duration of their employment and deactivated during the off-boarding procedures.

OVHcloud is committed to managing area access in its capacity as a cloud services provider.

Standard Badge Access Controls are:

• Doors are controlled by a centralized access management system;
• Persons must badge-in to enter a designated area; and
• Badge access at each door enables the automated verification of the individual's profile rights.

Key Door Access Controls are:

• Keys are stored in a centralized access restricted location;
• Keys' purpose is documented;
• Keys are inventoried; and
• Keys have traceable audit logs.

Access Controls to Data Centers via Mantraps are:

• Mantraps have tailgating sensors;
• Only one Mantrap door can be open at a time;
• Mantraps are controlled by badge access;
• Mantraps utilizes biometric multi-factor authentication (anti-piggybacking); and
• Mantrap cameras are installed outside the entrances & exits.

Access Controls to the Equipment Traps are:

• Equipment delivery vestibule is configured like the Data Center Mantrap entrances, except a larger area with no biometric multi-factor authentication;
• Equipment Trap is monitored by Security personnel 24/7/365, and there is no badge access within the Equipment Trap; and
• Cameras are installed in the delivery vestibule preventing blind spots.

OVHcloud is committed to third-party access management in its capacity as a cloud services provider.

OVHcloud strictly supervises the movements of visitors and service providers when on OVHcloud sites. These persons are logged as soon as they arrive on-site and issued with a visitor badge. Visitors and service providers are subject to the following controls:

• All on-site visits must be scheduled in advance;
• Third-party vendors must be escorted by OVHcloud employees;
• All identities are verified with government-issued documents prior to gaining access;
• Badges must always be worn in a visible manner; and
• Badges are deactivated at the end of the visit.

OVHcloud is committed to providing security awareness and skill development training for all its personnel in its capacity as a cloud services provider.

Security awareness training is conducted during new hires’ onboarding and during an annual security awareness campaign for the entire organization. In addition, Security awareness announcements are communicated regularly to the organization.

OVHcloud Security and Compliance personnel complete continuing professional education (CPE) required for professional certifications. Technical training sessions are provided to IT System Engineering teams for their continuous job skills development.

OVHcloud is committed to managing logical access to OVHcloud systems in its capacity as a cloud services provider.

OVHcloud applies a strict policy of access rights management. This policy includes the following provisions:

• Access authorizations are issued following the principle of "Least Privilege";
• Access rights should be based on roles versus individual access rights;
• Access grants to applications and systems are managed by provisioning procedures for the initial access, modification, and removal of access authorized by Human Resources, Managers, and IT Support.
• All employees utilize unique user ID accounts;
• Sessions systematically timeout after a period of inactivity;
• Use of generic and/or anonymous user accounts is prohibited;
• A strict password policy is applied;
• Passwords should be randomly generated;
• Endpoint devices have a minimum password length of 10 alphanumeric characters;
• Storing passwords in an unencrypted format, written down on paper, or saved in web browsers is prohibited;
• Local password management software must be authorized by IT Security;
• Remote access to OVHcloud IT systems must be via a VPN with a secure password and a client certificate configuration on their workstation.

Commitments made by OVH in its capacity as a hosting provider

A policy for managing administrator access rights for platforms is applied:

• all administrator access to live systems is realised via a bastion host;
• administrators connect to the bastion hosts via SSH, using individual and nominative pairs of public and private keys;
• connection to the target system is realised either via a shared service account or via a nominative account and bastion hosts; using default accounts on systems and equipment is prohibited;
• dual-factor authentication is mandatory for remote administrator access and for any employees accessing sensitive areas of the system, with such access being fully traced;
• administrators have an account exclusively devoted to administration tasks, in addition to their standard user account;
• authorisations are granted and monitored by managers, in accordance with the principle of least privilege and the principle of gaining trust;
• SSH keys are protected by a password that meets the requirements of the password policy; access rights are reviewed on a regular basis, in collaboration with the departments concerned.

Recommendations for the customer in charge of processing

Customers are responsible for managing and ensuring the security of their methods of authentication. Customers wishing to give their account added protection can: activate two-factor authentication in their OVH Control Panel; only allow connections from a list of IP addresses, defined ahead of time.

Commitments made by OVH in its capacity as a hosting provider

Customers can manage their OVH services from their Control Panel or the API. Customers can manage their OVH services from their Control Panel or the API. Default access is via a nominative account (NIC handle) and a password:

• the password is chosen by the customer and must meet the complexity criteria imposed by the interface;
• only the hashes of the passwords are stored on OVH’s servers;
• OVH offers the option of activating dual-factor authentication via the Control Panel, using a system of one-time passwords (OTP) sent by SMS, a mobile application, or a U2F-compatible key.
• Customers may restrict access to their Control Panel to certain predefined IP addresses;
• the API’s access tokens are usable for as long as they remain valid, and no specific subsequent verifications need to be applied;
• all customer activity in the Control Panel or the API is logged;
• customers can choose to handle the technical and administrative tasks associated with the management of their services separately.

OVHcloud is committed to workstation and mobile device security in its capacity as a cloud services provider.

OVHcloud has workstation security controls in place including the following:

• Operating system updates are managed automatically;
• Endpoint devices' hard drives are systematically encrypted;
• Potentially compromised workstations are handled in accordance with Security Incident Procedures; and
• Terminated employees' devices are wiped and re-imaged.

OVHcloud has mobile device security controls in place for both employee or corporate-owned. These security control standards include the following:

• Mobile devices must be registered in a centralized device management (MDM) system before being granted access to internal systems;
• Security policies are enforced via MDM automation;
• Mobile devices can be remotely wiped if lost or stolen.

Customers must ensure their workstations and mobile devices accessing OVHcloud services have adequate security controls in place.

OVHcloud is committed to preserving network security in its capacity as a cloud services provider.

OVHcloud manages a high-performance fiber optic private network, connected to numerous operators and forwarding agents. OVHcloud manages its own internal network backbone. This backbone distributes connectivity to each US Data Center's local network as well to other international OVHcloud Data Centers.

All network equipment is secured using the following security measures:

• An inventory is kept within a configuration management database;
• A standard hardening process is in place, featuring parameter guidance set to ensure a secure configuration;
• Administrator access to network equipment is reserved for authorized staff;
• All equipment is administered via a bastion host, applying the principle of least privilege;
• All network equipment configurations are backed up;
• Audit logs are collected, centralized, and monitored by the network operations team; and
• Network configurations are deployed automatically, based on authorized templates.

Customers are responsible for encrypting data communications through the OVHcloud network.

OVHcloud is committed to maintaining a business continuity plan in its capacity as a cloud services provider.

OVHcloud has implemented a Backup Policy for the servers and network equipment used to provide its services. Per the Backup Policy:

• All systems and data necessary for the continuity of services, reconstructing of IT systems, and /or audit logs are backed up (technical and administrative database files, activity logs, internal source code, server configurations, applications, and network equipment, etc.)
• The full and incremental backups are retained in accordance with their asset classification; and
• The backup process is monitored to ensure backups are successful.

OVHcloud is committed to monitoring audit logs in its capacity as a cloud services provider.

OVHcloud has implemented a Monitoring & Logging Policy for the servers and network equipment used to deliver its services. Per the Monitoring & Logging Policy:

• Logs are backed up and centrally retained;
• Logs are consulted and analyzed by a limited number of authorized personnel; and
• Logging Tasks are segregated between the IT teams responsible for monitoring the infrastructure and those responsible for service operations.
• The list of logging activities includes the following:
  • Storage servers hosting customer data;
  • Customer infrastructure machines;
  • Infrastructure monitoring machines;
  • Antivirus software logs on all infrastructure servers and employees endpoints;
  • Integrity checks of logs and systems, where appropriate;
  • Customers' task and event transactions performed in their infrastructure;
  • Network intrusion detection logs and alerts, if appropriate;
  • Surveillance cameras infrastructure;
  • Time servers;
  • Badge readers; and
  • Bastion host(s).

Customers are responsible for their monitoring & logging policies and procedures for their own systems and applications.