Data protection is at the core of our business. Our security policy is organized around four main dimensions:
- Physical security: tools and procedures that physically protect equipment against the external risks to which it may be exposed.
- Logical security: tools and procedures that protect the data that circulates through and is stored on the devices, and that protect the software used to process that data.
- Operating procedures: the modelling of all our production activities and our SLAs.
- Special procedures for continuity of services and business recovery (called "resilience") that are activated when a risk materializes and causes damage.
This policy is monitored and measured continuously.
It is audited each year under two certifications:
- ISO 9001:2015 certification, IAF code 33 "Datacenter, Hosting and Housing", which reviews our operating procedures, our quality plan, and the measures taken to address threats.
- PCI DSS Level 1 certification, chapters 9 and 12, which evaluates:
  - Our procedures for physical protection of the equipment, data protection, and resilience
  - Our general information security policy and its adoption by all staff
The General Data Protection Regulation is a European regulation that applies directly throughout Europe. It concerns the protection of European citizens' personal data, whether the operators concerned are located in Europe or elsewhere in the world.
The operators concerned are all organizations that, at any point in their processes, collect, store, process or return personal data, whether that data has remained on paper or has been digitized. It follows that all companies, large and small, are concerned.
As a data hosting provider, the European regulation assigns us the role of data "processor", acting as subcontractor to the customer, who remains the owner of the data and the "controller" of the processing applied to it.
This means that our customers must establish a mapping of the personal data they collect, store, process and return. A register must be kept up to date to attest to the traceability of processing operations. Every process that handles personal data must be designed from the outset according to the principle of "privacy by design", which is what makes compliance with this regulation possible.
For our part, we must be able to attest at any time that our information security policy also complies with this regulation. For example, we need to know exactly where the data are hosted, and we must be able to detail, at any time, our data protection, resilience and reversibility procedures.
The "Tier 4" level of protection of our main datacenter in Sophia Antipolis and the security procedures set up at TAS, in particular for our certifications, are aligned with the requirements of this regulation as far as our role is concerned.
However, the sharing of responsibilities with our customers, the data "controllers", remains a constant point of attention, especially when we administer the outsourced servers. Data protection is a permanent job that cannot be decreed once and for all, especially given the human errors that can occur even in highly automated processes.
Our hosting services are formalized by personalized contracts that take into account the particular context of each customer.
Backups - Disaster Recovery Plan (PRA) - Business Continuity Plan (PCA)
We systematically propose backup and restore procedures to our customers for the data we host.
Our backup solutions also make it possible to bring into scope data that are not hosted by us, for example data held on remote servers or mobile devices.
In any case, we encourage our customers to define a backup policy (data criticality, backup frequency, backup location, data retention, acceptable restoration times, etc.) and to define their level of requirement for business continuity in the event of a disaster.
Our most sensitive and demanding customers require very high-performance and very high-availability services in all circumstances, 24/7, 365 days a year.
In this case we build multi-server and multi-site architectures with a level of redundancy that allows users to continue normal business, without significant service interruption, even when a major incident occurs on their network.
TAS France Risk Assessment