Security and GDPR
LAST UPDATE: DECEMBER 08, 2023
Cloud-Runner is committed to keeping customer data safe and secure. If you discover a potential security issue with a Cloud-Runner service, we want to know!
If you are dealing with any European Union data through a vendor (like Cloud-Runner), then you need a contractual agreement in place with each vendor so the EU knows you’re only doing business with companies that fully comply with the General Data Protection Regulation (GDPR).
1. PCI DSS
Cloud-Runner’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.
Cloud-Runner does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.
2. Vulnerability Disclosure
If you would like to report a vulnerability or have any security concerns with a Cloud-Runner product, please contact support+security@cloud-runner.com. This will give us a structured way to track and respond to your concerns, usually within 24 hours.
Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.
We also have an open bug bounty for critical vulnerabilities report.
3. Data Sovereignty and Compliance Assurance
In alignment with the General Data Protection Regulation (GDPR) and the French Data Protection Act, Cloud-Runner guarantees that all client data is stored and processed solely within France. This commitment ensures that our clients’ data remains under the stringent data protection regulations of the European Union and France, and is not subject to export under jurisdictions with differing privacy laws, such as the United States.
Our infrastructure relies on our own servers in certified French data centers and, for backup, on services from Scaleway, a Paris-based provider. This strategic choice assures that our data handling strictly conforms to EU and French regulations, providing an unequivocal guarantee against data transfer to countries like the USA, where laws such as the Cloud Act may apply.
By choosing Cloud-Runner, you are assured of complete data sovereignty, safeguarded within the legal frameworks of the EU and France, without the risk of jurisdictional ambiguities or external legislative influences.