Acronis maintains a comprehensive information security and compliance program that includes administrative, physical and technical controls based on ongoing risk assessment. Our information security policies and processes are based on broadly accepted international security standards such as ISO 27001 and the National Institute of Standards and Technology (NIST), and take into account the requirements of related local regulation frameworks such as Europe’s General Data Protection Regulation (GDPR) and the United States’ Health Insurance Portability and Accountability Act (HIPAA).
Acronis hosts data and cloud products at trusted geographically-distributed data centers in the U.S., U.K., Switzerland, France, Germany, Japan, Singapore, and other locations. Customers maintain the right to choose and control which region or data center stores their data, making it easy to ensure compliance with regional requirements for data placement, as in the case of GDPR.
The data centers employ the highest standards of physical security to restrict unauthorized physical access and protect the safety of customer data. Only authorized personnel have access to the data centers, based on strict access management, control protocols, and monitoring by surveillance cameras (CCTV).
The data centers’ electrical power systems are designed to provide uninterrupted power supply to the entire infrastructure 24 hours a day, 7 days a week. The data centers are powered by at least two independent power sources. The use of automatic uninterruptible power supplies protects against power surges in case of switching power lines and provides power support during the switchover to diesel generators.
High-availability and redundant infrastructure are designed to minimize associated risks and eliminate single points of failure.
This redundant infrastructure allows Acronis to fulfill most types of preventives and maintenance without service interruption. Scheduled maintenance and change to the infrastructure are carried out in accordance with the manufacturers’ specifications and internal documented procedures.
For all critical assets, Acronis maintains business continuity and disaster recovery plans that are periodically tested. Recovery point and time objectives for cloud services are established according to criticality of their architectures and service features.
Acronis provides real-time encryption for all data transferred among customers and data centers, among Acronis employees and data centers and among the data centers. This real-time encryption provides the best protection for network interaction and prevents unauthorized access (reading, changing or deleting or making copies) to the transmitted data.
The Acronis network is multi-layered and zone-based. The managed network equipment separates and isolates internal, external and customers’ environments, and provides routing and filtering of network protocols and packets.
To ensure network security and minimize the risks of external penetration, Acronis uses a web application firewall (WAF) which include instant protection against SQL injection, cross-site scripting, unauthorized resource access, remote file inclusion, and other OWASP (Open Web Application Security) threats.
Acronis uses HTTPS (TLS) secure data transfer protocols with crypto-strong encryption algorithms and provides security of cryptographic key exchange (Diffie-Hellman) to protect the transmitted data and reduce the risks of compromised key information.
Acronis has implemented an enterprise-wide access control policy to restrict access to information resources and data in accordance with official duties. Access provisioning is based on the «Need to Know» and «Least Privileges» principles.
Internal access control procedures detect and prevent unauthorized access to Acronis systems and information resources. When providing access, Acronis uses centralized access control systems with secure mechanisms and authentication protocols (LDAP, Kerberos, SSH certificates), unique user IDs, strong passwords, two-factor authentication mechanisms and limited control access lists to minimize the likelihood of unauthorized access.
In addition, any access is recorded in system audit logs, changes to which are not allowed. The audit logs are periodically reviewed.
Acronis Cloud environment is a multi-tenant environment, so the architecture of the Acronis cloud services provides physical and logical isolation and separation of Customers’ data to ensure processing of the minimum amount of data in accordance with the stated processing purposes.
Acronis stores customer data employing its own software-defined storage solution, Acronis Storage with Acronis CloudRAID technology. Acronis Storage delivers fast, universal, protected, efficient, and proven storage that unites block, file, and object workloads.
The disks and equipment on which the data storage and / or processing are carried out can be broken, switched out for repair or decommissioned. In these cases, Acronis takes measures aimed at a complete erasure of data from disks and the removal of residual data from the internal memory of the equipment according to NIST SP 800-88rev1. In the event that it is not possible to erase (delete) such information, physical destruction of equipment is performed in a way that makes it impossible to read (restore) such data.
Its personnel are Acronis most important asset. Personnel are obligated to comply with Acronis’ confidentiality, business ethics and code of conduct policies. Acronis pays special attention to the selection of personnel by conducting appropriate background verification checks on candidates for employment in accordance with applicable local laws, statutory regulations and ethics.
All employees receive awareness education and training regarding information security, privacy protection and data processing, as is appropriate relative to their job functions and assigned roles.
Before contracting with any third-party subprocessor or service provider, Acronis conducts a thorough diligence process to ensure each third party can provide an appropriate level of security and privacy corresponding to the level of data access. Contracts with third parties contain information security, privacy and confidentiality requirements. During the term of each contract, Acronis regularly monitors and reviews the third party’s security controls, service delivery and compliance with contractual requirements.
Acronis continually monitors its Information Security Program to detect and respond to new information security risks in a timely manner.