New product: Protecting Entra ID is now effortless with Redstor.Find out more.

Data Protection Addendum to Redstor EULA

Publish date (01/08/2024)

This Data Processing Addendum (“DPA”) is an addendum to the Redstor End User License Agreement found at https://www.redstor.com/end-user-licence-agreement/ as updated from time to time (the “EULA”), between Redstor Limited(registered in England with company number 03556110) whose registered office is at St James Wharf, 99 – 105 Kings Road, Reading, Berkshire, England, RG1 3DD or Redstor Africa (PTY) Ltd with offices at Gabba Building Ground Floor, The Campus, 57 Sloane St, Bryanston, Johannesburg, 2021, South Africa, as applicable, (“Redstor”) and the customer who has subscribed to the Redstor Service as defined in the EULA (“Customer”), and will be incorporated by reference into, and subject to the terms and conditions of, the EULA. In the event of any inconsistency or conflict between this DPA and the EULA with respect to the Processing of Personal Data, the terms of this DPA will govern solely to the extent of such inconsistency or conflict.

This DPA sets out the terms that apply when Personal Data is Processed by Redstor under the EULA. The purpose of the DPA is to ensure such Processing is conducted in accordance with the Data Protection Laws and respects the rights of individuals whose Personal Data is Processed under the EULA. This DPA applies to Redstor and any Redstor affiliate involved in the Processing of Personal Data.

1. Definitions

In this DPA, unless otherwise stated, all of the definitions stated in the EULA shall apply herein and in addition:

1.1 “Data Privacy Framework” means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time.

1.2 “Data Subject” means an individual to whom Personal Data relates.

1.3 “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.

1.4 “Sale” and “Selling” have the meaning defined in U.S. Privacy Laws.

1.5 “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

1.6 “Standard Contractual Clauses” or “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third party countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN

1.7 “Supervisory Authority” will have the meaning ascribed to it in the GDPR.

1.8 “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022) as amended.

1.9 “U.S. Privacy Laws” means U.S. privacy and data protection laws and regulations applicable to Redstor’s Processing of Personal Data in the provision of the Service to Customer, including, as applicable, (a) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”); (b) Colorado Privacy Act, Colorado Rev. Stat. §§ 6-1-1301 to 6-1-1313; (c) Connecticut Personal Data Privacy and Online Monitoring Act, Public Act No. 22-15); (d) Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 to 13-61-404); and (e) Virginia Consumer Data Protection Act, Virginia Code Ann. §§ 59.1-575 to 59.1-585.

1.10 The terms “Business,” “Share,” and “Service Provider” as used in this DPA will have the meanings ascribed to them in the CCPA.

2. Processing of Data

2.1Scope and Purpose of Processing. This DPA applies only where and to the extent applicable Data Protection Laws govern Redstor’s Processing of Personal Data on behalf of Customer in the course of providing the Service pursuant to the EULA, including Redstor’s Processing of Personal Data for the nature, purposes, and duration set forth in Annex I.  Redstor will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party Personal Data except to provide the Service or as expressly permitted by the EULA or this DPA.  The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on your behalf, are specified in Annex I.

2.2Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Redstor is a Processor of Personal Data under the Data Protection Laws; (b) Customer is a Controller or Processor, as applicable, of Personal Data under the Data Protection Laws; and (c) each party will comply with the obligations applicable to it under the Data Protection Laws regarding the Processing of Personal Data.

2.3Authorization by Third-Party Controller. If Customer is a Processor, Customer warrants to Redstor that Customer’s instructions and actions with respect to Personal Data, including its appointment of Redstor as another Processor, have been authorized by the relevant Controller.

2.4Customer Instructions. Customer instructs Redstor to Process Personal Data: (a) in accordance with the EULA, this DPA, any applicable order, and Customer’s use of the Service; and (b) to comply with other reasonable instructions provided by Customer or a user where such instructions are consistent with the terms of the EULA. Customer will ensure that its instructions for the Processing of Personal Data comply with the Data Protection Laws. Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer obtained the Personal Data. Customer will disclose Personal Data to Redstor solely pursuant to a valid business purpose.

2.5Redstor’s Compliance with Customer Instructions. Redstor will only Process Personal Data in accordance with Customer’s instructions. Redstor may Process Personal Data other than on the written instructions of Customer if it is required under applicable law to which Redstor is subject. In this situation, Redstor will inform Customer of such requirement before Redstor Processes the Personal Data unless prohibited by applicable law.

2.6Assistance with Customer’s Obligations. Redstor provides Customer the ability to access, correct, amend, restrict, block or delete Personal Data contained in the Service. Redstor will promptly comply with reasonable requests by Customer to assist with such actions to the extent Redstor is legally permitted and able to do so. Redstor may charge a reasonable fee for any assistance not strictly required by Data Protection Laws.

2.7Notification Obligations. Redstor will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Personal Data relating to such individual. Redstor will forward such Data Subject request relating to Personal Data to Customer and Customer will be responsible for responding to any such request.  Redstor will provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Service.

2.8General Authorization for Subprocessors. Customer generally authorizes the use of subprocessors to process Personal Data in connection with fulfilling Redstor’s obligations under the EULA and/or this DPA and explicitly approves the list of subprocessors located at https://www.redstor.com/sub-processors/.

2.9New Subprocessors. When Redstor engages a new subprocessor to Process Personal Data, Redstor will, at least thirty (30) days before the new subprocessor Processes any Personal Data, notify Customer by notification either within Customer’s account and/or written notification and/or updating its list of subprocessors located at https://www.redstor.com/sub-processors/and give Customer the opportunity to object to such subprocessor. If Customer has reasonable grounds under applicable Data Protection Laws to object to Redstor’s change in subprocessors related to data protection concerns, Customer shall notify Redstor promptly within thirty (30) days after Redstor’s notification. Upon such objection, Redstor will use reasonable efforts to find an acceptable, reasonable, alternate solution; otherwise, Customer may suspend or terminate the Service.  If a Customer subscribing direct with Redstor terminates its subscription for this reason, Redstor will promptly refund any fees paid in advance by Customer to Redstor pro rata.

2.10Redstor Obligations. Redstor will remain liable for the acts and omissions of its subprocessors to the same extent Redstor would be liable if performing the service provided by the subprocessor directly. Redstor will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Redstor under this DPA.

2.11Documentation ofCompliance andAudit Rights. The Parties shall be able to demonstrate their compliance with this DPA. Redstor shall deal promptly and adequately with inquiries from Customer about the processing of its Personal Data in accordance with the applicable Data Protection Laws. On request, Redstor shall provide Customer (or auditors mandated by the Licensee) with a copy of any applicable third party certifications and audits performed by Redstor to the extent made generally available to its customers. Such information shall be confidential to Redstor and shall be Redstor’s Confidential Information as defined in the EULA.

Upon Customer’s written request by email to [email protected] no more than once per year, Redstor will provide a copy of any recent third-party audits or certifications, as applicable, or any summaries thereof, such that Customer may reasonably verify Redstor’s compliance with the technical and organizational measures required under this DPA. In the event that the Customer, acting reasonably, deems the information provided in accordance with this paragraph insufficient to satisfy its obligations under Data Protection Laws, and where required by applicable Data Protection Laws, Redstor will allow Customer or a mutually agreed upon independent auditor appointed by Customer to conduct an audit (including inspection), no more than once per year, upon 60 days’ prior written notice sent to [email protected] complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. Redstor will contribute to such audits whose sole purpose will be to verify Redstor’s compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement reasonably acceptable to Redstor before conducting the audit. The audit must be conducted during Redstor’s normal business hours, subject to Redstor’s policies, and may not unreasonably interfere with Redstor’s business activities. Any audits are at Customer’s sole cost and expense.

2.12Subprocessor Agreements. At Customer’s written request, Redstor shall provide to Customer a copy of its sub-processor agreements and any subsequent amendments. To the extent necessary to protect business secret or other confidential information, including personal data, Redstor may redact the text of the agreement prior to sharing the copy. All such copies are Confidential Information of Redstor and may not be shared by Customer with any third party other than Supervisory Authorities as required under applicable Data Protection Laws.

2.13Separate Service. Any request for Redstor to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer will reimburse Redstor for any time spent for such separate services for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by Redstor. Customer will promptly notify Redstor with information regarding any non-compliance discovered during the course of an audit.  All such audit results shall be kept strictly confidential by Customer and only shared with Redstor or, if required under applicable Data Protection Laws, with Supervisory Authorities.

2.14Limits on Auditing Party. Nothing in this DPA will require Redstor to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (a) any data of any other user or customer of Redstor; (b) Redstor’s internal accounting or financial information; (c) any trade secret of Redstor; (d) any premises or equipment not controlled by Redstor; or (e) any information that, in Redstor’s reasonable opinion, could: (i) compromise the security of Redstor’s systems or premises; (ii) cause Redstor to breach its obligations under Data Protection Laws or the rights of any third-party; or (iii) any information that an independent auditor seeks to access for any reason other than the good faith fulfilment of Customer’s rights under applicable Data Protection Laws. Customer will contractually impose, and designate Redstor as a third-party beneficiary of, any contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable Data Protection Laws.

3. GDPR

3.1Applicability. This paragraph 3 only applies to Redstor’s Processing of Personal Data subject to GDPR.

3.2Data Privacy Impact Assessments. Redstor will take reasonable measures to cooperate and assist Customer in conducting a data protection impact assessment and related consultations with any Supervisory Authority, if Customer is required to do so under Data Protection Laws.

3.3International Transfers. The parties will transfer Personal Data internationally only pursuant to a transfer mechanism valid under the Data Protection Laws or applicable law, i.e. a valid mechanism in the exporting country. For example, in the case of transfers from within the European Economic Area or the United Kingdom to another country, a scheme which is approved by the European Commission or the UK Government as ensuring an adequate level of protection or any transfer which falls within a permitted derogation.

3.4Transfer Mechanism. In the event there is more than one mechanism to transfer Personal Data from the European Economic Area, United Kingdom, and/or Switzerland to countries which do not ensure an adequate level of data protection under the Data Protection Laws, the transfer of Personal Data will be subject to a single transfer mechanism as applicable: (a) the Data Privacy Framework; (b) a valid transfer mechanism approved for transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland; or (c) the SCCs and/or the UK Addendum, each as applicable.

3.5European Economic Area Data Transfers: If applicable based on paragraph 3.4, Redstor and Customer conclude Module 2 (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a third-party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Redstor; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 2 of this DPA; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of the Netherlands; the courts in Clause 18(b) are the courts of Amsterdam, Netherlands; Annex I, II and III to the SCCs are Annex I, II and III to this DPA respectively.

3.6UK Data Transfers: If applicable based on Section 3.4, Redstor and Customer conclude the UK Addendum, which is hereby incorporated and applies to Personal Data transfers outside the UK. Part 1 of the UK Addendum is completed as follows: in Table 1, the “Exporter” is Customer and the “Importer” is Redstor, their details are set forth in this DPA and the EULA; in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs; in Table 3, Annexes 1 (A and B) to the “Approved EU SCCs” are Annex I, II and III to this DPA respectively; and in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

3.7Changes to Transfer Mechanism. If Redstor’s compliance with Data Protection Laws applicable to international data transfers is affected by circumstances outside of Redstor’s control, including if a legal instrument for international data transfers is invalidated, amended, or replaced, then Customer and Redstor will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative transfer mechanisms, standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Redstor reserves the right to choose the transfer mechanism of its preference, and amend the EULA and this DPA by adding to or replacing, the existing transfer mechanism; provided that Redstor will ensure continued compliance with Data Protection Laws.

3.8Applicability of the Standard Contractual Clauses. When utilized, the SCCs and the UK Addendum concluded between the parties pursuant to this Section 3 will only apply insofar as strictly necessary for Redstor to comply with the application or Data Protection Laws.

4. U.S. Privacy Laws

4.1Applicability. Section 4 only applies to Redstor’s Processing of Personal Data subject to U.S. Privacy Laws.

4.2Compliance Assurance. If the provision of information provided pursuant to paragraph 2.11 above does not fulfil the requirements of the applicable U.S. Privacy Laws, Customer has the right to take reasonable and appropriate steps to ensure that Redstor uses Personal Data consistent with Customer’s obligations under applicable U.S. Privacy Laws.

4.3Compliance Remediation. Redstor shall promptly notify Customer after determining that it can no longer meet its obligations under applicable U.S. Privacy Laws. Upon receiving notice from Redstor in accordance with this paragraph, Customer may direct Redstor to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.

4.4Limitations on Processing. Redstor will Process Personal Data solely as described in the EULA and this DPA. Except as expressly permitted therein or by the U.S. Privacy Laws, Redstor is prohibited from (a) Selling or Sharing Personal Data, (b) retaining, using, or disclosing Personal Data for any other purpose, (c) retaining, using, or disclosing Personal Data outside of the direct business relationship between the parties, and (d) combining Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer or its users, except as expressly permitted under applicable U.S. Privacy Laws.

4.5Deletion Requests. Redstor shall not be required to delete any Personal Data to comply with a Data Subject’s request directed by Customer if retaining such information is specifically permitted by applicable U.S. Privacy Laws; provided, however, that in such case, Redstor will promptly inform Customer of the exceptions relied upon under applicable U.S. Privacy Laws and Redstor shall not use Personal Data retained for any purpose other than provided for by that exception.

4.6Deidentified Data. In the event that Customer discloses or makes available deidentified data (as such term is defined in the U.S. Privacy Laws) to Redstor, Redstor shall not attempt to reidentify the information.

4.7Sale of Data. The parties acknowledge and agree that the exchange of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the EULA or this DPA.  Redstor will never sell Customer’s Personal Data.

5. Security

5.1Redstor Personnel. Redstor will inform its personnel engaged in the Processing of Personal Data of the confidential nature of the Personal Data, and subject them to obligations of confidentiality that survive the termination of that individual’s engagement with Redstor.

5.2Third Party Disclosure. Redstor will not disclose Personal Data to any third party unless authorized by Customer or required by law. If a government entity (including a law enforcement agency) or Supervisory Authority demands access to Personal Data, Redstor will attempt to redirect the requestor to request the data directly from Customer or notify Customer prior to disclosure, in each case unless prohibited by law.

5.3Security. Redstor shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the Personal Data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

6. Security Breach

6.1Notification Obligations. Upon becoming aware of any Security Incident affecting Personal Data, the parties shall notify each other without undue delay and shall provide timely updates and information relating to the Security Incident as it becomes known or as is reasonably requested by the other party. Such information will include the nature of the Security Incident, the categories and number of Data Subjects affected, the categories and amount of Personal Data affected, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident and mitigate possible adverse effects. Redstor’s obligations in this paragraph 6 do not apply to Security Incidents that are caused by Customer or Customer’s personnel or users or to unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

6.2Manner of Notification. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s business, technical or administrative contacts by any means Redstor selects, including via email. It is Customer’s sole responsibility to maintain accurate contact information on Redstor’s systems at all times. Furthermore, it is Customer’s sole responsibility to notify the relevant data protection Supervisory Authority and, when applicable, the Data Subjects of a Security Incident as required under the Article 33 and 34 of the GDPR. Redstor will promptly comply with reasonable requests by Customer to assist it with meeting such notification requirements to the extent Redstor is legally permitted and able to do so.

7. Term and Termination

7.1Term of DPA. This DPA will remain in effect until, and automatically expire upon, deletion of all Personal Data as described in this DPA or when the Customer no longer maintains a subscription to the Service.

7.2 Without prejudice to any provisions of applicable Data Protection Laws, in the event that Redstor is in breach of its obligations under this DPA, Customer may instruct Redstor to suspend the processing of Personal Data until Redstor complies with this DPA or the EULA is terminated. Redstor shall promptly inform Customer in case it is unable to comply with this DPA, for whatever reason.

7.3 Customer shall be entitled to terminate the EULA and its subscription to the Services insofar as it concerns processing of Personal Data in accordance with this DPA if:

(a) the processing of Personal Data by Redstor has been suspended by Customer pursuant to paragraph 7.2 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;

(b) Redstor is in substantial or persistent breach of this DPA or its obligations under applicable Data Protection Laws;

(c) Redstor fails to comply with a binding decision of a competent court or the competent Supervisory Authority/ies regarding its obligations pursuant to this DPA or to applicable Data Protection Laws.

7.4 Redstor shall be entitled to terminate the EULA and Customer’s subscription to the Services insofar as it concerns processing of Personal Data under this DPA where, after having informed Customer that its instructions infringe applicable legal requirements, Customer insist on compliance with the instructions.

7.5Deletion of Personal Data. Redstor will delete Personal Data in its possession within 30 days of: (a) receipt of a Customer request that Redstor delete Customer’s account and all associated user accounts; or (b) the date that Customer’s subscription to the Service expires or is terminated. Prior to deletion, Redstor will make any Personal Data in its possession available for download by Customer. Redstor has no obligation to retain any portion of Personal Data after such period except to the extent that Redstor is required under applicable law to keep a copy of the Personal Data.

8. Amendment

8.1Amendment. Redstor may amend this DPA from time to time. When changes are made, Redstor will make a new copy of the DPA available at https://www.redstor.com/data-protection-addendum-to-redstor-eula/ To the extent an amendment is required to comply with applicable Data Protection Laws, it will become effective immediately; otherwise, it will be effective upon renewal of Customer’s subscription to the Service.

Annex I

Subject-matter of processing:

Performance of respective rights and obligations under the EULA and delivery and receipt of the Services under the EULA; 

Duration of the processing:

Until the earlier of final termination or final expiry of the EULA, except as otherwise expressly stated in the EULA; 

Nature and purpose of the processing:

Processing in accordance with the rights and obligations of the parties under the EULA; 

processing as reasonably required to provide the Services; and 

processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by the Customer, in each case in a manner consistent with the EULA; 

Type of Personal Data:

Personal Data including legal and other names, titles, positions, e-mail addresses, and phone numbers as further outlined in the EULA; 

Categories of Data Subjects:

Categories of data subjects including customers, service providers and employees as further outlined in the EULA. 

COMPETENT SUPERVISORY AUTHORITY

Identify the competent Supervisory Authority/ies.

The competent authority for the processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner and in the EU: the Data Protection Commission in Ireland.

Annex II

Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data

Data Protection Measures

Documented herein are some of the core technical and non-technical measures implemented to ensure that customer data is protected. The measures summarised within are some of the measures taken to safeguard data. This is not a definitive account of all measures or controls in place.  Further information regarding specific controls can be provided on request.

Certifications and Examinations

Redstor maintains certification in ISO9001 (Quality), ISO27001 (Information Security), ISO22301 (Business Continuity) and has undertaken Type 2 SOC2 (Service and Organisation Controls) examinations. Furthermore, the Redstor service for customers in the United States undertook a Type 1 HIPAA (Health Insurance Portability Accountability Act) examination.

The certifications and examinations demonstrate that Redstor have the internal processes in place to ensure high levels of service. Furthermore, Redstor undertake annual external audits by accredited and licenced third parties to ensure compliance with the above. In accordance with ISO 27001 and SOC2 Redstor has implemented a number of technical and non-technical controls. These ensure adherence to the requirements of these standards which fundamentally are there to protect the security, availability, integrity and confidentiality of our customers’ data.  

Awareness Training 

In accordance with ISO27001, SOC2 and HIPAA, Redstor has implemented information security and cyber security awareness training for its employees. New employees undertake ISO and related training on commencement of employment and existing employees undertake annual refresher training. Furthermore, interactive cyber security awareness training is provided to all employees on a monthly cadence.      

Encryption

Summary

As per the service description, to reduce the risk of unauthorised access to customer data and to ensure the security of the service, Redstor encrypts data at source using 256-bit AES (GCM) encryption. This data is further protected using 128-bit TLS ciphers during transmission. Encryption is managed using keys. Encryption keys are unique to every backup account and are chosen by the customer or generated by the software in the case of cloud native backups. Data cannot be read without the encryption key and at no point are these encryption keys visible to Redstor employees.    

ESE Agent Security

Each Redstor account has its own encryption key, which is used to encrypt that account’s data during the backup process. The encryption key is essential to recovery and is neither retrievable nor readable unless a Group Certificate is present. If the encryption key is lost or forgotten, there is no way to access the backed-up data, not even for Redstor employees.

During the backup process, data blocks are compressed with LZ4 and then encrypted on the Agent using the user’s encryption key specified when the account was created. This encryption occurs prior to data being transferred to the Redstor Cloud. TLS is used to authenticate the data transfer and to create a secure session between the Agent and the Redstor Cloud.

We use a symmetric-key cryptographic block cipher, 256-bit Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) or AES-GCM to ensure authenticated encryption, guaranteeing the integrity of your data. Through AES-GCM, the integrity of each block of data is verified using its inherent checksum before being stored on the Redstor Cloud. Files that have become corrupt or are missing on the Redstor Cloud (due to disk corruption, for example) are identified by integrity checks and are retransmitted to the Redstor Cloud at the start of each backup.

During a backup, the Agent maintains a rolling buffer of data transmitted to the Redstor Cloud. Whenever a connectivity drop and subsequent reconnection to the Redstor Cloud occurs, the service resumes from the exact position of interruption, seamlessly continuing the backup without having to start at the beginning of the file. This is especially useful when large files are being transferred. For more information on how ESE maintains data integrity, see Article on our support site 1102 https://support.redstor.com/hc/en-gb/articles/360007741113.

Cloud Security

Each Cloud account within a backup set has its own encryption key. Since the Cloud to Cloud backups are run by a single administrator of a tenant with many users, an encryption key is randomly generated for each of these Cloud accounts. The encryption keys are never presented to anyone and cannot be retrieved. 

The encryption key is then secured in Azure Key Vault to ensure it is neither available nor visible to anyone. The only entity that has access to this Key Vault is the Cloud to Cloud application itself, which is also hosted in the same Cloud region in Azure.

InstantData recovery requires an account and encryption key to initiate a recovery. However, it is not secure to return an encryption key to an administrator. Instead, a short-lived session is created by the Cloud to Cloud application. A link is generated from this session which allows a user to recover data for a limited period without needing to enter their encryption key. The link is only valid until the session expires.

During the backup process, data blocks are compressed with LZ4 and then encrypted using the encryption key specified when the account was created. This encryption occurs prior to data being transferred to the Redstor Cloud. TLS is used to authenticate the data transfer and to create a secure session between the account and the Redstor Cloud.

Redstor uses a symmetric-key cryptographic block cipher, 256-bit Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) or AES-GCM to ensure authenticated encryption, guaranteeing the integrity of customer data. Through AES-GCM, the integrity of each block of data is verified using its inherent checksum before being stored on the Redstor Cloud. Files that have become corrupt or are missing on the Redstor Cloud (due to disk corruption, for example) are identified by integrity checks and are retransmitted to the Redstor Cloud at the start of each backup.

If the connection to the Redstor Cloud is interrupted, the backup service resumes seamlessly, starting again at the beginning of the interrupted file.

Vulnerability and Penetration Testing

Redstor performs monthly vulnerability testing on its website and annual penetration testing on the Redstor environment to minimise the risk of a data breach. These tests are carried out by a CREST approved, independent third party. Additionally, Redstor has implemented appropriate measures to ensure security by design to meet the requirements of data protection legislation and to protect the rights and freedoms of individuals (data subjects). To mitigate the risks associated with availability and data loss Redstor maintains two offsite copies of customer data, one copy in the primary data centre and another in the secondary data centre. These sites are equipped with redundancy at multiple levels of the data centre and infrastructure stacks.

Patch Management

In accordance with information security compliance requirements, Redstor ensures that all systems, inclusive of those internal to Redstor and our public production services, are patched (updated) monthly as a minimum. Critical updates will be applied as soon as is possible. 

Access Control 

In accordance with information security compliance requirements, Redstor applies the “principle of least privilege” regarding access rights and access control as per our Access Control Policy. This approach reduces the number of employees with access to restricted systems. It strictly ensures that only those in roles which require access will be authorised for systems use. Ensuring our employees have access to that which is necessary to execute their role’s responsibilities is fundamental to our approach to securing identity and access management of our systems. The process is managed through the lifecycle of employment.

Physical Security

Redstor data centre facilities feature an abundance of physical security controls. These include, gated perimeters, number plate recognition for vehicles, 24/7/365 manned security personnel, man traps, surveillance cameras, alarm systems, biometric access control and card-based access control as a second factor of authentication. Further information regarding the security and availability of Redstor data centre locations is available on request.

Redstor office locations, are equipped with physical door locks, card-based access controls, surveillance cameras and an alarm system.

Change Management    

In accordance with information security compliance requirements, Redstor maintains a Change Management Policy. Change management helps ensure and protect our customers’ data. By carefully considering and assessing changes within Redstor it is possible to identify those changes that may have an impact on customer data either directly or indirectly. Changes are managed as per the policy and consider a risk analysis of the proposed change(s). Changes are reviewed prior to being accepted. Changes are also reviewed having been implemented. Any items or stakeholders associated with a change, such as related documentation, will be updated or in the case of personnel, will be communicated with. Further information regarding change management can be provided on request.

Annex III

List of Sub-Processors

A list of sub-processors can be found at https://www.redstor.com/sub-processors/