exoscale.ch
External Program
Submit bugs directly to this organization
Security and safety of your data is something we make an essential
priority at Exoscale. We understand that trusting an external
entity with your data is a difficult step to take.
First and foremost, if you need to get in touch with the team for
critical security purposes, we encourage you to send a PGP-encrypted
e-mail to [email protected], which ensures that only
security-accredited personnel at Exoscale will be able to read it.
We ask that you also use this method to contact us should you discover
any security issue with the service, and that you follow standard
responsible disclosure etiquette. If you expect a financial reward for your
finding, we encourage you to submit a report through our public
[bug bounty program](#bugbounty).
Our [4096-bit RSA PGP](/static/files/publickey.txt) key has the
fingerprint 3B56 0B12 22F9 B377 816A C2AA 17CC 751B 885C 11AD;
it is reproduced below:
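Before trusting a downloaded copy of the key, a reporter should check that its fingerprint matches the one published above. The following shell script is an added example, not part of the Exoscale page or its tooling; it assumes `gpg` (GnuPG 2.1 or later) is installed, and the key file path and report file name are placeholders you supply.

```shell
# Added example: refuse to encrypt a report unless the imported key carries
# the fingerprint published on the page above.
EXPECTED_FPR="3B56 0B12 22F9 B377 816A C2AA 17CC 751B 885C 11AD"

# Normalise a fingerprint for comparison: drop spaces/newlines, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'abcdef' 'ABCDEF'
}

# Pull the primary-key fingerprint out of `gpg --with-colons` output:
# it is the 10th field of the first "fpr" record (subkeys follow later).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only when the key file's primary fingerprint equals EXPECTED_FPR.
# show-only inspects the file without adding it to the keyring.
key_matches_expected() {
    actual=$(gpg --batch --with-colons --import-options show-only \
                 --import "$1" 2>/dev/null | fpr_from_colons)
    [ -n "$actual" ] &&
        [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Encrypt $2 for the verified key in $1, writing "$2.asc" (ASCII-armored).
# Usage (placeholders): encrypt_report ./publickey.txt report.txt
encrypt_report() {
    keyfile=$1
    report=$2
    if ! key_matches_expected "$keyfile"; then
        echo "fingerprint mismatch for $keyfile: refusing to encrypt" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" >/dev/null 2>&1
    # Address the recipient by full fingerprint, never by short key ID.
    gpg --batch --trust-model always --armor \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --encrypt --output "$report.asc" "$report"
}
```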
We host a public bug bounty program on Intigriti. If you are a researcher
and would like to participate, feel free to register and to submit your reports
through the platform. Details regarding services, scope, and rewards can be
found on the [program page](https://app.intigriti.com/programs/exoscale/excoscalebugbounty/detail).
We only operate from locations conforming to the most restrictive
security standards (ISO27001) and we are part of the Cloud Security
Alliance (CSA).
Conforming to recommendations made in these frameworks and standards,
we track all access to datacenters. Only Exoscale staff and accredited
Datacenter personnel have physical access. We keep an audit trail of
access to individual datacenter racks. We also work with trained staff for
operations such as disk changes or hardware reboots.
When drives are decommissioned they are destroyed or cryptographically locked.
Some of our locations are hosted in datacenters operated by Equinix, a
US-based multinational company. Equinix has published a statement regarding
the non-applicability of the US Cloud Act legislation in regards to Equinix
EMEA activity stating that, by their nature, data center services do not fall
within the scope of the activities covered by the Freedom Act and related
legislation. The full statement is available at
https://sos-ch-dk-2.exo.io/datacenters-certification/Equinix-Cloud%20Act%20Statement.pdf.
The operations team at Exoscale is the only team which has actual
access to hypervisors and storage nodes. Strict access control is
maintained and tracked, and credentials are rotated regularly.
We rely on very few external services to maintain the highest possible
level of security and reduce our threat-model to a minimum. We still
can’t do everything by ourselves, so we rely on a few external
providers.
We rely on PCI-DSS compliant services for processing payments:
- Adyen, which processes credit cards.
- PostFinance, which processes legacy credit card records and postcard payments.
- Paypal, which processes Paypal payments.
We do not store any credit card information - only anonymized tokens, as
provided by these services.
We additionally use the online accounting solution provided by Bexio,
a Swiss company with a dedication to security similar to ours, to
provide faster reconciliation of wired payments. As such, invoice
information is duplicated on Bexio.
We only gather website analytics for our public websites (this
website, as well as https://community.exoscale.com). No activity within
our web portal is ever tracked. Our provider for website
analytics is Matomo.
We use https://mailchimp.com to send email campaigns and
newsletters. We do not store address lists at Mailchimp, but
synchronize on a per-campaign basis to avoid storing your email addresses permanently there.
Below this point, we dive in deeper detail on the exact frameworks and standards we adhere to.
You can read on if you are interested in the fine print.
Exoscale has elected the Cloud Security Alliance (CSA) framework in
order to structure and enforce the compliance controls regarding all
aspects of security, with 100 control points dealing with:
- Data Governance
- Facility
- HR
- Information Security
- Legal
- Risk Management
- Security Architecture
We conform to the OCF Level 1, having completed our Cloud Control
Matrix, which maps to the following selected frameworks:
- COBIT
- HIPAA / HITECH Act
- ISO/IEC 27001-2005
- NIST SP 800-53
- FedRAMP
- PCI DSS v2.0
- BITS Shared Assessments
- GAPP
Roles and responsibilities vary with the cloud model chosen. These are
defined by the SPI stack, as described in the CSA guidance:
“The lower down the stack the cloud service provider stops, the more
security capabilities and management consumers are responsible for
implementing and managing themselves.”
Therefore, please note that as an IaaS provider with Exoscale, most
responsibilities and data access control enforcement are on the customer’s
side. Nevertheless, we impose on ourselves a high level of security on all
infrastructure layers, as described in the following sections.
At a general level, concerning data and activities conducted in our Swiss
datacenters, we are mainly subject to the Swiss Code of Obligations.
The purpose of this section is to answer general questions within the
context of Exoscale, providing IaaS Cloud Computing Services to the
customer. We want to bring to your attention in particular the
Data Protection and Export Control obligations.
Concerning data and activities conducted in our Swiss datacenters, we are
mainly subject to the Swiss Federal Data Protection Act
(“DPA”) and the Swiss Federal Data Protection Ordinance
(“DPO”). Unlike most other countries, the Swiss data protection laws
and regulations apply not only to individuals, but also legal entities.
When collecting data, the collector shall ensure that he
- informs data subjects about the data processing and its intended purpose;
- informs data subjects about whether the data will be disclosed to third parties and whether a transfer outside Switzerland is contemplated; and
- obtains any consents required for the data processing.
The DPA provides that the mere act of collecting personal data
constitutes the processing of personal data. Therefore, all legal
requirements which apply to the processing of personal data also apply
to the collection of personal data. Among others, the following
provisions shall be complied with in the processing of personal data:
- Personal data must be processed in good faith; personal data must
  not be collected by misrepresentation or deception; the processing
  of personal data must be proportionate.
- Personal data may only be used for the purpose intended at the time
  of collection.
- The collection of personal data and the purposes for which the
  personal data is processed must be obvious to the person/entity
  from whom personal data are collected.
- Anyone who processes personal data must not breach the privacy of
  the data subjects.
- As a rule, no justification for processing personal data is
  required if the data subjects have made the data generally
  available and have not expressly restricted the data processing.
- A lawful justification for data processing exists if the data
  subject has consented to it, the law provides for it, or the data
  processor has an overriding interest in the data processing.
- The data processing must comply with technical and organizational
  security requirements, especially when processed
  electronically. Personal data must be protected against intentional
  or accidental deletion, accidental loss, technical errors,
  falsification, theft and unlawful use, unauthorized access,
  changes, copying, or other unauthorized processing.
- Data processing may be delegated to a third party under an
  agreement, provided that the third party data processor processes
  data only to the same extent as the person employing the third
  party data processor was authorized to do and that no legal or
  contractual confidentiality obligation prohibits the outsourcing.
The DPA does not permit the disclosure of sensitive data or
personality profiles to third parties without lawful
justification. The consent of the data subject can constitute a lawful
justification. Companies within the same group as the disclosing
entity, i.e. the parent company or subsidiaries are considered third
parties and the sharing of personal data within a group is deemed to
be a disclosure to third parties for the purposes of the DPA.
The DPA prohibits a transfer of personal data abroad if it could
seriously endanger the personal rights of the data subjects. If the
legislation of the foreign country does not afford adequate protection
for the personal data to be transferred or accessed, under Swiss data
protection laws and regulations, transfer or access outside
Switzerland is not allowed, except in certain restricted cases which
have to meet specific requirements with respect to such disclosure
abroad. In the latter case, the Federal Data Protection and
Information Commissioner must be informed of the safeguards or rules
used before the first transfer of data is made, or if that is not
possible, immediately after the disclosure has occurred. Please note that
we do NOT transfer data outside of the country where it was initially uploaded.
For example, data uploaded in one of our Swiss zones is stored in
Switzerland only.
Products, software or technical information provided or used in
connection to the services may be subject to export laws and
regulations of Switzerland and other countries. Any use or
transfer of the products, software or technical information must be
in compliance with all such applicable regulations.
The procedures and policies for responding to a request for data or
information disclosure from governmental authorities depend mainly on the
treaties entered into with the requesting country. In broad terms, exchange
of information between countries may be requested within the context of:
- criminal proceedings, or
- tax fraud or tax evasion.
More precisely:
(i) In case of criminal proceedings, information can be exchanged by
way of mutual legal assistance in criminal matters (“MLA”) based on
multi- or bilateral agreements or in accordance with the Federal
Act on International Mutual Assistance in Criminal Matters. For
instance, with respect to the Schengen States, the Federal Law on
Exchange of Information between Criminal Proceedings Authorities
between Switzerland and the Schengen States shall apply.

(ii) In case of tax fraud or tax evasion, when foreign tax authorities
are involved, the exchange of information is carried out by means of
administrative assistance within the legal framework of bilateral
double taxation agreements (“DTAs”). In the case of tax related
criminal proceedings, information can alternatively be exchanged
according to section (i) above. In particular, the OECD
has concluded a model double taxation agreement with Switzerland,
which provides pursuant to Article 26 for a system of administrative
assistance among the tax authorities of the signatory countries,
according to which States shall exchange information that is
foreseeably relevant to the correct application of a tax convention as
well as for purposes of the administration and enforcement of
“domestic tax laws” of the contracting States upon specific
request. Any information received thereunder by a contracting State
shall be treated as secret. Such persons or authorities shall use the
information only for such purposes. They may disclose the information
in public court proceedings or in judicial decisions. To date,
Switzerland has adopted or renegotiated over 35 Article 26-friendly
DTAs. However, the cases where we would be requested directly to
transfer data that is stored on our cloud, but that is owned by the
customer, seem to be extremely limited. One possibility would
be a case where the customer refuses to transfer data stored by us as
requested by competent authorities and such authorities would then
request us to provide the relevant information directly. In such an
event we would obviously comply with the request, but would promptly
inform the customer of the situation to the extent legally possible.
The USA Patriot Act applies to
- US entities,
- affiliates and subsidiaries of US entities throughout the world,
- servers located in the US independently from the nationality of the
  entities which operate them, and
- data hosted in Europe by US entities.
Our company is based in Switzerland and does not have any affiliate or
subsidiary in the United States. Furthermore, our cloud is hosted in
leading data center companies in Switzerland. The data is stored in
Switzerland and not in the US. Thus, we are not subject to the USA Patriot
Act. However, if a customer is related to entities in the US or servers
located in the US, the customer’s data may be subject to the USA
Patriot Act.