Contents x
    Data Residency in SAFE
    • 4 Minutes to read
    • Print
    • PDF
    Contents

    Data Residency in SAFE

    • 4 Minutes to read
    • Print
    • PDF
    Article Summary

    Overview

    As a customer, when you sign up for SAFE, you are essentially allocated a tenant. As part of this process, you can select a region where the application data is stored. Currently, SAFE is hosted in the following AWS regions:

    GeographyRegion
    USN Virginia
    EUFrankfurt, Germany
    Middle- EastBahrain
    APACMumbai, India
    Sydney, Australia
    Singapore
    UKLondon

    There aredifferent types of data collected, processed, and managed by SAFE. Most of the data managed by SAFE is always kept in the chosen geographic region. Certain data is stored in our global data center.

    The table below illustrates data storage from a residency point of view.

    Data pinning to regions

    Data that is stored in the selected region and encrypted by a tenant KMS keyData that cannot be stored in the selected region
    • Policy assessment data.
    • Assessment data under technology verticals. This includes assessment data generated by CA and VA scans. 
    • Asset Groups and Policies configuration data.
    • Cyber Security Products Assessment data.
    • Compliance data.
    • Controls status, comments, and evidence against controls.
    • Third-party assessment data.
    • Financial Risk Exposure data.
    • ATT&CK Matrix data.
    • Generated reports from the product.
    • Credentials and configuration entered in the product for configuring integrations with 3rd party software.
    • Asset management and asset onboarding data.
    • Local Users settings.
    • Company Management settings.
    • Governance Management settings.
    • Assessment tool settings and ingested data from any integrated input tools.
    • Management tool settings and ingested data from any integrated input tools.
    • General product settings configured via the SAFE UI under Administration->Settings panel.
    • All SAFE scores, except People scores.
    • All Backups 
    • Any data that is the outcome of processing of assessment and CRQ except the one explicitly mentioned otherwise.
    • Application and audit logs in containers are stored in the chosen region and custom encrypted per tenant. Application and audit logs in AWS CloudWatch are stored in the chosen region using a common encryption key. SAFE Security reserves the right to allow approved support personnel to debug the logs.
    • SAFE People - Data is stored in the global data center and includes:
      • SAFE Me mobile assessment data
      • SAFE People Campaign data
      • SAFE People Score
    • Telemetry data
      • Customers have the option to share telemetry data through an option available in SAFE Web UI. If this option is turned on, the telemetry data is collected and processed in the global data center.
    • SAFE ID
      • This is the signup id of the customer. 
      • SAFE uses AWS Cognito in the global data center to manage SAFE ID.
    • Relay server allows Windows and Mac agents, which are not in the customer network but connected to the internet can send their assessment data via https://relay.safescore.ai.
      • This server does not store any assessment data. This server is hosted in theglobal data center.
    • SAFE Security reserves the right to allow approved support personnel to debug the logs.
    • Email notifications are sent from globally configured AWS-based email service for all customers if enabled.
    • SMS and Voice call notifications are sent from globally configured Twillo service for all customers if enabled.

    FAQs 

    Why is SAFE ID not regional?

    SAFE uses AWS Cognito for secure user signup and user access control. This is a single service that globally manages all the new user sign-ups for SAFE. For this purpose, user management is centralized for all the regions. The data that is stored in this single service includes email id, password (managed by AWS), and any metadata configured during SAML setup like the first name, last name, department, and mobile number. Except for the email id, every other user information is optional.
    Customers who do not want to manage users separately in SAFE may also choose to configure SSO with SAFE using SAML 2.0.

    Why is SAFE People data not region-specific?

    SAFE Me collects assessment data per employee. Employees either use the SAFE Me mobile app or Web portal for cyber awareness training. It was organically developed to be a global service. The enterprise version of SAFE Me has identified regional data residency as a product roadmap item. We understand that this may be a challenge for some of our customers, and we are happy to help you find a solution that would work better for your data residency needs. Customers have the option not to use the SAFE Me component of SAFE if this is a critical business constraint.

    Why is SAFE Relay Server not regional?

    SAFE Relay Server allows SAFE agents installed in Windows and Mac endpoints to post daily assessment data to the SAFE server when their endpoint is not in the corporate network. This allows employees to roam anywhere in the world and still post daily assessment data. This relay server is hosted in theglobal data center region. Customers have the option to enable/disable relay functionality from their SAFE Web UI. No data is stored in the relay server. The data is transferred over HTTPS, and the application payload is further encrypted with a symmetric key which was exchanged with the agent by the SAFE server during its activation. This means that even the application data in-memory in the Safe relay server is encrypted per tenant.

    Why is telemetry data centrally collected?

    The SAFE Security team uses telemetry data to improve the product continuously. Customers have the option to share only Basic data or Advanced telemetry.
    Click here to read more about telemetry configuration.

    Was this article helpful?
    What's Next