Data Residency in SAFE
- 4 Minutes to read
As a customer, when you sign up for SAFE, you are essentially allocated a tenant. As part of this process, you can select a region where the application data is stored. Currently, SAFE is hosted in the following AWS regions:
There are different types of data collected, processed, and managed by SAFE. Most of the data managed by SAFE is always kept in the chosen geographic region. Certain data is stored in our global data center.
The table below illustrates data storage from a residency point of view.
Data pinning to regions

| Data that is stored in the selected region and encrypted with a tenant KMS key | Data that cannot be stored in the selected region |
|---|---|
Why is SAFE ID not regional?
SAFE uses AWS Cognito for secure user signup and user access control. This is a single service that globally manages all new user sign-ups for SAFE, so user management is centralized across all regions. The data stored in this single service includes the email ID, the password (managed by AWS), and any metadata configured during SAML setup, such as first name, last name, department, and mobile number. Except for the email ID, every other piece of user information is optional.
Customers who do not want to manage users separately in SAFE may also choose to configure SSO with SAFE using SAML 2.0.
Why is SAFE People data not region-specific?
SAFE Me collects assessment data per employee. Employees either use the SAFE Me mobile app or Web portal for cyber awareness training. It was organically developed to be a global service. The enterprise version of SAFE Me has identified regional data residency as a product roadmap item. We understand that this may be a challenge for some of our customers, and we are happy to help you find a solution that would work better for your data residency needs. Customers have the option not to use the SAFE Me component of SAFE if this is a critical business constraint.
Why is SAFE Relay Server not regional?
SAFE Relay Server allows SAFE agents installed on Windows and Mac endpoints to post daily assessment data to the SAFE server when the endpoint is not on the corporate network. This allows employees to roam anywhere in the world and still post daily assessment data. The relay server is hosted in the global data center region. Customers have the option to enable or disable relay functionality from their SAFE Web UI. No data is stored in the relay server. The data is transferred over HTTPS, and the application payload is further encrypted with a symmetric key that was exchanged with the agent by the SAFE server during its activation. This means that even the application data held in memory in the SAFE Relay Server is encrypted per tenant.
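The arrangement described above (agent seals the payload with a per-tenant symmetric key, relay forwards opaque bytes, only the regional server can open them) can be illustrated with a small end-to-end model. This is an added example, not SAFE's own agent or relay code: the key derivation, the HMAC-based stream cipher used in place of a real AEAD such as AES-GCM, and the tenant key and payload values are all constructed here for illustration, and the hypothetical function names (`agent_seal`, `relay_forward`, `server_open`) are not SAFE APIs.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed stand-in for the symmetric key the SAFE server exchanges with an
# agent at activation. In a real deployment this would be a random 256-bit key
# held only by the agent and the tenant's regional server, never by the relay.
TENANT_KEY = bytes.fromhex("11" * 32)

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(tenant_key: bytes):
    """Split one tenant key into independent encryption and MAC keys (HMAC as KDF)."""
    enc_key = hmac.new(tenant_key, b"payload-enc", hashlib.sha256).digest()
    mac_key = hmac.new(tenant_key, b"payload-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a simple PRF stream standing in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def agent_seal(tenant_key: bytes, payload: dict) -> bytes:
    """Agent side: encrypt-then-MAC the assessment payload under the tenant key."""
    enc_key, mac_key = derive_keys(tenant_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def relay_forward(blob: bytes) -> bytes:
    """Relay side: holds no tenant key, so it can only pass the sealed bytes along.

    (HTTPS protects the transport hop; this inner layer is what keeps the
    payload opaque to the relay process itself.)"""
    return blob


def relay_can_read(blob: bytes, marker: bytes) -> bool:
    """Check whether a plaintext field name is visible to the relay; expected False."""
    return marker in blob


def server_open(tenant_key: bytes, blob: bytes) -> dict:
    """Regional server side: verify the tag first, then decrypt; reject on mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed payload too short")
    enc_key, mac_key = derive_keys(tenant_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload authentication failed (wrong tenant key or tampered data)")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


if __name__ == "__main__":
    # Constructed sample assessment record from a roaming endpoint.
    record = {"hostname": "laptop-0042", "os": "windows", "score": 72}
    sealed = agent_seal(TENANT_KEY, record)
    in_transit = relay_forward(sealed)
    print("relay sees field names:", relay_can_read(in_transit, b"score"))  # False
    print("server recovered:", server_open(TENANT_KEY, in_transit))
```

The check that matters for data residency is the second one: the relay function never receives the tenant key, so the only thing it can do with the payload is forward it, and any modification or a wrong tenant key on the receiving side fails the tag check before decryption is attempted.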
Why is telemetry data centrally collected?
The SAFE Security team uses telemetry data to continuously improve the product. Customers have the option to share only Basic telemetry or Advanced telemetry.
See the telemetry configuration documentation to read more about telemetry settings.