Data Residency in SAFE

3 Minutes to read

Article Summary

Share feedback

Thanks for sharing your feedback!

Overview

As a customer, when you sign up for SAFE, you are essentially allocated a tenant. As part of this process, you can select a region where the application data is stored. Currently, SAFE is hosted in the following AWS regions:

Geography	Region
US	N Virginia
EU	Frankfurt, Germany
APAC	Mumbai, India
APAC	Sydney, Australia

There aredifferent types of data collected, processed, and managed by SAFE. Most of the data managed by SAFE is always kept in the chosen geographic region. Certain data is stored in our global data center.

The table below illustrates data storage from a residency point of view.

Data pinning to regions

Data that is stored in the selected region and encrypted by a tenant KMS key	Data that cannot be stored in the selected region
Policy assessment data. Assessment data under technology verticals. This includes assessment data generated by CA and VA scans. Asset Groups and Policies configuration data. Cyber Security Products Assessment data. Compliance data. Controls status, comments, and evidence against controls. Third-party assessment data. Financial Risk Exposure data. ATT&CK Matrix data. Generated reports from the product. Credentials and configuration entered in the product for configuring integrations with 3rd party software. Asset management and asset onboarding data. Local Users settings. Company Management settings. Governance Management settings. Assessment tool settings and ingested data from any integrated input tools. Management tool settings and ingested data from any integrated input tools. General product settings configured via the SAFE UI under Administration->Settings panel. All SAFE scores, except People scores. All Backups Any data that is the outcome of processing of assessment and CRQ except the one explicitly mentioned otherwise. Application and audit logs in containers are stored in the chosen region and custom encrypted per tenant. Application and audit logs in AWS CloudWatch are stored in the chosen region using a common encryption key. SAFE Security reserves the right to allow approved support personnel to debug the logs.	Telemetry data Customers have the option to share telemetry data through an option available in SAFE Web UI. If this option is turned on, the telemetry data is collected and processed in the global data center. SAFE ID This is the signup id of the customer. SAFE uses AWS Cognito in the global data center to manage SAFE ID. Relay server allows Windows and Mac agents, which are not in the customer network but connected to the internet, can send their assessment data via https://relay.safescore.ai. This server does not store any assessment data. This server is hosted in theglobal data center. SAFE Security reserves the right to allow approved support personnel to debug the logs. Email notifications are sent from globally configured AWS-based email service for all customers if enabled. SMS and Voice call notifications are sent from globally configured Twillo service for all customers if enabled.

Data that is stored in the selected region and encrypted by a tenant KMS key

Data that cannot be stored in the selected region

Policy assessment data.
Assessment data under technology verticals. This includes assessment data generated by CA and VA scans.
Asset Groups and Policies configuration data.
Cyber Security Products Assessment data.
Compliance data.
Controls status, comments, and evidence against controls.
Third-party assessment data.
Financial Risk Exposure data.
ATT&CK Matrix data.
Generated reports from the product.
Credentials and configuration entered in the product for configuring integrations with 3rd party software.
Asset management and asset onboarding data.
Local Users settings.
Company Management settings.
Governance Management settings.
Assessment tool settings and ingested data from any integrated input tools.
Management tool settings and ingested data from any integrated input tools.
General product settings configured via the SAFE UI under Administration->Settings panel.
All SAFE scores, except People scores.
All Backups
Any data that is the outcome of processing of assessment and CRQ except the one explicitly mentioned otherwise.
Application and audit logs in containers are stored in the chosen region and custom encrypted per tenant. Application and audit logs in AWS CloudWatch are stored in the chosen region using a common encryption key. SAFE Security reserves the right to allow approved support personnel to debug the logs.

Telemetry data
- Customers have the option to share telemetry data through an option available in SAFE Web UI. If this option is turned on, the telemetry data is collected and processed in the global data center.
SAFE ID
- This is the signup id of the customer.
- SAFE uses AWS Cognito in the global data center to manage SAFE ID.
Relay server allows Windows and Mac agents, which are not in the customer network but connected to the internet, can send their assessment data via https://relay.safescore.ai.
- This server does not store any assessment data. This server is hosted in theglobal data center.
SAFE Security reserves the right to allow approved support personnel to debug the logs.
Email notifications are sent from globally configured AWS-based email service for all customers if enabled.
SMS and Voice call notifications are sent from globally configured Twillo service for all customers if enabled.

FAQs

Why is SAFE ID not regional?

SAFE uses AWS Cognito for secure user signup and user access control. This is a single service that globally manages all the new user sign-ups for SAFE. For this purpose, user management is centralized for all the regions. The data that is stored in this single service includes email id, password (managed by AWS), and any metadata configured during SAML setup like the first name, last name, department, and mobile number. Except for the email id, every other user information is optional.
Customers who do not want to manage users separately in SAFE may also choose to configure SSO with SAFE using SAML 2.0.

Why is SAFE Relay Server not regional?

SAFE Relay Server allows SAFE agents installed in Windows and Mac endpoints to post daily assessment data to the SAFE server when their endpoint is not in the corporate network. This allows employees to roam anywhere in the world and still post daily assessment data. This relay server is hosted in theglobal data center region. Customers have the option to enable/disable relay functionality from their SAFE Web UI. No data is stored in the relay server. The data is transferred over HTTPS, and the application payload is further encrypted with a symmetric key, which was exchanged with the agent by the SAFE server during its activation. This means that even the application data in-memory in the Safe relay server is encrypted per tenant.

Was this article helpful?

What's Next

Bulk Upload Third-parties to SAFE

Table of contents

Overview
Data pinning to regions
FAQs