Data Residency in SAFE

Overview

As a customer, when you sign up for SAFE, you are allocated a tenant. The default region application data is stored in the US (North Virginia). If this does not meet your business needs, additional regions are available, and this can be discussed with the SAFE Account Managers.

There are different types of data collected, processed, and managed by SAFE. Most of the data managed by SAFE is always kept in the chosen geographic region. Certain data is stored in our global data center.

Data pinning to regions

Data that is stored in the selected region and encrypted by a tenant KMS key

• Policy assessment data.
• Asset Groups and Policies configuration data.
• Cyber Security Products Assessment data.
• Controls status, comments, and evidence against controls.
• Third-party assessment data
• Financial Risk Exposure data
• ATT&CK Matrix data.
• Generated reports from the product.
• Credentials and configuration entered in the product for configuring integrations with 3rd party software.
• Asset management and asset onboarding data.
• Local Users settings.
• Company Profile settings.
• Assessment tool settings and ingested data from any integrated input tools.
• Management tool settings and ingested data from any integrated input tools.
• General product settings configured via the SAFE UI under Administration->Settings panel.
• All SAFE scores and breach likelihoods.
• All Backups 
• Any data that is the outcome of processing of assessment and CRQ except the one explicitly mentioned otherwise.
• Application and audit logs in containers are stored in our global data center. Application and audit logs in AWS CloudWatch are stored in the chosen region using a common encryption key. SAFE Security reserves the right to allow approved support personnel to debug the logs.

Data that cannot be stored in the selected region

• Email notifications are sent from globally configured AWS-based email service for all customers if enabled.