FAQ - Moving the service we provide to Microsoft Azure

Why is Ciphr going to use Microsoft Azure public cloud?

Ciphr has used private cloud infrastructure for over a decade, which has proved successful. It has enabled our organisation to grow its offerings quickly while maintaining a high level of security and performance. We are now, however, at the point where operating with private cloud infrastructure is not as advantageous as leveraging the mature public cloud options now available. These benefits include:

• The ability to scale our solutions automatically
• Utilisation of the latest technologies available in the Azure marketplace with reduced effort to implement in comparison to private cloud
• Unparalleled security in relation to identity management and monitoring

Will adding the new IP addresses affect our current service before the move?

Adding the new IP addresses to your Allow-list can be done immediately without affecting the current service we provide to you, as long as you keep any previous IP addresses on the Allow-list.

We will notify you when those previous IP addresses can be safely removed.

What will not change?

We can assure you that our service and the storage of your data will remain in UK data centres, and it will continue to be protected to our high security standards:

• ISO 27001
• UK Cyber Essentials Plus
• GDPR
• Disaster recovery: we will be operating from multiple data centres and leveraging Microsoft Azure’s extensive resilience options.

Note: The new email service, principally data processing, will happen outside the UK but within the EU. For audit purposes only, limited data (meta information about the sent emails) will be stored, for a limited time. No emails will be retained after sending.

There will be no changes to any usernames, passwords, API credentials, URLs, or single sign on (SSO).

What is meant by limited data and limited time in regard to stored data by the new email service?

As the provider we will be using for the sending of our provided service emails, Sinch UK will only have access to those emails for the purposes of ensuring they are received by the appropriate recipients. The emails sent out, by the services we provide, deliberately do not contain sensitive information, and will often only provide a URL link back to the service, requiring the recipient to successfully authenticate before displaying any data.

Under the configuration that we have agreed with Sinch UK:

• No emails will be retained after sending
• Only meta information about the sent emails will be retained for 30 days for audit purposes

That meta information data is:

• Recipient email address
• Recipient domain
• Subject line
• Sender email address

Will the move of my systems to Microsoft Azure affect my use of my SFTP site?

If you use SFTP for secure document sharing with us, you will continue to access the SFTP as you always have during the move of all your systems that you have as part of your Ciphr service.

The SFTP URL will eventually need to change, but there is no need for it to change immediately.

Once we have completed our full move project (all systems for all customers), we will provide guidance to you on the changes to accessing your SFTP and any other impacts you will need to be aware of.

What due diligence did Ciphr carry out on Azure

Ciphr has a Third Party Management Policy which establishes steps to be taken to manage third party relationships. These steps help ensure that the risk of a breach of confidentiality, integrity and availability of Ciphr informational assets, in connection to the use of these third parties, is reduced to the lowest feasible level.

The policy is externally audited against the ISO27001 standard on an annual basis. It covers assessing the third parties and sorting them into tiers depending on their function. Their tiering determines the amount of due diligence that will be carried out by Ciphr on the third party.

Azure have been graded as a tier 1 supplier, the highest level. This involves retrieving an extensive amount of information about the organisation, reviewing the information to ensure they meet or exceed the level of security controls and protections which Ciphr offers to its customers. Unfortunately, we are unable to share this information as it is covered by NDAs between Ciphr and the third parties.

In addition to comprehensive initial due diligence upon entering into agreement with utilised third parties, regular audits are carried out to ensure continued compliance to contractual and legislative obligations.