Businesses, today, have to meet compliance mandates to maintain and demonstrate controls while managing electronic data. Regulations by various industries related to maintaining confidentiality, industry portability and preservation of records compel organizations to implement processes that support data backup and recovery objectives.
To support customers, IDrive® BMR continues to maintain high compliance standards relating to security, confidentiality, availability, data privacy, safekeeping and access.
SOC 2 Type 2
IDrive BMR has proudly achieved SOC 2 Type 2 certification through a rigorous evaluation conducted by an independent third-party auditing firm. SOC 2, developed and administered by the American Institute of Certified Public Accountants (AICPA), serves as an essential audit process to assess technology companies and pertains to security, availability and privacy aspects of the company. This certification validates that our cloud backup and storage solutions, as well as our policies and procedures, adhere to industry-leading standards for safeguarding customer data and account information.
A third-party organization audited IDrive BMR's ability to securely manage any business data. It followed SSAE 18 to evaluate our commitment to security and privacy. Statement on Standards for Attestation Engagements or SSAE establishes standards/controls, with the current version being SSAE21. IDrive® BMR has completed the necessary audits and possesses supporting documentation demonstrating compliance with the standards outlined by SSAE 18.
More information on how IDrive BMR assists its customers comply with different regulatory standards can be found on IDrive BMR's Compliance Page.
IDrive® Security
IDrive addresses data security and privacy concerns by employing a robust security model that manages your data when stored on the IDrive BMR device and during cloud replication to the IDrive cloud account. Security measures include encrypted data transmission and storage, restricted physical access, and password protection safeguards among its several layers of security measures used to protect customer data.
Data Privacy Framework Program
The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were established to streamline transatlantic commerce. These frameworks offer U.S. organizations dependable mechanisms for personal data transfers from the European Union / European Economic Area, the United Kingdom (including Gibraltar), and Switzerland to the United States, ensuring consistency with EU, UK, and Swiss law. An organization needs to self-certify its commitment to the DPF Principles with the ITA. This involves being listed on the Data Privacy Framework List, which the ITA updates yearly based on organizations' annual re-certification submissions.
Swiss-US Privacy Framework
IDrive aligns with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as established by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. IDrive has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
Transmission
Your data is encrypted during transfer from your local IDrive BMR device to the IDrive cloud using 128-bit SSL. Your data is deployed in top tier data centers certified for SOC 2, ISO 27001 and PCI-DSS. These data centers provide Service Organization Control (SOC) approved data protection services. All transmitted data is automatically verified during every backup.
Storage/encryption
Data files are encrypted when stored on the IDrive BMR device and on the IDrive cloud account using AES 256 CCM/AES 256 GCM encryption. Your data is also encrypted during transfer to the cloud account. Data resides on RAID-protected industry leading NAS/SAN storage devices with multiple levels of redundancy and is available for online restores 24/7.
Encryption based on a private encryption key ensures data stored on IDrive servers cannot be decrypted by anybody other than you and your authorized personnel. Private encryption keys are never stored or escrowed on IDrive servers as is.
Access
Data access is restricted by password and private key authentication. Our security protocols include two-factor authentication settings, enhancing the protection of your account. All access to the stored data is documented and time/date stamped. Detailed reporting gives regulators a clear idea of the chain of custody of the stored information, and rapid access, should it be required.
Physical access to the vaults and the data center housing IDrive servers is strictly controlled through administrative procedures, physical safeguards, and technical security measures to prevent unauthorized physical access to IDrive servers.
Password Protection
Account passwords are never stored or transmitted to IDrive in plain text.
While IDrive BMR meets several technical safeguards for maintaining data security, full compliance with specific regulatory requirements is not guaranteed by simply implementing IDrive solutions. It is important that organizations consult with their legal counsel to ensure applicable compliance regulations are satisfied.