Security is an absolute top priority for MacStadium and one that we take very seriously. We hold and maintain top certifications and deploy world-class physical, network, and process-level security at each of our locations. We strive to continuously improve our security practices; our work is never done.
As a provider of Infrastructure-as-a-Service (IaaS), MacStadium has responsibility only up to the hypervisor layer. Our customers hold responsibility for OS, application and data layer security. We give you root access to every aspect of your environment to deploy and maintain security policies as you see fit.
Our default security policies and dedicated infrastructure keep every customer secure. However, we understand every organization is different, and we can meet the needs of even the most stringent teams. We can provide tools to meet any need from isolation to encryption to direct connects and beyond.
MacStadium is independently ISO/IEC 27001:2013 certified as a company across all of our data centers. This can save you time and money from an audit, certification and compliance perspective, and your developers can rest easier knowing that we hold this globally-recognized security certification. View our ISO 27001 certificate here.
MacStadium is also ISO/IEC 27017:2015 and ISO/IEC 27018:2019 certified. The ISO 27017 standard provides guidance on the information security aspects of cloud computing, while the ISO 27018 standard provides a set of controls and associated guidance applicable to public cloud personally identifiable information (PII). In addition to ISO 27001, these certifications exemplify our commitment to data protection and privacy. View our ISO 27017 certificate here, and view our ISO 27018 certificate here.
MacStadium’s US data centers maintain SOC 1 Type 1 & 2, SOC 2 Type 1 & 2, and SOC 3 compliance. System and Organization Controls (SOC) audits have stricter requirements than ISO with respect to physical and data-center-level cybersecurity. View MacStadium's SOC 3 report here.
MacStadium is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Our certification can be viewed here.
Passed in 2016, the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to give EU citizens more control over their personal data. The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. With its broad scope, GDPR applies to nearly every corporation in the world.
MacStadium is GDPR ready, and our infrastructure, procedures and certifications enable our customers to be GDPR compliant. Given MacStadium’s IaaS role, we urge you to evaluate the GDPR and review your security, compliance and data protection processes to ensure compliance. If you already have robust compliance, security and data privacy practices in place, your compliance with GDPR should be simple.
All of our data centers are audited and/or certified by various internationally recognized attestation and certification compliance standards. Below is the list of our data center locations and the associated certifications. To request an NDA or a certificate listed below, or if you have any other compliance-related questions, please contact us.
MacStadium’s data centers are housed in secure, restricted access buildings that provide the highest levels of physical security. Our colocation providers (Zayo Group and Equinix) house our infrastructure in secure, restricted areas accessible only by MacStadium-approved employees. Each facility employs:
MacStadium has a defined policy of who has access to our data centers, servers and software. Only select engineering teams have access to the backend hypervisors where virtual servers reside or direct access to NAS/SAN storage systems. We have a centralized process for creating, maintaining and resetting keys and passwords, and we keep records of all changes for auditing purposes. Background checks are conducted on all candidates upon acceptance and are a condition of our offer of employment, and all employees are required to sign an NDA to ensure confidentiality.
MacStadium maintains 24/7 security incident and event management (SIEM). We monitor our infrastructure at all times with engineers on call to resolve any security-related events. MacStadium’s security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.
All access to customer systems is automatically logged and recorded via a privileged access control system/secure jump box. Our logging includes system actions as well as the logins and commands issued by our system administrators.
MacStadium respects your privacy and is committed to protecting the privacy and confidentiality of personal data we collect. Please read our Privacy Notice carefully to understand our policies and practices regarding your information and how we will treat it, and visit our Legal page for more information.
MacStadium is committed to industry best-practice approaches to security measures that prevent the loss, misuse and alteration of the information in our possession. We use various security measures to protect the information we collect as appropriate to the type of information, including encryption, firewalls, and access controls. If you have any questions about our privacy practices, please contact us at privacy@macstadium.com.
All communications with MacStadium are transmitted over TLS (HTTPS), and we use SSL (Secure Sockets Layer) encryption to protect visitor data. We provide connectivity to our hardware via SSH and recommend that customers use SSH keys to set up their access securely.
Credit card purchases for MacStadium services are processed by Chargify. When our customers provide their credit or debit card information via our website, the data is sent to Chargify, and the payment data is not stored on our systems.
We understand the need for the strict privacy regulations required by certain countries. Under European data protection acts like the General Data Protection Regulation (GDPR), MacStadium operates as the data “processor” and our customer is the data “controller.” We have set up a Data Processing Agreement (DPA) which can be signed by both MacStadium and our customer to meet these regulatory requirements. To obtain the DPA, or if you have any other privacy-related questions, please contact us.
We provide the dedicated infrastructure – the environment is yours. MacStadium is responsible for providing and maintaining all physical equipment as requested and preventing unauthorized physical access to that equipment. We will complete initial setup (imaging hosts, zoning storage, etc.), provide 24/7 technical support and ensure data center uptime.
As the customer, you are responsible for implementing security measures to protect your systems and data, including configuring and securing all infrastructure (e.g., firewall, vCenter) and virtual machines (e.g., applications, network connections, databases). You will need to ensure encryption of all data and network communications and ensure appropriate backups and failover capabilities are in place. Customers have root-level access to all aspects of their dedicated infrastructure. We enable and encourage our customers to change their credentials and lock MacStadium personnel out of their firewalls, vCenters, and hosts for ultimate security. For more information, please refer to our private cloud shared responsibility model (or Orka shared responsibility model).
To assist you in maintaining the security of your systems, we include the following technology with every Mac private cloud:
We can provide additional security measures upon request, including: