Introduction
As part of our ongoing commitment to deliver high-value services and offerings to our customers, CloudBlue has created an advanced data processing infrastructure, known as the CloudBlue Data Lake. This infrastructure enhancement is designed to further support the services CloudBlue provides to its customers. The CloudBlue Data Lake is intended to facilitate and enhance the provision of comprehensive data analysis, support reconciliation processes, and the delivery of sophisticated reporting and analytics services across its global operations.
CloudBlue provides a sub-processor change notification to affected partners and is providing this FAQ so that our customers are fully aware of and informed about the steps CloudBlue has taken to secure the data you have entrusted to us. We are committed to privacy and data protection. CloudBlue is a fully owned subsidiary of Ingram Micro Inc. Any references to Ingram Micro herein should be understood to include CloudBlue.
Due Diligence
Ingram Micro has an established, extensive vendor review and onboarding process. Our Information Security, Legal, Privacy, and Compliance teams conduct due diligence reviews for each vendor, based on industry standards, some of which include:
- the type of data being hosted or shared.
- the confidentiality and sensitivity of the data.
- the vendor’s privacy and data handling practices.
- the vendor’s incident management and business continuity practices.
Google Cloud Platform (GCP) went through this process. In addition to the publicly available contracts on GCP’s website, GCP and Ingram Micro Inc. entered into a separate contractual agreement that covers what we perceived to be gaps, to ensure your data is handled appropriately.
Impact
The change will be transparent to customers who use CloudBlue services. We are duplicating certain backend data from the CloudBlue offerings your company is using into the CloudBlue Data Lake on GCP. None of the functionality or services you currently use will be affected.
Privacy Principles
- Data Protection Agreements (DPA) – CloudBlue has data processing agreements in place with its customers, and we have agreed to Google’s DPA for the sub-processing activities.
- GCP Privacy Practices – GCP has published numerous documents on its privacy practices; we have summarized the important content below:
  - Customers control their data. The data stored in GCP does not belong to GCP, but to the user. They are the custodians of the data and process it according to contractual agreements.
  - Data stored in GCP is never used for advertising.
  - GCP is transparent about data collection and use. All processing complies with government regulations and privacy best practices.
  - GCP never sells customer or service data.
  - Security and privacy are inherent design criteria for GCP, which cascades to customer environments that use these services.
- Auditing & Monitoring – Ingram Micro has verified these claims through various technical controls, including Approved Access, which means Google administrators cannot access Ingram Micro’s tenant without our approval. In addition, Access Transparency Logs let Ingram Micro know whenever a GCP administrator accesses our tenant configuration or any of the data in GCP. GCP provides robust monitoring and audited tools that ensure our data is protected. The document Trusting Your Data with Google Cloud provides insight into GCP’s operational policies and procedures; a link to it can be found in the Additional Resources section.
Compliance
Ingram Micro complies with global data security and privacy standards and requires suppliers such as GCP to adhere to these as part of the services they provide to Ingram Micro. GCP maintains a wide range of compliance certifications, including:
- SOC 1
- SOC 2
- SOC 3
- ISO 27001
- ISO 27017
- ISO 27018
- HIPAA
- PCI DSS
GCP also complies with regional privacy and regulatory standards around the world, such as:
- CCPA
- PIPEDA
- GDPR
GCP is a voluntary participant in the EU Cloud Code of Conduct to demonstrate its commitment to accountability, compliance support, and data protection principles.
Data in the CloudBlue Data Lake will be hosted within GCP data centers in the United Kingdom.
Encryption
GCP has encryption at rest enabled by default. It uses the industry-standard AES-256 encryption algorithm in conjunction with the Tink cryptographic library for FIPS 140-2 validation. All GCP data centers, regardless of location, follow the same privacy principles, compliance controls, and operating standards.
Development and Maintenance
Our applications and data running on the Google Cloud environment were developed by CloudBlue using our Software Development Life Cycle (SDLC), which follows the Software Assurance Maturity Model (SAMM) methodology and Center for Internet Security (CIS) benchmarks. Security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort. The same process is used when new features and enhancements are added.
Common Questions
Q1: Will Google or GCP be able to access the data in the CloudBlue platforms, for example the number of subscriptions, prices, invoices, etc.?
A1: No. Google personnel do not have access to the data in the CloudBlue Data Lake on GCP. We are not replicating personal data of end-customers.
Q2: Do customers or partners need to make any changes to their internal processes?
A2: CloudBlue is duplicating data from one platform (Azure) to another (GCP). You will not need to make any changes to your internal processes at this time. You will still use the already-existing web applications.
Q3: Where will the data be hosted?
A3: CloudBlue will store data in the CloudBlue Data Lake in GCP in the United Kingdom.
Q4: Is order history or any other information being sold to Google?
A4: No. CloudBlue is not selling any information to Google. CloudBlue has implemented technical compliance controls and measures to monitor its data to detect unauthorized access.
Q5: Is Google being given any personal information, such as customer names and addresses?
A5: Neither Google nor GCP has access to the data stored in GCP. Information stored within GCP is not accessible to or shared with other Alphabet, Inc. entities, such as Google’s other business units.
Q6: Can CloudBlue be more specific about information being shared with Google and for what purpose?
A6: CloudBlue is not sharing information with Google. GCP is an Infrastructure-as-a-Service provider and CloudBlue is using that infrastructure to store data for CloudBlue Data Lake. The environment used in GCP is administered by Ingram Micro, not Google.
Additional Resources
Google has published a number of documents regarding GCP that were used by Ingram Micro, both during our due diligence activities as well as in the creation of this FAQ. Links to each along with a brief description can be found below:
- The Google Cloud Privacy Notice describes how Google collects and processes personal information as it relates to using GCP services. https://cloud.google.com/terms/cloud-privacy-notice
- Google Cloud Privacy Resource Center. Links to most of the other documents below can also be found on this page. https://cloud.google.com/privacy
- Google Cloud Compliance Resource Center, which includes details about compliance offerings by region. https://cloud.google.com/security/compliance
- The Cloud Data Processing Addendum is part of all GCP contracts and provides details and definitions of GCP’s role as a processor and sub-processor of data. https://cloud.google.com/terms/data-processing-addendum
- Creating Trust Through Transparency describes the GCP approach to security, how data is processed, and how government requests are handled. https://cloud.google.com/security/transparency/
- An overview of and introduction to the EU Cloud Code of Conduct. https://cloud.google.com/security/compliance/eu-cloud-code-of-conduct
- The Government Requests for Cloud Customer Data provides details about how a government request is handled. https://services.google.com/fh/files/misc/government_requests_for_cloud_customer_data_google.pdf
- The Google Transparency Report details requests received from government organizations and how those requests were handled. Note that this report is not limited to GCP but covers all of Google. https://transparencyreport.google.com/
- GCP Cloud Provider Access Management – Supported Services. This is a list of services that support and report into the Access Transparency Logs. https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/supported-services
- The Google Security Overview focuses on GCP’s security- and privacy-focused culture. https://cloud.google.com/docs/security/overview/whitepaper
- Trusting your data with Google Cloud. This whitepaper goes into more detail regarding the topics discussed in this document. https://services.google.com/fh/files/misc/072022_google_cloud_trust_whitepaper.pdf
- Shared Responsibility and Shared Trust describes the difference between the two and the challenges and nuances of each. https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate
- Default Encryption at Rest. This document provides details of how default encryption is enabled, how keys are managed, and other encryption features enabled by default. https://cloud.google.com/docs/security/encryption/default-encryption