Last updated: Oct 21, 2020
This section gives an overview of how Octiga obtains, processes, and stores data from your Microsoft 365 tenant.
As discussed above, our solution is a standard SaaS (Software as a Service) solution deployed in the cloud on our cloud servers. At present, we have a single instance residing in Ireland on AWS (Amazon Web Services). We will deploy in other jurisdictions as required. We are considering an Azure deployment and welcome potential clients to speak to us about deployment and data sovereignty requirements.
Octiga processes and stores data only for the intended purpose of providing cybersecurity services on the client's 365 tenant. We use this data only to infer security incidents and tenant security configurations.
The data includes:
Octiga does not store or process any company documents, employee communications, or emails.
Octiga has taken the utmost care to ensure that client data, where it must be processed or stored, is handled to the highest security standards and using modern security techniques. The following provides some details on this. Further details can be made available upon request.
Octiga employs a dedicated multi-tier security architecture within the cloud to ensure client data security is reasonably maximised at all points of processing and storage.
The Service Users' credentials are doubly encrypted (at rest and at application level). Internal access to them is restricted to only a handful of necessary Octiga employees. The containers that utilise the Service Users are isolated from the rest of our systems on a dedicated Virtual Private Cloud (VPC). This VPC is separate from our main private VPC, which in turn is behind our public-facing VPC.
All data is encrypted at rest. All data transfer, both internally and externally, is over secure encrypted channels.
Each client’s data is processed with the utmost tenant isolation. This is achieved using Lambda functions and, where Lambda functions are not applicable (for example, in interfacing with and processing PowerShell calls), through the allocation of dedicated, on-demand operating system containers (Docker containers) per tenant.
System events and, in some limited cases, configuration data may include some personally identifiable information (PII), such as:
This data is extracted from Microsoft interfaces during data processing for the purpose of cybersecurity services. The only pieces of PII that we store are the UPN and IP address. These are required for on-demand security analysis.