Information Sharing & Disclosure Policy
Introduction
At CloudNexus, transparency is foundational to our relationship with customers, partners, and the broader technology ecosystem. This Information Sharing & Disclosure Policy outlines how we collect, process, share, and disclose information across our cloud hosting and infrastructure platform.
CloudNexus operates under a zero-trust, privacy-by-design architecture. We do not sell customer data, and we maintain strict boundaries between our operational infrastructure and your tenant environment. This policy supplements our Privacy Policy, Terms of Service, and Service Level Agreement (SLA).
You retain full legal ownership of all data, code, configurations, and logs generated or stored on CloudNexus infrastructure. We never claim rights to your data, nor do we mine it for advertising or third-party commercial use.
1. Information We Collect & Process
To deliver secure, performant, and compliant cloud infrastructure, CloudNexus collects and processes the following categories of information:
- Account & Identity Data: Registration details, authentication credentials, SSO configurations, and role-based access controls (RBAC).
- Infrastructure & Telemetry Data: CPU, memory, storage, and network utilization metrics; deployment logs; and health check status.
- Network & Security Data: IP addresses, firewall rules, DDoS mitigation logs, SSL/TLS certificates, and threat detection alerts.
- Support & Billing Data: Customer service interactions, technical tickets, payment history, and invoicing preferences.
- Compliance & Audit Data: SOC 2 Type II, ISO 27001, GDPR, and HIPAA audit trails generated within your tenant environment.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We apply data minimization principles and retain information only as long as operationally or legally required.
3. Third-Party Service Providers
CloudNexus engages vetted third-party vendors to support platform operations. All processors are bound by Data Processing Agreements (DPAs) and undergo annual security assessments. Categories include:
- Infrastructure & Monitoring: Prometheus, Datadog, PagerDuty
- Identity & Access: Okta, Auth0, AWS Cognito
- Payment Processing: Stripe, Adyen (PCI DSS Level 1 certified)
- Communication: SendGrid, Twilio (for transactional alerts only)
We maintain a live vendor transparency portal accessible via your dashboard. You may request a full data flow diagram for any integrated service.
4. Legal Requests & Government Disclosure
CloudNexus responds to lawful requests from authorized government or law enforcement agencies in accordance with applicable jurisdictions. Our disclosure principles include:
- Validation: All requests are reviewed by our legal and compliance teams for jurisdictional validity and proper authorization.
- Customer Notification: Unless legally prohibited, we will notify affected customers of information requests within 30 days.
- Minimal Disclosure: We only provide the specific data required by the legal order, never bulk or unrelated datasets.
- Transparency Reporting: We publish semi-annual transparency reports detailing government requests, compliance rates, and anonymized data categories.
5. Security Incident Disclosure
CloudNexus maintains a 24/7 Security Operations Center (SOC) and follows the NIST SP 800-61 incident response framework. In the event of a confirmed security incident affecting customer data:
- We will notify affected parties via email, console alerts, and status page updates within 72 hours of confirmation.
- A detailed incident report, including root cause analysis, impact scope, and remediation steps, will be provided within 14 days.
- For critical vulnerabilities, we follow coordinated disclosure practices and assign CVE identifiers where applicable.
Our bug bounty program is managed through HackerOne and covers all CloudNexus domains and public APIs.
6. Your Rights & Choices
Depending on your jurisdiction, you may exercise the following rights regarding your information:
- Access & Portability: Export your data via our CLI or API in JSON, CSV, or Parquet formats.
- Correction & Deletion: Request modifications or permanent erasure of account and personal data.
- Opt-Out: Disable telemetry collection, marketing communications, or third-party analytics at any time.
- Restriction: Place holds on data processing during compliance audits or legal proceedings.
All rights requests are processed within 30 calendar days. Extensions may apply for complex or large-scale requests.
7. Submitting a Disclosure Request
If you are a customer, partner, or representative submitting a formal information disclosure request, please use the following channels:
- Customer Portal: Submit via Support Tickets → Compliance & Legal Requests
- Legal Mailbox: legal-requests@cloudnexus.io
- Security Disclosures: security@cloudnexus.io (PGP key available on our security page)
- Government/Law Enforcement: law-enforcement@cloudnexus.io
All requests must include verified identity documentation and a clear description of the data scope. We reserve the right to validate requests and may require additional documentation under applicable privacy and data protection laws.
Need Clarification?
Our compliance team is available for technical, legal, or architectural consultations regarding data handling and disclosure.
Policy Updates
CloudNexus reserves the right to update this policy to reflect technological, regulatory, or operational changes. Material updates will be communicated via email, console notifications, and the CloudNexus Status Page. Continued use of our platform following updates constitutes acceptance of the revised terms.
For questions regarding this policy, please contact privacy@cloudnexus.io or refer to our Privacy Policy and Terms of Service.