1. Policy Overview

CloudNexus maintains a zero-trust architecture and defense-in-depth strategy to protect customer data across all infrastructure layers. This document outlines our security controls, data handling procedures, retention schedules, and compliance frameworks.

All customer data is logically isolated, encrypted by default, and processed in accordance with industry-standard frameworks including ISO 27001, SOC 2 Type II, and GDPR/CCPA requirements. We retain data strictly for operational, legal, and contractual purposes, with transparent deletion protocols.

ℹ️ Transparency Commitment
CloudNexus never sells, rents, or shares customer data with third parties. All processing occurs solely to deliver, secure, and improve our infrastructure services.

2. Data Security Measures

2.1 Encryption Standards

  • At Rest: AES-256-GCM encryption for all block storage, object storage, and database volumes. Keys are managed via HSM-backed KMS with automatic rotation every 90 days.
  • In Transit: TLS 1.3 enforced across all APIs, control planes, and data planes. Certificate pinning and OCSP stapling are enabled by default.
  • Customer-Managed Keys (CMK): Available on Enterprise plans via AWS KMS, Azure Key Vault, or HashiCorp Vault integration.

2.2 Access Control & Authentication

All internal access follows the principle of least privilege. Engineers use just-in-time (JIT) access with multi-factor authentication (MFA) and hardware security keys (FIDO2/WebAuthn). Audit logs are immutable and retained for 365 days.

2.3 Network & Infrastructure Hardening

🛡️ Network Security Architecture
Segmented VPCs, strict egress filtering, Web Application Firewall (WAF), DDoS mitigation at edge and core layers, and continuous vulnerability scanning with automated patching within 72 hours of CVE disclosure.

3. Data Retention & Lifecycle Management

Data retention is categorized by type, sensitivity, and regulatory requirement. All storage classes support configurable lifecycle policies.

| Data Category | Retention Period | Deletion Standard |
|---|---|---|
| Infrastructure Logs | 90 days (standard); 365 days (compliance tier) | Cryptographic shred + metadata purge |
| Customer Workloads & Snapshots | Until explicit deletion or account closure | NIST 800-88 Rev. 1 Clear/Purge/Destroy |
| Support & Billing Records | 7 years (tax/legal compliance) | Secure archive → automated deletion |
| Backup Copies | Configurable (1–365 days) | Chain-of-custody verification before removal |
| Personally Identifiable Information (PII) | Minimum necessary for service delivery | Anonymization or secure deletion upon request |

⚠️ Grace Period & Recovery
Deleted resources enter a 30-day soft-deletion state for accidental recovery. After 30 days, cryptographic keys are revoked and storage blocks are permanently wiped. Legal holds override automatic deletion schedules.

4. Compliance & Certifications

CloudNexus maintains active compliance with the following frameworks and regional regulations:

  • ISO 27001:2022 — Information Security Management
  • SOC 2 Type II — Security, Availability, Confidentiality
  • GDPR & Schrems II — EU/EEA data processing safeguards
  • CCPA/CPRA — California consumer privacy rights
  • HIPAA BAA — Available for healthcare workloads (Enterprise)
  • PCI DSS Level 1 — Payment card environment isolation

Audits are conducted annually by independent third-party assessors. Compliance reports and Attestation Letters are available to Enterprise customers upon request.

5. Customer Responsibilities

CloudNexus operates under a shared responsibility model. While we secure the underlying infrastructure, customers retain control and responsibility for:

  1. Configuration of IAM roles, API keys, and network security groups
  2. Encryption of application-layer data and secrets management
  3. Timely patching of guest OS and third-party software
  4. Compliance with data sovereignty laws applicable to their jurisdiction
  5. Initiating deletion requests for retired environments

Failure to follow security best practices may void SLA guarantees for incidents caused by misconfiguration.

6. Incident Reporting & Security Contact

We maintain a 24/7 Security Operations Center (SOC) and follow a structured incident response plan aligned with NIST SP 800-61. Customers can report vulnerabilities, request data audits, or file deletion/compliance inquiries through:

  • Security Portal: security.cloudnexus.io
  • Email: security@cloudnexus.io (PGP key available)
  • Bug Bounty: Managed via HackerOne with up to $25,000 rewards for critical findings

All reports are acknowledged within 24 hours. Critical vulnerabilities trigger emergency patching within 48 hours. Post-incident reports are shared with affected customers in compliance with regulatory timelines.

📜 Policy Amendments
Material changes to this policy will be communicated 30 days in advance via dashboard notifications and email. Continued use of CloudNexus services constitutes acceptance of updated terms.