Vi genomför förbättringar i tjänsten! Vid eventuella problem, vänligen klicka CTRL+F5 eller hör av dig till support.
  • sv
  • en

Safety and security

Long-term commitment to safety and compliance

Security & privacy

Data security at Storegate

Cloud guarantee with integrity and security in focus
Storegate’s customer data is stored in a reliable environment where customers can make maximum use of the services in a safe, secure and efficient manner. The equipment is owned by Storegate and the data centers are located in Sweden.

Facilities, systems and personnel meet tough requirements and we offer a fully redundant environment with optimal conditions in terms of power supply, cooling, climate, fire detection and extinguishing systems.

Storegate’s services are monitored around the clock via surveillance systems. If disruptions occur in operations, the technician on call is automatically alerted. Access to data centers is protected by access control systems, internal sectioning and burglar alarms.

Storegate works together with independent consultants for ongoing penetration tests, vulnerability assessments and tests according to standards such as OWASP TOP TEN.

Storegate has a forum called ISWG (Information Security Work Group) that works on designing and implementing processes for Storegate’s ISMS system. Contact us for more information.

Storegate never scans information for business development purposes or to sell advertising.

Account access and authentication
When you create your account on Storegate, we have created the conditions for you to choose a strong username and password that is adapted to your company’s policy.

  • Password factors (minimum number of characters required by numbers, special characters capitalization, etc.)
  • Password reset from the administrator or via support
  • Limited number of login attempts (brute force)
  • Automatic logout in case of inactivity
  • Token-based Oauth login for clients and web
  • Two-step verification with apps that support the TOTP protocol, e.g. Microsoft and Google Authenticator

Single Sign On
For Enterprise customers, Storegate offers support for Single Sign On. This gives companies centralized control over user accounts in Storegate. If a company disables a user centrally, the person can no longer log in to the service. Similarly, you as an administrator can manage and control your users. This is done by logging into your administrator account on Storegate.com.

Mobile access
Mobile users can access their Storegate accounts via mobile browsers or a specific Storegate app. When a user connects via a mobile phone (iPhone, iPad, Windows, Android, etc.), HTTPS encrypted authentication is applied. All data sent between the server and the mobile application is encrypted using the TLS banking standard. If a mobile device is stolen or lost, the administrator can block the person’s account so that access to the information in the service is blocked in real time.

Upload and transfer
Once you have logged in to the service via one of our interfaces, you can upload files and folders. The upload itself is simple when viewed from the user’s perspective, but we at Storegate optimize performance and security in the transfer itself. All data is encrypted with 128-bit TLS encryption. This means that you don’t need to use VPN tunnels or similar to access your data from different geographical locations. The same procedure is reversed when downloading files to your devices.

Permission levels and information sharing
Once your files have reached Storegate and are ready for sharing, collaboration or storage, there are options to decide who and what should have access to the information. For example, each user can set sharing permissions in collaboration folders. By sharing folders externally, you can also decide who and which partners can access your information and upload information to your account. Distributions can be limited by time intervals and passwords that the recipient needs to access the content.

Global settings
At a global level, administrators can set certain restrictions on one or more users. In addition, the administrator can decide:

  • Who can create folders or upload files
  • Which users to invite to the account
  • How much each user is allowed to store in the home directory and in the backup section
  • Which files to permanently delete (active/inactive recycle bin)
  • How many versions of each file should be in the account
  • When and who should have reports on the status of backup
  • When to delete a user

Storage and encryption
All files uploaded to Storegate are stored in real time on two separate systems located in two physically separate data rooms and encrypted on disk using AES 256-bit encryption. Furthermore, all files are stored in the systems with scrambled paths and file names. This means that it is never possible to trace which files and references belong to the owner of the files, i.e. the account holder. For all services and protocols on Storegate, 128-bit TLS encryption is also applied during transmission. For Backup Pro, files are optionally encrypted with a user-generated encryption key (256-bit AES encryption). The system has built-in protection against SQL injection and brute force attacks. The system will automatically block failed login attempts that are repeated based on IP address and username.

Shared responsibility for data protection and compliance requirements
Security and availability are our top priority at both the organizational and functional levels of the services we offer. However, many companies are subject to local or industry-specific regulatory requirements for data storage and backup, which may require backup and storage policies, which you as a customer must accommodate. Storegate, like other leading cloud services, operates under a shared responsibility model for data protection and compliance. This means that Storegate is responsible for protecting the service and infrastructure, while the customer is responsible for protecting their own data for compliance or against access issues, accidental deletion, malicious activity and other data loss events. Therefore, we recommend that each individual customer provides a backup to a third-party solution or to a local disk at home. Through the Extended Access add-on service, all files and folders (including sub-users’ My Files directory) can be backed up locally or to a third party. Contact us for more information.

Deletion of stored information
When files are in the recycle bin, they remain there until you choose to empty all or part of the recycle bin. If you delete files from the recycle bin, they can never be recreated. If you choose to close an account, the data is saved for 60 days, after which Storegate deletes all data in accordance with GDPR.

Our guidelines
The security of your information starts in our office, in our data centers and with our procedures. All Storegate employees have an employment contract that includes confidentiality towards our partners and customers. Like most online services, we have a small number of employees with police records who need to be able to access user data for the reasons set out in our user agreement (e.g. when we are legally obliged to do so). But these are rare exceptions, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare cases. In addition, we use a number of physical and logical security measures to protect user information from unauthorized access.

Storegate also works to maintain the security of its own office network:

  • Network intrusion detection systems
  • Application logging, reporting, analysis, archiving and preservation of data
  • Continuous monitoring

Administration of your data
Storegate technicians or customer support may occasionally need access to customer accounts to handle technical issues and support. Here, too, we have established careful policies and authorizations that help us help you with as little transparency as possible.

Application and hardware architecture
In each data center, Storegate maintains full redundancy in terms of load balancers, routers, servers, switches and failover configurations, etc. Data that is written is replicated in real time on multiple servers.

Summary
Storegate’s system is a complex environment that requires multiple layers of security. From hardware such as storage systems to soft values such as the staff working at Storegate. Storegate’s top priority is and remains the security of customers’ digital information. If you need more information in a specific area, please contact Storegate and we will be happy to answer your questions.

Report vulnerability

Our principles

The security of our systems is a top priority. But no matter how much work we put into system security, there may still be vulnerabilities.
If you discover a vulnerability, we want you to let us know so we can take steps to fix it as quickly as possible. By letting us know, you help to better protect our customers and our systems.


Please do the following:

  • Send a message to info[at]storegate.com and you will receive a unique link to upload information.
  • Do not take advantage of the vulnerability or issue you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
  • Do not tell others about the problem until it has been resolved.
  • Do not use attacks against physical security, social engineering, distributed denial of service, spam or third-party applications.
  • Please provide sufficient information to reproduce the problem, so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but complex vulnerabilities may require additional explanations.

What we promise:

  • We will reply to your notification within 5 working days with our evaluation of the notification and an expected date for a decision.
  • If you have followed the instructions above, we will not take any legal action against you in relation to the report.
  • We will handle your report with strict confidentiality and will not pass on your personal data to third parties without your permission.
  • We will keep you informed of the progress made in resolving the issue.
  • In the public information about the reported issue, we will indicate your name as the person who discovered the issue (unless you wish otherwise) and as a token of our gratitude for your help, we offer a reward for each report of a security issue that was not yet known to us. The size of the reward will be determined by the severity of the leak and the quality of the report. The minimum reward is a €50 gift card.

We aim to resolve all issues as quickly as possible, and we are keen to play an active role in the final publication of the issue after it has been resolved.

GDPR

When Storegate stores your data

Storegate complies with GDPR and we have a DPO (Data Protection Officer) who can be reached at dpo@storegate.se. We have also developed an incident management plan, a privacy policy and if you want a data processing agreement, you can order it here. If you are no longer a customer, you can change or delete your information at any time by notifying us and contacting us. Our ambition is to always work with relevant content, integrity, honesty, transparency and responsibility.

When you store other people’s personal data

As a Storegate customer, we have made sure you can comply with the GDPR. First of all, all data is stored in Sweden (GDPR requires storage within the EU). The fact that it is Swedish storage also protects your data from being affected by foreign laws. In addition to this, there is a logging function on all company accounts. This means that you can follow what has happened to a specific file and who has done it. This is invaluable if you work with several people on the same files and want full control. Below you can read more about important points for your company when it comes to GDPR.

Keep in mind
Personal data that you process must have a legal basis. The processing of personal data must always be based on the General Data Protection Regulation. A legal basis can be consent before you process personal data.

Right to know. Your customers and employees have the right to know, free of charge, what information you process about them, the purpose of the processing, and wherever the processing takes place.

Right to object. The right to object includes, for example, the right to be able to unsubscribe from all your newsletters, the law is particularly clear here. You are also not allowed to use personal data you have processed on an invoice to send emails with offers, unless you have specifically informed the customer to do just that and have confirmed consent.

The right to be forgotten. This rule is perhaps the most difficult to handle as it places very specific demands on your business. If you have customer addresses in, for example, an Excel file or in an email, these must be deleted if the customer requests this. There is a concept called legal basis and it can usually apply before the customer’s desire to be forgotten. For example, if you have received consent to store an invoice with name and address, this is a legal basis. However, after 7 years, this invoice must be deleted because the data will then have no legal basis. So there may be different purposes for your processing of personal data where the storage of invoices falls under one, and the contact in your address register falls under another.

The right to be notified in the event of a data breach. If your storage account is hacked and you hold personal data, the persons concerned have the right, under certain circumstances, to be notified within a reasonable time.

Not complying with the GDPR can be costly. Companies that do not comply with the GDPR risk large fines of up to 4% of their total turnover. It is not just about IT, but all handling of personal data. For example, if you have a payroll register, this contains personal data, and it is your responsibility to have rules for how these are cleared if people leave the company.

Here are some tips on how your company can comply with the GDPR. Think of all personal data as borrowed and that when you have no purpose for it, it should be deleted. Your company is responsible for all personal data, regardless of where it is stored. It is your responsibility to ensure that IT system providers have the right security systems in place to protect your customers’ data. You must have procedures in place to delete personal data and document where and how your data is stored and managed.

Control questions you can ask in your work to comply with the GDPR:

  • Why do we store the data instead of deleting it?
  • Has the customer/individual really given their consent to storage?
  • Why do we keep the data? For example, you may not store unnecessary information such as age unless you can justify it as necessary for your business and your customer.
  • What is the purpose of the treatment? Categorize these purposes.
  • How long is it justified to keep the data? Establish procedures to purge old data.
  • If a customer wants to be forgotten, what do we do? (If you delete a file with personal data, keep in mind that it may still be in the trash)
  • If a customer wants to know what is stored, what information do you provide?
  • How do you know that the person requesting the data is really who they say they are?

Please note that you must legally secure your own business and that the text above is simplified. If you want to read more about what the Swedish Data Protection Authority says about cloud services, you can find it here.

CLOUD Act

Most Swedish companies and organizations have processes and procedures in place to comply with the new, stricter EU legislation on the handling of personal data (GDPR), which was introduced on 25 May 2018. However, there are other aspects that are at least as important to consider when a company chooses a cloud service to store, share and collaborate with company files.

In the same year, 2018, on March 23, a new US law, the CLOUD Act (Clarifying Overseas Use of Data), came into force, which means that US authorities must be given access to data stored on US cloud services, even if it is stored abroad, and that US cloud services cannot refuse to disclose such data.

To comply with the GDPR, US cloud services have been forced to offer EU storage to Swedish companies. With the CLOUD Act, this means that US legislation applies to data stored with a US cloud service even if it is within the EU and it can be very costly for a Swedish company to ignore these risks.

NIS2

Benefits of using a Swedish cloud service to meet NIS2?

The NIS2 Directive, which is an update of the original NIS Directive, aims to strengthen the cybersecurity and resilience of critical infrastructures within the EU. Therefore, to meet local requirements, it is beneficial to use a Swedish cloud service. Here are some reasons why:

1. Compliance with local laws and regulations: Storegate has been designed to comply with Swedish and European laws and regulations, including GDPR and NIS2. By choosing a Storegate, you ensure that data management is done in accordance with the strict requirements set by these regulations. This reduces the risk of legal problems and fines.

2. High security standards: As a Swedish cloud service, we can offer high security standards and advanced security measures to protect data. This includes encryption, regular security updates and robust authentication methods. By using Storegate, organizations can minimize the risk of their data being exposed to cyber threats.

3. Local support and expertise: We offer local support and expertise, which can be invaluable for incident response and technical support. Having access to support in English and Swedish in the same time zone allows us to resolve issues faster and improve communication.

4. Data residency and sovereignty: When you as an organization use Storegate, you can ensure that your data is stored within Sweden’s borders. This is important for maintaining data residency and sovereignty, which is crucial for certain industries that handle critical information.

5. Improved availability and performance: thanks to the proximity to our users, we can offer high availability and performance. This can lead to faster access times and better user experience, which is important for mission-critical applications and services.

6. Support for sustainability: As a Swedish cloud service provider, we share values with our customers and have a strong focus on sustainability and environmentally friendly solutions. By choosing Storegate, you contribute to a more sustainable future.

Storegate makes it easy and secure for businesses and individuals to store and share files. We protect everyone’s privacy and store all information in Sweden in accordance with GDPR, under Swedish law.

You are welcome to try our services or contact us for more information.

Discover a safer way to work.

Get started today,
it’s fast!

Try it free for 14 days