Infrastructure Security
The CloudSphere platform is built on a secure infrastructure foundation with layered controls:
- Transit Encryption: TLS 1.3 for all data communications between clients and servers
- Storage Encryption: AES-256 for all data stored on disk and in databases
- Certified Hosting: Infrastructure hosted in ISO 27001-certified tier-3 data centers
- Network Protection: Firewall, WAF (Web Application Firewall), and intrusion detection and prevention systems (IDS/IPS)
- Automated Backups: Daily backups with 30-day retention and periodic recovery testing
- 24/7 Monitoring: Real-time security and anomaly monitoring around the clock
Access Control
- Multi-Factor Authentication (MFA) — Required for all administrator accounts and access to production systems.
- Role-Based Access Control (RBAC) — Each user has only the access needed for their role (principle of least privilege).
- Periodic Access Reviews — Access rights audits and reviews are conducted quarterly to ensure no excessive access exists.
- Immutable Audit Logs — All access to production data is recorded in an immutable audit trail.
- Network Segmentation — Production, development, and administrative systems are separated into distinct networks.
- Strict Session Management — Sessions automatically expire after periods of inactivity, with refresh tokens rotated on a regular schedule.
Secure Software Development Lifecycle (Secure SDLC)
Security is integrated at every stage of our software development, not added as an afterthought at the end:
Design
- Threat modeling for every new feature
- Mandatory security design review before implementation
Development
- Standardized secure coding guidelines and code style
- Mandatory code review by at least one other developer before merge
Testing
- SAST (Static Application Security Testing) integrated into the CI/CD pipeline
- Automated dependency scanning for vulnerabilities in third-party libraries
- DAST (Dynamic Application Security Testing) on the staging environment
Deployment
- External penetration testing at least once per year by an independent party
- Security configuration review before every major release
People Security
- Background Check — Background screening is conducted for all employees and partners with access to sensitive systems.
- Mandatory Security Training — All team members complete information security and phishing awareness training at least once a year.
- Non-Disclosure Agreement (NDA) — All employees, contractors, and partners sign an NDA before beginning any engagement.
- Device Policy — Full disk encryption and automatic screen lock are mandatory on all devices used for work.
- Offboarding Procedure — All access is revoked immediately on the first day of resignation or termination, following a standardized procedure.
Security Incident Management
CloudSphere has a documented and periodically tested incident response procedure. If a security incident occurs that affects your data:
- 0–24 hrs (Detection & Containment): Identification, incident containment, and internal notification to the incident response team.
- 24–72 hrs (Customer Notification): Written notification to affected Customers in accordance with UU PDP No. 27/2022 obligations.
- Ongoing (Investigation & Mitigation): In-depth analysis, remediation, and periodic status updates to affected parties.
- Post-Incident (Post-Mortem & Improvement): Complete post-mortem report and implementation of improvements to prevent recurrence.
Compliance & Reference Standards
CloudSphere's platform and operations are designed, developed, and operated in accordance with the following information security standards and regulations:
- ISO/IEC 27001: Information Security Management System (ISMS), the primary framework for our security governance
- UU PDP No. 27/2022: Indonesian Personal Data Protection Law, the compliance standard for our data processing
- POJK 11/2022: OJK cybersecurity regulation for the financial services sector
- NIST CSF 2.0: Cybersecurity risk management framework from the National Institute of Standards and Technology
- OWASP Top 10: Web application security standard applied in our development process
- CIS Controls: Critical Security Controls as a guide for prioritizing technical security controls
Responsible Disclosure Policy
We believe that collaboration with the security community makes everyone safer. If you discover a vulnerability in CloudSphere's systems or services, we invite you to report it responsibly.
In Scope
- CloudSphere website and web platform (cloudsphere.id and all active subdomains)
- CloudSphere API endpoints used for the Services
- CloudSphere mobile applications (if available)
- Infrastructure that directly supports the operation of the Services
Out of Scope
- Integrated third-party services (governed by their own security policies)
- Social engineering attacks against our employees or customers
- Denial of Service (DoS/DDoS) attacks or volume/load testing
- Already-known vulnerabilities or those currently being remediated
- Vulnerabilities in legacy software versions that are no longer supported
How to Report
Submit your vulnerability report by email to security@cloudsphere.id with subject [SECURITY REPORT]. Please include the following information:
- Vulnerability description, category (e.g. XSS, SQLi, IDOR), and potential business impact
- Clear, detailed, and reproducible steps to reproduce the issue
- Proof of Concept (PoC) that does not destroy, access, or exfiltrate real data
- Your contact information for follow-up and confirmation
Our Commitment to You
- 2 business days: Acknowledgment of your report
- 7 business days: Investigation status update
- Safe harbor: No legal action for good-faith reports
- Optional: Public credit acknowledgment if you wish
Security Contact
For general security questions not related to vulnerability reporting, please contact our team:
CloudSphere Security Team
Security Email: security@cloudsphere.id
General Email: hello@cloudsphere.id
For non-security questions, use our Contact Us page.
See also: Privacy Policy and Terms & Conditions.
