TheStorage uses Microsoft Azure AD B2C as an identity provider. We do NOT store any user credential, even the password hashes are provided by Microsoft. We strongly recommend to our customers to use SSO providers. We currently supporting Azure Active Directory (Azure AD / Office 365), Google / G-Suite and Microsoft Account SSO’s. We are open to provide more, but as we see currently all of or customers use one of these SSO providers. If you use one of these SSO’s (especial Azure AD or G-suite) you can control the authentication flow, and we could follow all company policies. (Included Multifactor Authentication) Azure AD B2C supporting two industry standard protocols: OpenID Connect and OAuth 2.0. The service is standards-compliant, but any two implementations of these protocols can have subtle differences. More information about Azure AD B2C here.
All customer data are stored in Microsoft SQL Azure Database. The connection between the service and the database are encrypted. (SSL/TLS) If the customer stores some sensitive data in the database (Like software keys or software license credentials) the service encrypts all the data with a symmetric encryption algorithm.
All the application and Service sensitive data are stored in Microsoft Key Vault. This service is a Secure key management which is essential to protect data in the cloud. With Azure Key Vault the “TheStorage” can encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes our keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract the application and service keys.
Due the Identity Management is provided by Microsoft and all user data is available via SSO from the application perspective we do not store any GDPR related information about our customers. We only store those data that is belong to the tenant, but we do not store personal data about the user. From validation perspective we only store the invited users email address, and the invitation date. As we use Azure AD B2C Audit data like last successful and failed authentication is stored in B2C, and It is readable by the Livesoft Company Administrator. Currently only 1 person has a right to read audit data. If a customer needs all the tenant data, the administrator can export it from the application. But if a customer wants to delete ALL the data, the tenant administrator needs to write a ticket to here, and need to verify personal data. After the delete request sent it out, the company has 60 Business days to delete all tenant related data.