Data protection in the operating models at linkyard
linkyard makes great efforts to ensure data protection in its Managed Services. In this article we present the different features and variants.
Hosting models with linkyard
Under the name Atlassian-as-a-Service we offer our customers the licensing and provision of Atlassian products as a managed service. It is important to note that this is a hosting service. This means that, in contrast to the provision of software as pure cloud software, we license each customer system separately, store the customer data on separate encrypted disks and operate the services as separate containers on the virtual servers. In this way, we ensure that each customer has access only to their own instance.
On the infrastructure side, we support three deployment scenarios, which are briefly described below.
Standard variant: Operation in the linkyard cloud
In our standard version (linkyard Cloud) we offer the operation of the software in an ISO 27001:2013 certified data center of our subcontractors. Today we offer three regions: EU (standard), Germany and Switzerland. For each region we have contracts with two independent suppliers. Normally, we operate in the data center of the primary supplier. However, we store an off-site backup at the location of the secondary provider. Our Business Continuity Plan enables us, in the event of a loss of the primary provider (large-scale network failure, insolvency, force majeure, etc.), to get the system back up and running at the secondary provider within a few hours.
Today it is almost impossible to offer the best prices without relying on the infrastructure of the big hyperscalers (AWS, Azure, Google). We therefore rely partly on these modern cloud infrastructures in the cheapest offers. However, for customers who explicitly do not want to use subcontractors from third countries such as the USA for data processing, we offer the option of using only European subcontracted data processors at an additional charge. For clients from Switzerland, for example the state or Swiss banks, we also offer the option of using only subcontracted data processors from Switzerland. Clients who are interested in such options should contact us for a non-binding offer.
We are now observing the general effects of the invalidation of the EU-U.S. Privacy Shield by the European Court of Justice. As we have not based our contracts on the EU Commission's decision on equivalence to the EU-U.S. Privacy Shield, but on the standard contractual clauses on data protection, which remain in force, there is no direct deterioration of the situation for our customers. In addition, our contractual partners are the subsidiaries of these providers established in Europe, which is why the legal situation needs further clarification in this regard. Two years ago, we already pointed out the possibility that the American government could access data via American companies. In this respect, the situation has not been completely changed by the court ruling. However, we are also examining our situation and options for action in the coming weeks and will provide information on any adjustments.
Option: Public Cloud
More and more customers have their own accounts with either Azure, AWS or Google. There may be benefits to running the application as a managed service on customer-provided public cloud infrastructure. For the major public cloud providers Azure, AWS and Google we have a prepared standard setup for operation. We use our automated deployment procedures and monitoring tools as in the linkyard cloud and thus benefit from synergies.
With regard to data protection, the starting position is similar to that of operation in the linkyard cloud, if we rely on the cloud infrastructures of American providers. The difference is that the customer is the direct contractual partner of the respective public cloud providers, so these providers do not act as our subcontractors. Accordingly, the contractual constellation is different, and it is at the customer's sole discretion which contracts to conclude with whom.
Option: Custom Private Cloud or On Premise Operation
If desired, we also operate the system on a private cloud solution or on-premise on Linux VMs provided by the customer. For this option we also use our automated deployment procedure and integrate the environment into our tools. However, the installation is always customer-specific and many aspects must be individually designed, built and operated. Therefore, this usually only makes sense if the customer has a larger environment and the benefits exceed the additional costs.
Most Atlassian products can be functionally enhanced with apps. Third-party software vendors have the opportunity to extend Atlassian products for additional use cases. In our experience, most customers have a handful of additional apps in use within a few weeks of going live, as these apps provide even better support for their use cases. The available apps can be browsed in the Atlassian Marketplace. Unlike in the Atlassian Cloud, apps are added to our installation and then run by us. We do not grant any software vendor, whether Atlassian or an app vendor, access to customer data.
ISO/IEC 27018 certification of data protection
linkyard is already certified according to ISO/IEC 27001:2013. Next year we are looking forward to an external certification again, following two years of maintenance audits. We plan to have the external audit of data protection according to ISO 27018 carried out at the same time, now that our accreditation body has created the basis for the examination of this new standard this year.
linkyard is a specialist for the secure operation of collaboration services. About 100 customers, among them many from industries with particularly high information security and data protection requirements such as banks, insurance companies, public administration or other critical infrastructures, count on our services. The information security management system of linkyard is certified according to ISO 27001:2013.