This documentation is no longer updated. Please visit New Afi Documentation Center.
|
Data residency
Afi is hosted as a distributed container-based application in Google Cloud Platform (GCP) in the USA, Canada, the EU, the United Kingdom, and Australia. These Google facilities hold all major security and data privacy accreditations, including SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2.
Afi users can select the data storage location when they initially sign up for the Afi SaaS backup trial. There are five available locations:
- USA: Google datacenter us-central1 (Council Bluffs, Iowa, USA)
- United Kingdom: Google datacenter eu-west2 (London, England)
- Netherlands: Google datacenter eu-west4 (Eemshaven, Netherlands)
- Canada: Google datacenter northamerica-northeast1 (Montreal, Canada)
- Australia: Google datacenter australia-southeast1 (Sydney, Australia)
For geographically distributed companies that need to comply with data residency requirements, Afi provides a multi-geo setup option.
Data encryption
All customer data is encrypted at all times: both in transit and at rest. We use TLS 1.3 for all control communications, including data transfer between Afi components, to ensure all traffic is encrypted. When at rest, we use AES 256bit encryption.
Afi also offers a Bring-Your-Own-Key (BYOK) encryption feature for backup data encryption and key management.
Data access
System administrator and end-users (self-service, if it's enabled by administrators) access to the service is possible only through Microsoft, Google identity services that support MFA, or Okta (SAML).
Afi supports advanced data access management capabilities, including granular permissions configuration with per AAD group or Organizational unit access scope, self-service recovery portal for end-users, and an ability to restrict customer administrators access to backup data.
Afi keeps a detailed audit log for all data access operations (exports and restores) in the account available to customer administrators. Audit events are stored for 3 years.
Ransomware protection
Afi detects suspicious file encryption events and notifies customer account administrators about a possible ransomware attack. In case of a confirmed ransomware attack, account administrators can use an in-place (overwrite) restore option to recover from the latest healthy snapshot.
Compliance
Afi complies with major industry regulations and is independently audited as part of the SOC 2 compliance. The shortlist of regulations and frameworks that Afi adheres to includes, but is not limited to GDPR, Privacy Shield, HIPAA, CCPA, NHS Information Governance, PIPEDA, PHIPA.
Check out our compliance page or reach out at privacy@afi.ai if you need more details or have questions about a country- or industry-specific regulation.
If you need to enter into the HIPAA BAA with Afi, please sign our standard BAA form and send it to Afi Sales (sales@afi.ai).
Afi employees and contractors don't have access to customer backup data.
Backup & Resiliency
Afi services are deployed using Kubernetes Engine. High availability and disaster recovery are built-in into Afi's architecture. In case of a component failure, the platform launches additional container instances and redirects the load.
Afi’s backup policies and procedures outline the critical resources, including the databases, that are backed up automatically to enable recovery needed to meet our SLAs. All production data is being replicated automatically to a separate infrastructure. Afi tests its data recovery plan continuously.