Afi is hosted as a distributed container-based application in Google Cloud Platform (GCP) in the USA, Canada, the EU, the United Kingdom, and Australia. These Google facilities hold all major security and data privacy accreditations, including SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2.
Afi users can select the data storage location when they initially sign up for the Afi SaaS backup trial. There are five available locations:
- USA: Google datacenter us-central1 (Council Bluffs, Iowa, USA)
- United Kingdom: Google datacenter eu-west2 (London, England)
- Netherlands: Google datacenter eu-west4 (Eemshaven, Netherlands)
- Canada: Google datacenter northamerica-northeast1 (Montreal, Canada)
- Australia: Google datacenter australia-southeast1 (Sydney, Australia)
For geographically distributed companies that need to comply with data residency requirements, Afi provides a multi-geo setup option.
All customer data is encrypted at all times, both in transit and at rest. We use TLS 1.3 for all control communications, including data transfer between Afi components, to ensure all traffic is encrypted. For data at rest, we use AES 256-bit encryption.
Afi also offers a Bring-Your-Own-Key (BYOK) encryption feature for backup data encryption and key management.
System administrators and end users (for self-service, if administrators have turned it on) can access the service only through Microsoft or Google identity services that support MFA, or through Okta (SAML).
Afi supports advanced data access management capabilities, including granular permissions configuration with a per-AAD-group or per-organizational-unit access scope, a self-service recovery portal for end users, and the ability to restrict customer administrators' access to backup data.
Afi keeps a detailed audit log of all data access operations (exports and restores) in the account, and the log is available to customer administrators. Audit events are stored for 3 years.
Afi employees and contractors don't have access to customer backup data.
Afi detects suspicious file encryption events and notifies customer account administrators about a possible ransomware attack. In case of a confirmed ransomware attack, an account administrator can use an in-place (overwrite) restore option to recover from the latest healthy snapshot.
Afi complies with major industry regulations and is independently audited as part of its SOC 2 compliance. The shortlist of regulations and frameworks that Afi adheres to includes, but is not limited to, GDPR, Privacy Shield, HIPAA, CCPA, NHS Information Governance, PIPEDA, and PHIPA.
Backup & Resiliency
Afi services are deployed using Kubernetes Engine. High availability and disaster recovery are built into Afi's architecture. In case of a component failure, the platform launches additional container instances and redirects the load.
Afi's backup policies and procedures outline the critical resources, including the databases, that are backed up automatically to enable the recovery needed to meet our SLAs. All production data is replicated automatically to a separate infrastructure. Afi tests its data recovery plan continuously.