Alkira System Description

Alkira virtual exchange points are distributed globally and deployed in different high availability zones for availability and redundancy. They can be scaled up by customers to meet the required throughput and performance.

Alkira uses security tools to scan our internal environment, system and services. We also engage professional security vendors to perform third-party penetration tests and audits of our environment on an annual basis, respectively, while internal system scans are performed weekly. Alkira service is hosted in multiple data centers to provide redundancy, and the data centers are geographically distributed regions and are highly redundant in themselves.

A subset of Alkira’s Personnel has access to customer data as necessary to support the platform. Individual access is granted based on the role and job responsibilities of the individual. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis.

Our solution is hosted on cloud providers like (AWS, Azure and GCP) infrastructure. Cloud providers are responsible for the security of the underlying cloud infrastructure and Alkira takes the responsibility of securing workloads we deploy inside the cloud infrastructure. Cloud providers monitor and audit computing environments continuously, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Any device storing any data is subjected to data-at-rest encryption. Thus, a decommissioned device cannot be misused.

Alkira makes use of per-customer, virtual database instances to logically separate one customer’s data from other customers’ data. When a customer stops using the service, Alkira destroys the corresponding virtual database instance. Any customer data that is identified and cataloged by Alkira as personal data is converted to an irreversible hash and stored in the virtual database instance for that customer. Personal data is not captured in clear-text in logs or databases.

The Alkira platform provides broad functionality of network and service orchestration through role-based access control. It is provided as a multi-tenant, cloud-based service, accessible on the internet via web browsers such as Chrome, Firefox, etc. As a user of the Alkira platform, customers should be proactive in recognizing the value and sensitivity of the information provided by the service as well as the need to safeguard such data appropriately. Customers should also make sure that they have access to the policy enforcement capabilities. This document details Alkira’s customer responsibilities as they relate to use of the Alkira platform. It is the responsibility of Alkira customers to familiarize themselves with the information and procedures set forth below and comply with them.

To safeguard information assets and policy enforcement capabilities available in the Alkira platform, the customers’ IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their Alkira platform account credentials. As with most cloud services, access to the Alkira platform requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization subscribes to the Alkira platform service, it is the customer’s responsibility to manage which end users should be given access. Customers should also define when access should be taken away from the end users. For example, access should be revoked upon end user’s separation from employment or as part of departmental changes that result in change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Alkira platform service.

Alkira’s platform service should be considered sensitive and confidential by Alkira platform users. Users should follow information security best practices in ensuring access to their account credentials is appropriately limited, as well as ensuring that the information and functionality provided by the Alkira platform service is protected and restricted from unauthorized use. Alkira platform users are responsible for maintaining the security and confidentiality of their user credentials (e.g., Login ID and Password), and are responsible for all activities and uses performed under their account credentials whether authorized by them or not. By establishing user credentials and accessing the Alkira platform, end users of the Alkira platform service agree to comply with these requirements to safeguard assets and account information.

Alkira service can be terminated by reaching out to [email protected]. Customers are required to delete all the resources configured through the portal before service can be terminated. These resources include but are not limited to IPSec, SDWAN, and direct connect connectors extending to branches, data centers, or SD-WAN environments, network services that they have deployed, and VPC/VNETs connecting public cloud environments.

Alkira platform service is accessible to public IP addresses on global Internet, as a result, great care must be exercised by Alkira platform users in protecting their subscription against unauthorized access and use of their credentials. By establishing user credentials and accessing the Alkira platform service, end users agree to proactively protect the security and confidentiality of their user credentials and never share service account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their Alkira platform accounts. Any loss of control of passwords or user identifications could result in the loss of “Personally Identifiable Data (PII)” and the culpable account owner(s) may be liable for the actions taken under their service account credentials whether they authorized the activity or not. Additionally, when establishing Alkira platform account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be easily guessable.

All Alkira services are monitored 24×7 to meet our SLA commitments. All planned maintenance will be done as per the scheduled plan which will be communicated to the customer when they sign up for the service. If there is a need to do an emergency maintenance for a vulnerability or bug fix, we will notify customers prior to the work being performed. To get updates in real-time, customers can subscribe to email notifications. On the occasion that Alkira customers observe performance issues, problems or service outages, they can contact [email protected] or open a support ticket to report such issues.

By establishing Alkira platform account credentials or accessing its service, customers agree to notify Alkira immediately of any security incident, including any suspected or confirmed breach of security. Also, users of the service agree to logout or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion. Alkira customers should also notify Alkira immediately if they observe any activity or communications in other forums that may indicate that other Alkira customers have had their accounts compromised. Lastly, Alkira encourages users to practice responsible disclosure by notifying Alkira of any identified security vulnerabilities. Alkira is dedicated to providing secure services to clients, and will triage all security vulnerabilities that are reported. Furthermore, Alkira will prioritize and fix security vulnerabilities in accordance with the risk that they pose.

Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Alkira users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.

Alkira is dedicated to keeping its cloud platform safe from all types of security issues thereby providing a safe and secure environment to our customers. Data security is a matter of utmost importance and a top priority for us. If you are a dedicated security researcher or vulnerability hunter and have discovered a security flaw in the Alkira platform including the cloud application and infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Alkira. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not known to us. While reporting the security vulnerability to Alkira Security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission. Please provide the complete details. We determine the impact of vulnerability by looking into the ease of exploitation and business risks associated with the vulnerability.

As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Alkira security commits to:

• Acknowledge the receipt of reported security vulnerability in a timely fashion
• Notify you when the vulnerability is remediated
• Extend our gratitude by providing a token of appreciation in supporting us to make our customers safe and secure

We may retain your personal information as long as you continue to use the Services, have an account with us, or for as long as is necessary to fulfil the purposes outlined in the policy. You can ask to close your account by contacting us at the details above, and we will delete your personal information upon request. We may, however, retain personal information for an additional period as is permitted or required under applicable laws, for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes.

We do not transfer Personal Data for monetary consideration. If you would like to tell us not to sell your information in the future please email us at [email protected] with your name, postal address, telephone number and email address with “Nevada do not sell” in the subject line.

The Policy in effect at the time you use the Site governs how we may use your information. Our business may change from time to time. As a result, at times it may be necessary for Alkira to make changes to this Privacy Policy. Alkira reserves the right to update or modify this Privacy Policy at any time and from time to time without. If we make material changes we will post the updated policy on this page with an updated Effective Date. Please check back here from time to time to review this policy, and especially before you provide Your Data to Alkira through the site or by registering to the service. Your continued use or access to the Site and the Services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy.

For Privacy related inquiries, please contact us at [email protected].