Our service is provided from four regions in order to provide our customers with options where their data is stored, and to enable them to comply with data privacy location requirements.
You can use ACL GRC from anywhere in the world and choose from one of four data centers to store your data:
United States Data Center Canada Data Center Europe Data Center Asia Data Center Australia Data Center
Data is stored and replicated across state-of-the-art data centers operated by Amazon Web Services (AWS). Specifically, data is physically stored in RDS databases on AWS EBS storage blocks attached to dedicated Amazon EC2 server instances.
All equipment at the data centers is fully redundant. AWS data is replicated in real-time to:
At the beginning of your subscription, you can choose your regional data storage to suit your physical, legal, security, or performance needs based on operational needs. All data is encrypted during transmission and at rest within the regional data storage facility.
Our system is provided from the following regions:
When hosted in the United States region, all data and backups are stored and transmitted exclusively within the United States - no exceptions.
When hosted in Canada, Europe, Asia, or Australia, all data and backups are stored exclusively within the single region.
All system users that are managed and stored in ACL Launchpad for all regions are stored exclusively in the United States. Only personally identifiable information in your licensed user profiles will be stored exclusively in the United States region, including:
The system keeps all active or archived customer data continually when you have an active subscription, unless you choose to delete the data.
You can determine:
System settings include the ability for designated system administrators to configure a time period after which archived project data is automatically and permanently deleted, but also allows the same on an ad hoc manual basis.
The vast majority of customers with active subscriptions rely on ACL to retain their data. However, you may choose to extract data for your own offline records as a secondary measure for data retention.
As long as your subscription is active, this step is redundant and not necessary. As an example, if you maintain an active subscription for ten years, you will have ten years of data within the system (unless you choose to delete it).
There are several ways customers (authorized managers or administrators) can extract data at any time:
Customers are responsible for ensuring that only appropriate users are accessing their system and are authorized to do so.
In the unlikely event that an authorized user within your organization maliciously deletes your data, ACL will work with you to investigate and restore the lost data from our system backup, providing the data deleted falls within the one year backup time frame.
Migrating data from one customer data center to another can be a complex process. Although there is no automated process available, customers can:
Most customers do not migrate in-progress projects. Best practice is to leave in-progress projects in the existing source system and start new projects in the new system.
This task can only be completed by Account Admins or Project Manager Admins.
ACL collects only the minimum personally identifiable information necessary for account and system administration purposes. Customer data is considered confidential information, and is handled securely by ACL personnel.
Customer data is never copied to ACL assets outside the production environment, including employee laptops.
Any troubleshooting that needs to be performed on customer data is performed in the customer's environment. When ACL personnel need access to a customer environment, a ticket is generated indicating that Support accessed the instance, why the interaction was necessary, and what work was performed.
Actions by ACL personnel on a customer's system are limited to resolving the customer need, and nothing more. Once a customer is satisfied with the result, and the ticket is closed, access is removed.
Customers own their data 100%, and are responsible for setting retention spans and for deleting unwanted content during the subscribed service and up to 30 days after termination or expiry of their subscription.
Customers have a responsibility to ensure their data is in compliance with applicable policies, regulations, and laws, and ACL has the responsibility to ensure customer data is secure.
For more information on the shared responsibility model, see Policies & Processes.