Data Security Policy


  • GENERAL
  • This Product and Service Data Security Policy is PT Datacomm Diangraha's ("Datacomm") commitment to protect any data or personal information of Customers using Datacomm Services, including Services on the Datacomm site at www.dcloud.co.id and its subsidiaries and affiliates, derivative sites, and without limitation Datacomm Services available on Datacomm mobile applications.


  • DATA OWNERSHIP
  • As between the parties, the Customer retains all rights, title, and interest in and to Customer Data. Datacomm has no rights to Customer Data other than those granted by the Customer. Datacomm will use and otherwise process Customer Data only to:

    • Provide Products and Services to the Customer according to information documented in product or Service details.
    • Support business operations in handling requests or incidents in providing Products and Services to the Customer.
    • Improve Products and Services for the Customer.

  • DISCLOSURE OF PROCESSED DATA
  • Datacomm will not disclose or provide access to any Processed Data except:

    • As directed by the Customer.
    • As required by law.

    For purposes of this section, "Processed Data" means:

    • Customer Data;
    • Product and Service Data;
    • Personal Data; and
    • Any other data processed by Datacomm in connection with Products and Services used by the Customer.

    Datacomm will not disclose or provide access to any Processed Data to anyone unless required by law.

    If law enforcement contacts Datacomm with a request for Processed Data, Datacomm will attempt to refer law enforcement to request such data directly from the Customer. If Datacomm must disclose or provide access to any Processed Data to law enforcement, Datacomm will promptly notify the Customer and provide a copy of the request unless prohibited by law.

    Upon receiving a request from any other third party for Processed Data, Datacomm will promptly notify the Customer unless prohibited by law. Datacomm will deny the request unless required by law to comply. If the request is valid, Datacomm will attempt to direct the third party to request the data directly from the Customer.


    Datacomm will not provide any third party with:

    • Direct, indirect, full, or unrestricted access to Processed Data;
    • The encryption keys used to secure Processed Data or the ability to break such encryption; or
    • Access to Processed Data if Microsoft knows that the data will be used for purposes other than those stated in the third-party request.
      To support the above, Microsoft may provide the Customer's basic contact information to the third party.

  • DATA SECURITY
    • SECURITY PRACTICES AND POLICIES
      • Datacomm will ensure and prepare appropriate technical and organizational measures to protect Customer Data, and personal data that is transmitted, stored, or otherwise processed, against unlawful or accidental destruction, loss, alteration, unauthorized disclosure, or access.
      • These measures meet the requirements set out in ISO 27001 and PCI DSS.

    • CUSTOMER DATA PROTECTION MEASURES
    • Datacomm is committed to ensuring Customer Data is secure. To prevent unauthorized access, Datacomm has put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the data we store.


      Physical Protection:

      • Building entrance gate with RFID card.
      • Parking gate with RFID card.
      • Datacenter entrance with RFID card and biometric key.
      • Fire suppression system.

      Electronic Protection:

      • Cryptography

        The process of encoding information from its original form (plaintext) into ciphertext that is not understandable.

      • Redundant System

        Duplication of critical components or functions of a system to increase reliability and availability, typically in the form of backups or fail-safe mechanisms, or to improve system performance.

      • EDR (Endpoint Detection and Response)

        An integrated endpoint security solution that combines continuous real-time monitoring and data collection at endpoints with rules-based automated response and analytical capabilities.

      • DLP (Data Loss Prevention)

        A set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.

      • Firewall

        A network security device that monitors incoming and outgoing network traffic and allows or blocks data packets based on a set of security rules. The goal is to create a barrier between the internal network and external traffic (such as the internet) to block harmful traffic like viruses and hackers.

      • IPS/IDS (Intrusion Prevention System/Intrusion Detection System)

        A network security tool (hardware or software) that continuously monitors the network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it when it occurs.

      • Security Information and Event Management System (SIEM)

        A software solution that collects and analyzes activity from various resources across the IT infrastructure. SIEM collects security data from network devices, servers, domain controllers, and more.

      • Identity and Access Management System (IAM)

        A solution to manage user access and identities across IT resources (such as systems, applications, and networks). IAM can identify, authenticate, and grant appropriate access to users who use IT resources. It ensures that the users who access resources are the right people, at the right time, and for the right purpose.

      • Anti DDoS (Distributed Denial of Service)

        A solution to handle DDoS attacks that flood networks with traffic.

      • WAF (Web Application Firewall) in Cloud Infrastructure

        A solution to prevent DDoS attacks that target web applications and use protocol attacks in cloud infrastructure.


      Related Security Functions:

      • Building Security Department.
      • Security Operations Centre (SOC).

      Procedures and documents:

      • Information Security Management System Plan.
      • Security Incident SOP.
      • Non-Disclosure Agreement.
      • Data Access Permission Form.
      • Information Security Risk Management.

      Implementation of International Information Security Standards:

      • ISO 27001

        A standard published by the International Organization for Standardization (ISO) in cooperation with the International Electrotechnical Commission (IEC), focusing on information security management systems (ISMS), and considered a global best practice for implementing information security.

      • PCI DSS (Payment Card Industry Data Security Standard)

        A comprehensive set of requirements that must be met by businesses that handle credit and debit card payments, regardless of size or transaction volume. The standard helps reduce the likelihood of financial identity theft, fraudulent payments, and unauthorized transactions.


      Supporting activities performed periodically in Cloud infrastructure:

      • Vulnerability Assessment (VA)

        A process to identify, evaluate, and classify the severity of security vulnerabilities in an information technology system based on potential risk.

        This process provides insight into which vulnerabilities are more likely to be exploited so system administrators can quickly patch the most risky weaknesses before attackers exploit them.

      • Penetration Testing (PT)

        A simulated attack against an organization's information technology system to find weaknesses in the system.

  • DATA ENCRYPTION
  • Data transfers over public networks between the Customer and Datacomm datacenter services are encrypted by default.
    However, the Customer may install third-party applications that allow data transfers without encryption to the Customer's VM in the Datacomm datacenter. Therefore, the Customer is responsible for the security of such data transfers.
    Datacomm also provides "at rest" encryption for Customer Data in Datacomm datacenters.


  • ACCESS TO DATA
  • Datacomm uses least-privilege access control mechanisms for Customer Data. Role-based access control is used to ensure that access to Customer Data required for service operations is for appropriate and Customer-approved purposes under management oversight.


  • CUSTOMER RESPONSIBILITIES
  • The Customer is fully responsible for making independent decisions about whether the technical and organizational measures for Products and Services meet the Customer's requirements.
    The Customer acknowledges and agrees that (considering the current state, implementation costs, and the nature, scope, context and purposes of data processing, as well as risks to individuals) Datacomm's security practices and policies provide an appropriate level of security for the Customer's data.
    The Customer is responsible for implementing and maintaining privacy protections and security measures for components provided or controlled by the Customer.


  • AUDIT COMPLIANCE
  • Datacomm will perform security audits of the systems and datacenters it uses to process Customer Data as follows:

    • If standards or frameworks require such audits, at least once a year.
    • Each audit will be conducted in accordance with the standards and rules of the governing or accreditation bodies for each applicable control standard or framework.
    • Each audit will be conducted by a qualified and independent third-party security auditor selected and paid by Datacomm.

    Each audit report will be provided by Datacomm at a (link) or other location identified by Datacomm.
    These audit reports are Datacomm Confidential Information because they clearly reveal any material findings by the auditor.
    Datacomm will promptly remediate findings raised in the audit report. If needed, Datacomm will provide each audit report to the Customer subject to Datacomm and auditor confidentiality and distribution restrictions.

    If the Customer needs Datacomm to perform additional audit-related activities, before the audit begins, the Customer and Datacomm will agree on scope, timing, duration, controls and evidence requirements, and audit costs, provided that approval requirements do not unreasonably delay Datacomm's audit performance and Datacomm has full rights to refuse additional activities without any consequences.


  • SECURITY INCIDENT NOTIFICATION
  • If Datacomm becomes aware of a security breach causing destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data that is unlawful or unintended while processed by Datacomm (each a "Security Incident"), Datacomm will promptly and without undue delay (1) notify the Customer of the Security Incident; (2) investigate the Security Incident and provide detailed information to the Customer; (3) take necessary steps to mitigate effects and minimize damage caused by the Security Incident.

    Security Incident notifications will be sent to the Customer by any method chosen by the Customer, including email. The Customer is fully responsible for ensuring that contact information is accurate for each applicable Product and Service. The Customer is fully responsible for complying with applicable incident notification laws and fulfilling third-party notification obligations related to any Security Incident.

    Datacomm's notification or response to a Security Incident under this section is not an admission of fault or liability for the Security Incident. The Customer must promptly notify Datacomm of possible misuse of its account or authentication credentials or any security incident related to the Products and Services.


  • DATA TRANSFER AND LOCATION
  • Customer Data processed by Datacomm on behalf of the Customer must not be transferred to, stored, or processed in other geographic locations without Customer consent.
    Datacomm will store Customer Data at rest in the primary geographic region specified in the relevant Product or Service details.
    Datacomm does not control or restrict the regions where the Customer or its end users can access or move Customer Data.


  • DATA RETENTION AND DELETION
  • During the applicable subscription term, the Customer will have the ability to access, extract, and delete Customer Data stored in each Service.

    Customer Data that is no longer needed and has exceeded the retention period will be destroyed by removing some or all files, including electronic and non-electronic forms.
    In principle, Customer Data will be deleted after the contract ends, and such deletion is subject to the Customer's consent or objection.

    If required by law, Datacomm will retain Customer Data according to applicable legal requirements.


  • CUSTOMER DATA COMPLAINTS
    • If the Customer has a complaint about Customer Data handling, the Customer can submit it by email to: [email protected].
    • Complaints must include the Customer's identity and the nature of the complaint related to the relevant service.
    • Datacomm will follow up on such complaints and provide a response.
  • DATA SECURITY POLICY UPDATES
    • Datacomm may change or update this Data Security Policy at any time.
    • Users agree to read and revisit this Data Security Policy page from time to time to learn about changes. As long as the Customer accesses and uses Datacomm services, the Customer is deemed to agree to changes in this Data Security Policy.
