Service Overview
Radware's Cloud Web Application Firewall (CWAF) Service protects the Controller’s web applications and APIs (the “Protected Assets”) against Web application layer attacks.
The Service is provided through a global network of distributed Points of Presence (“PoPs”), using an optimized and highly available architecture, securing the customer's Protected Assets from multiple PoP locations, to ensure that they are fully protected.
The Service’s PoPs are located at major traffic hubs with connections to tier-1 ISPs, striving for low latency and minimal impact on Protected Assets’ performance.
The Service features a Service Portal, which provides visibility and self-service management of the Service elements.
Purpose of the Processing
Processing is performed to protect the Customer’s Protected Assets from web application attacks and/or other types of attacks, all pursuant to and for the limited purpose of performing Radware’s obligations set out in the Principal Agreement (as defined in the DPA).
Processing of Data in Transit
The Service processes traffic (legitimate and malicious) targeted at the Protected Assets through a Radware PoP located in the same region as the Protected Assets. However, in case of a large DDoS attack, traffic load balancing, or Service failure (redundancy), attack traffic may be processed at a Radware PoP closer to the attack source.
Data in transit may include all categories of Personal Data. Only application data of malicious activity and malicious actors is decrypted, analyzed, and stored by the Service. Note that, in order to inspect SSL traffic, the Service requires securely uploading SSL keys onto the Service Portal.
Processing of Data at Rest
The Service does not store any information that can directly identify a natural person.
The Service only stores information on malicious actor activity (including malicious source IP addresses and malicious headers), alongside aggregated non-identifiable statistics about legitimate users. Furthermore, the Service allows encryption of malicious source IP values prior to storage.
As a planned roadmap item, the Service will allow storing all Protected Assets data in a location selected by the Customer.
Items of Data at Rest stored by the Service
Category: Protected Assets Data
Data Description: Security event metadata for the purpose of presenting status and statistics to the Customer through the Service Portal, generating reports and managing the Service. The following security alert information is stored:
Attacker/malicious actor information:
- Source IP
- Source country
- User-agent
- Session and cookie data
Attack/malicious activity information:
- OWASP category
- Attack category
- Attacked URL
- Request headers
- Response headers
- Attack payload
- Action taken
Retention Period: 3 months

Category: Audit Log
Data Description: The following operations are stored as part of the Audit Log (resulting from user action or API invocation).
User activity:
- Login
- Logout
- Failed login attempts
- User creation, modification, and deletion
Application configuration changes:
- Application provisioning and deletion
- Network configuration changes
- Security policy modification
Account configuration changes:
- Account provisioning and deletion
- Account settings modifications
Retention Period: 2 years (3 months available for review through the Service Portal)

Category: Account Information
Data Description: Data related to the account protected by the Service.
Subscription:
- Account name
- Subscription period
- Service plan
- Contact information
- Users
Retention Period: Stored as long as the Customer account is active. Deleted once the Customer stops using the Service.
The above data is stored in virtual private cloud (VPC) environments based in the United States (AWS). This data is only accessed by the Customer (and whomever the Customer gives permission to, e.g., a service provider) and by the Radware ERT team (for the purpose of providing the managed Service). The Customer may receive alerts of blocked attacks or view status via the online Service Portal.
Data Subjects
Individuals about whom data is provided to Processor through or in connection with the Service by (or at the direction of) the Customer or by the Customer’s end-users, which may include any natural person who accesses the Customer’s Protected Assets as well as employees, agents or advisors of the Customer.
Duration of the Processing
The duration of the processing is determined by the Principal Agreement or until deletion of all Customer’s Personal Data in accordance with the DPA and the “Retention Period” set forth in the table above.
Processing Locations
Approved Sub-Processor/Affiliate (Company Name): Radware
Company address: Raoul Wallenberg Street 22, Tel Aviv-Yafo, Israel
Approved scope of work: Cloud WAF PoP
Approved Service Locations and addresses:
- Frankfurt (FRA): Weissmuellerstr. 13, 60314 Frankfurt, Germany
- London (LON): 352 Buckingham Avenue, Slough, SL1 4NB, United Kingdom
- Ashburn (ASH): 21715 Filigree Ct, Ashburn, VA 20147, USA
- Singapore (SIN): IBM-SL / Digital Reality - 29A International Business Park, Jurong East, Singapore 609934
- San Jose (SJC): IBM San Jose
- Tokyo (TKO): I2B, 3-4-1 Inukura, Miyamae-ku, Kawasaki-shi, Kanagawa 216-0011, Japan
- Hong Kong (HKG): ROYALE INTERNATIONAL COURIERS LTD, 585-609 CASTLE PEAK ROAD 3RD FLOOR GOODMAN KWAI CHUNG LOGIST HK
- Sydney (SYD-SL): 273 Pyrmont St Ultimo, Sydney NSW 2007, Australia
- Sydney (SYD2): C/639 Gardeners Rd, Mascot NSW 2020, Australia
- Johannesburg (JNB): 5 Brewery Street, Isando, Johannesburg, South Africa
- Tel Aviv (TLV): Ha-Sivim St 49, Petah Tikva, Israel
- Chennai (MAA): IBM Chennai
- Sao Paolo (SAO): IBM Sao Paolo
- Chicago (ORD): 2200 Busse Rd, Elk Grove Village, IL 60007, USA
- Toronto (YYZ): 45 Parliament St, Toronto, ON M5A 2Y5, Canada

Approved Sub-Processor/Affiliate (Company Name): Amazon Web Services (AWS)
Approved scope of work: Operate Cloud Portal
Approved Service Locations and addresses:
- US East: VA, USA

Approved Sub-Processor/Affiliate (Company Name): Microsoft Azure
Approved scope of work: Network Points of Presence (PoPs)
Approved Service Locations and addresses:
- US East: VA, USA
- US North Central: IL, USA
- EU North: Dublin, Ireland
- EU France Central: Paris, France
Industry Standard Certificates
Radware’s Cloud WAF Service complies with the following standards for cybersecurity and privacy:
· ISO 27001 Information Security Management Systems
· ISO 27032 Security Techniques -- Guidelines for Cybersecurity
· ISO 27017 Information Security for Cloud Services
· ISO 27018 Information Security Protection of Personally Identifiable Information (PII) in Public Clouds
· HIPAA Health Insurance Portability and Accountability Act
· PCI-DSS Payment Card Industry Data Security Standard – Service Provider Schedule D
Radware is compliant with ISO 28000 Specification for Security Management Systems for the Supply Chain.
Compliance with these standards is audited annually by third-party auditors.
Customers may find Radware’s latest cybersecurity and privacy certifications and attestations at https://www.radware.com/newsroom/certificationsindustry/
An annual SOC2 type II report is being prepared for Radware’s Cloud Services.