Service Overview
The Service is a cloud-based service designed to protect the Customer’s data centers, networks and servers (the “Protected Assets”) against Distributed Denial of Service (DDoS) attacks by providing multi-vector DDoS attack detection and mitigation.
The Service is powered by a global cloud security network with dedicated scrubbing centers spread globally (each, a “Radware Scrubbing Center”). Traffic directed at the Customer’s Protected Assets is redirected to a Radware Scrubbing Center. In the Radware Scrubbing Center, the Customer’s traffic is inspected for attempts to flood the network or overwhelm specific application resources and cleaned of malicious DDoS attack traffic, and the remaining clean (legitimate) traffic is forwarded to the Customer’s Protected Assets. Application payload data is not processed or stored by the Processor.
The Service features a Service Portal which provides visibility and self-service management of the Service elements.
Purpose of the Processing
Processing is performed to protect the Customer’s Protected Assets from distributed denial of service (DDoS) attacks; all pursuant to and for the limited purpose of performing Radware’s obligations set out in the Principal Agreement (as defined in the DPA).
Processing of Data in Transit
Cloud DDoS Data Flow – Always-on and Hybrid Always-on:
Traffic (legitimate and malicious) from users of the Protected Assets normally transits through a Radware Scrubbing Center in the same region as the Protected Assets. Attack traffic is scrubbed at that local Radware Scrubbing Center and, in the case of a large DDoS attack, traffic load balancing or a Service failure (redundancy), possibly also at another Radware Scrubbing Center closer to the attack source. Data in transit may include all categories of Personal Data.
Cloud DDoS Data Flow – On-demand and Hybrid On-demand:
Traffic (legitimate and malicious) from users of the Protected Assets normally transits to a data center owned by or operated on behalf of the Customer and hosting the Protected Assets. In the case of a DDoS attack, the traffic is diverted to a Radware Scrubbing Center in the same region as the Protected Assets. Attack traffic is scrubbed at that local Radware Scrubbing Center and, in the case of a large DDoS attack, traffic load balancing or a Service failure (redundancy), possibly also at another Radware Scrubbing Center closer to the attack source. Data in transit may include all categories of Personal Data.
Processing of Data at Rest
The Service does not store any information that can directly identify a natural person.
The Service only stores information on malicious actor activity (including, in some cases, malicious source IP addresses), alongside aggregated, non-identifiable statistics about legitimate users. Furthermore, the Service allows encryption of malicious source IP values prior to storage.
Items of Data at Rest stored by the Service

Category: Protected Assets Data
Data Description: Security event metadata for the purpose of presenting status and statistics to the Customer through the Service portal, generating reports and managing the Service. The metadata includes:
- Malicious source IP addresses
- Traffic statistics (BPS and PPS, i.e. bits and packets per second)
- Attack statistics (vector, sources, destinations)
- Attack type
Retention Period: Deleted by cryptographic erasure after a configurable retention period (default 730 days).

Category: Account Information
Data Description: Data related to the account protected by the Service:
- Account name
- Service plan
- Contact information
- Portal users
- Protected Assets information
Retention Period: Stored for as long as the account is active.

Category: Audit Log
Data Description: Records of the following actions taking place in the Service:
User activity:
- Login
- Logout
- Failed login attempts
- User creation, modification and deletion
Configuration changes:
- Asset activation
- Asset configuration changes
Account configuration changes:
- Account provisioning and deletion
- Account settings modifications
Retention Period: Stored for 6 months.
The above data is stored in virtual private cloud (VPC) environments based in the United States (GCP). This data is accessed only by the Customer (and whomever the Customer gives permission to, e.g., a service provider) and by the Radware ERT (Emergency Response Team), for the purpose of providing the managed Service. The Customer may receive alerts of blocked attacks or view status via the online Service portal.
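The retention entry for Protected Assets Data says the records are deleted by cryptographic erasure, and the paragraph before the table says malicious source IPs can be encrypted before storage. The Python below is an added illustration of how those two mechanisms fit together; it is not Radware's code and says nothing about how the Service actually implements them. The key-per-calendar-month scheme, the HMAC-SHA256 counter-mode keystream, the EventStore class and the sample events are all assumptions made for the example: each month's event records are encrypted under that month's data key, and "erasing" a month means destroying its key, after which the stored ciphertexts are unrecoverable even though they still sit on disk.

```python
"""Illustrative cryptographic erasure of stored malicious-source-IP values.

Added example, not the Service's implementation. Assumed design: one data key
per calendar month; the source IP of each event is encrypted under that key;
enforcing retention destroys expired keys rather than scrubbing every record.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RETENTION_DAYS = 730  # default retention period stated in the table


@dataclass(frozen=True)
class StoredEvent:
    key_id: str        # retention window ('YYYY-MM') whose key encrypted this record
    nonce: bytes       # per-record nonce for the keystream
    ip_ct: bytes       # encrypted packed source IP (4 or 16 bytes)
    attack_type: str   # non-identifying metadata stays in clear


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustrative only;
    a production store would use AES-GCM with keys held in a KMS/HSM)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _window_end(key_id: str) -> date:
    """First day after the calendar month named by key_id ('YYYY-MM')."""
    y, m = (int(p) for p in key_id.split("-"))
    return date(y + 1, 1, 1) if m == 12 else date(y, m + 1, 1)


class EventStore:
    """Assumed event store: records are encrypted under the key of the month they were seen."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}    # key_id -> 32-byte key (would live in a KMS/HSM)
        self.events: List[StoredEvent] = []

    def _key_for(self, key_id: str) -> bytes:
        return self.keys.setdefault(key_id, os.urandom(32))

    def record(self, seen_on: str, src_ip: str, attack_type: str) -> StoredEvent:
        """Store an event; seen_on is an ISO date 'YYYY-MM-DD'. Only the IP is encrypted."""
        key_id = seen_on[:7]
        packed = ipaddress.ip_address(src_ip).packed
        nonce = os.urandom(16)
        ct = _xor(packed, _keystream(self._key_for(key_id), nonce, len(packed)))
        ev = StoredEvent(key_id, nonce, ct, attack_type)
        self.events.append(ev)
        return ev

    def reveal_ip(self, ev: StoredEvent) -> Optional[str]:
        """Decrypt for an authorised viewer; returns None once the window key has been erased."""
        key = self.keys.get(ev.key_id)
        if key is None:
            return None
        plain = _xor(ev.ip_ct, _keystream(key, ev.nonce, len(ev.ip_ct)))
        return str(ipaddress.ip_address(plain))

    def enforce_retention(self, today: str, retention_days: int = RETENTION_DAYS) -> List[str]:
        """Cryptographic erasure: destroy every key whose window ended more than retention_days ago."""
        now = date.fromisoformat(today)
        expired = [k for k in self.keys if (now - _window_end(k)).days > retention_days]
        for k in expired:
            del self.keys[k]   # ciphertexts remain on disk but are now unrecoverable
        return sorted(expired)


if __name__ == "__main__":
    store = EventStore()
    # constructed sample events (documentation addresses, not real attack sources)
    old = store.record("2021-03-10", "198.51.100.7", "SYN flood")
    new = store.record("2023-05-01", "2001:db8::1", "DNS amplification")
    print(store.reveal_ip(old), store.reveal_ip(new))
    print("erased key windows:", store.enforce_retention("2023-06-01"))
    print(store.reveal_ip(old), store.reveal_ip(new))
```

The point a reviewer of the retention clause should take from this: after the key for 2021-03 is destroyed, the attack type and the other clear-text statistics for that month are still readable, only the identifying field is gone. Whether that is enough depends on which fields are encrypted, which is why the table's split between "malicious source IP addresses" and the remaining aggregated statistics matters.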
Data Subjects
Individuals about whom data is provided to the Processor through or in connection with the Service by (or at the direction of) the Customer or by the Customer’s end-users, who may include any natural person who accesses the Customer’s Protected Assets as well as employees, agents or advisors of the Customer.
Duration of the Processing
The duration of the processing is determined by the Principal Agreement or until deletion of all Customer’s data in accordance with the DPA and the “Retention Period” set forth in the table above.
Processing Locations

Approved Sub-Processor/Affiliate: SecurityDAM
Company address: Raoul Wallenberg Street 24, Tel Aviv-Yafo, Israel
Approved scope of work: DDoS Scrubbing Center
Approved Service Locations:
- Frankfurt (FRA): Hanauer Landstraße 298, 60314 Frankfurt, Germany
- London (LON): 352 Buckingham Avenue, Slough, Berkshire, London, UK
- Ashburn (ASH): 21715 Filigree Court, Ashburn, VA
- Dallas (DFW): Infomart, 1950 N Stemmons Fwy #1034, Dallas, TX
- San Jose (SJC): 11 Great Oaks Blvd, San Jose, CA
- Tokyo (TKO): Financial Center North Tower, 1-9-5 Otemachi, Chiyoda-ku, Tokyo, Japan
- Hong Kong (HKG): 399 Chai Wan Road, Hong Kong
- Sydney (SYD): 639 Gardeners Road Unit B, Mascot 2020, Sydney, Australia
- Seoul (KOR): 36, Jangmi-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, South Korea
- Johannesburg (JNB): 5 Brewery Street, Isando, Johannesburg, South Africa
- Tel Aviv (TLV): 27 HaBarzel Street, Tel Aviv-Yafo
- Sao Paulo (GRU): Av. Marcos Penteado de Ulhôa Rodrigues, 249 - Res. Tres (Tambore), Santana de Parnaíba, Sao Paulo, Brazil
- Chennai (MAA): F-8 SIPCOT IT Park, Siruseri, Navallur, Kancheepuram District, Chennai, 603103, India
- Amsterdam (AMS): Science Park 610, 1098 XH Amsterdam, Netherlands

Approved Sub-Processor/Affiliate: Google Cloud - GCP
Approved scope of work: Operate Cloud Portal
Approved Service Locations:
- US - East: VA, USA
Industry Standard Certifications
Radware’s Cloud DDoS Protection Service complies with the following standards for cybersecurity and privacy:
· ISO 27001 Information Security Management Systems
· ISO 27032 Security Techniques – Guidelines for Cybersecurity
· ISO 27017 Information Security for Cloud Services
· ISO 27018 Protection of Personally Identifiable Information (PII) in Public Clouds
· HIPAA Health Insurance Portability and Accountability Act
Radware is also compliant with ISO 28000 Specification for Security Management Systems for the Supply Chain.
A SOC 2 Type II report is available covering calendar year 2020.
Compliance with these standards is audited annually by third-party auditors.
Customers may find Radware’s latest cybersecurity and privacy certifications and attestations at https://www.radware.com/newsroom/certificationsindustry/.