Trust is at the core of everything we do. Before helping customers streamline complexity, we ensure our own systems are secure, compliant and resilient.
EternaCloud’s teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Our security and governance practices are anchored by the following foundational principles:
Controlled Access
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
Layered Security
Security controls should be implemented and layered according to the principle of defense-in-depth.
Third Party Verified Controls
EternaCloud maintains SOC 2 Type II and GDPR attestation and compliance. For detailed information about our SOC 2 Type II and GDPR controls, please visit our Trust Center.
EternaCloud maintains compliance with:
Uniform Enforcement
Security controls should be applied consistently across all areas of the enterprise.
Evolving Controls
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
All sensitive and operational data at EternaCloud is encrypted at rest using AES-256 or stronger protocols, covering production databases, storage volumes, backups, and logs.
Encryption ensures that data cannot be read through either physical or logical access without proper authorization. Data classification and role-based access controls limit who can retrieve protected data.
Portable media is encrypted, and decommissioned devices are securely wiped or destroyed in accordance with policy.
Data in transit
EternaCloud encrypts all customer and internal service data in transit using TLS 1.2 or higher. HTTPS is enforced across external-facing systems using strong cipher suites and HSTS. TLS certificates are managed and rotated automatically through Azure.
Internal communications between APIs, services, and infrastructure use mutual TLS (mTLS) or equivalent secure channels. Authentication credentials and session tokens are encrypted in transit. Segmentation and routing controls reduce the risk of lateral movement.
Secret management
Encryption keys are managed via Microsoft Azure Key Vault. Key Vault stores key material in FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Microsoft and EternaCloud. The keys stored in HSMs are used for encryption and decryption through Azure’s cryptographic APIs.
Application secrets are encrypted and stored securely via Azure Key Vault and Azure App Configuration, and access to these values is strictly limited to approved roles and services. Role-based access control is enforced through Azure Active Directory, and all usage is logged and monitored for anomalies.
Service Security
Penetration testing
EternaCloud partners with an independent penetration testing firm to conduct in-depth assessments of our cloud infrastructure and application layer at least annually. These assessments are comprehensive, with full source code access provided to maximize effectiveness and coverage.
All production systems, APIs, and environments are in-scope. Test results are documented, and findings are tracked through formal remediation processes aligned with our Risk Management and Secure Development policies.
Vulnerability scanning
Security testing is integrated into every stage of our Secure Development Lifecycle (SDLC):
SAST: Code is scanned at the pull request level and during CI/CD processes to detect insecure coding patterns early.
SCA: Software composition analysis identifies known vulnerabilities in third-party libraries and tracks licensing issues.
EASM: External Attack Surface Management tools continuously monitor for newly exposed assets or misconfigurations in our public-facing footprint.
Network Scanning: Periodic network vulnerability scans are performed on internal and external-facing systems.
Enterprise Security
Endpoint protection
All EternaCloud corporate devices are centrally managed using Mobile Device Management (MDM) solutions. Devices are configured to enforce full disk encryption, screen lock policies, and automatic software updates. Anti-malware protections are deployed on all endpoints, and device inventories are continuously monitored. Security alerts are reviewed 24/7 as part of our always-on incident response coverage.
Secure remote access
Remote access to EternaCloud systems is secured using encrypted VPN tunnels and protected by multi-factor authentication (MFA). Employee access is role-based and provisioned only to approved personnel. All remote activity is logged, monitored, and segmented by access group to prevent lateral movement and ensure traceability.
Security education
Security education is embedded into the employee lifecycle at EternaCloud. All new hires complete onboarding security training, which covers company policies, secure practices, and their responsibilities for protecting information. Annual refreshers are mandatory for all staff. Engineers also receive specialized training focused on secure coding principles and practices as part of their technical onboarding.
The security team regularly shares updates and threat briefings to keep employees informed of emerging risks. Phishing simulations and social engineering awareness exercises are conducted periodically to help reinforce vigilance across the organization.
Identity and access management
Identity and access management at EternaCloud is centralized and policy-driven. We use Microsoft Entra (Azure Active Directory) for single sign-on (SSO), user lifecycle management, and role-based access control (RBAC) across all systems and services.
Multi-factor authentication (MFA) is enforced for all accounts, using secure methods such as authenticator apps and platform-native security keys. Access permissions are granted based on defined roles and business need, and are automatically revoked upon role change or employee departure. Administrative access requires elevated review and is logged for audit and compliance purposes.
Vendor Security
EternaCloud uses a risk-based approach to our vendor and third-party security. Factors that determine the inherent risk of a vendor include:
Access to customer or company data
Integration with production systems or environments
Potential operational or reputational impact
Each of our vendors undergoes a security and privacy evaluation prior to onboarding. Based on the risk rating, EternaCloud assigns appropriate controls and requirements, including contractual obligations for data handling, security certifications, and compliance adherence. High-risk vendors are reviewed at least annually to reassess their controls and confirm alignment with our Third-Party Management Policy.
Data Confidentiality & Privacy
Data confidentiality and privacy is not just a regulatory obligation at EternaCloud—it’s in our core.
Privacy commitment
EternaCloud maintains a comprehensive GDPR compliance program supported by a robust Privacy Policy and internal controls. Data subject rights—such as access, correction, and deletion. Our service is designed with data minimization and purpose limitation in mind, ensuring that only necessary personal data is collected, used, and retained.
Data ownership
Customers retain ownership of their data. EternaCloud only accesses and processes customer data as required to deliver our services, under strict access controls and in accordance with our Data Processing Agreement and applicable laws.
Data residency
Customer data is stored in Azure-hosted environments located in the United States and the European Union. Data residency is determined based on customer needs and compliance requirements.
Responsible Security Disclosure
We welcome reports of potential security vulnerabilities or concerns from both external researchers and our customers. If you believe you’ve discovered a security issue in our platform, whether technical or operational, we encourage you to report it.