---

Quality Management System

CloudFerro has implemented Quality Management System based on ISO 9001 and Information Security Management System (ISMS) based on ISO 27001, BSI 200-1 and BSI C5.

CloudFerro quality policy

CloudFerro services are based on a coherent cloud computing system, where CloudFerro provides clients with the most important elements of the IT infrastructure, made available in the service model (IaaS - Infrastructure as a Service).

We follow the principle to satisfy the needs and requirements of our clients as much as possible, by continuously improving the quality of our services. We devote all our efforts to ensuring a constant, high quality of our services.

We strive to make our trademark associated with trust and professionalism, as well as reliable and professional service at every step. We operate so that the requirements of each client are fully implemented correctly. We believe in long-term relationships with clients.

In implementing the above, we pay attention to:

• examination of market development trends to ensure the use of appropriate technologies and obtain the highest level of executed orders,
• staying in constant interaction with our clients, researching and analyzing their needs in terms of meeting their requirements,
• absolute assurance that our services comply with current requirements and all applicable laws,
• ensuring the application of the selection and assessment of suppliers of modern materials and equipment in accordance with the customer's requirements,
• implementation of processes in planned and supervised conditions,
• training of all personnel to provide the required qualifications and motivating to perform quality activities.
• in order to meet the growing legal requirements, integrated Quality Management System and Information Security Management System, according to ISO 9001:2015 and ISO/IEC 27001:2022, BSI 200-1 and BSI C5 have been developed and implemented.

We have established and apply the Quality Policy and procedures implemented in the company. The Quality Management System Policy is known to all employees of the company and is publicly available.

As the management, we declare that we will make every effort to ensure that the Quality Policy is fully implemented.

Information Security Management System

The information security policy conforms to “AIC” paradigm, including data confidentiality, integrity and availability.

ISMS protect both customer’s contracts sensitive data and customer’s data processed in CloudFerro cloud environment. Access to contract information such as personal data, financial conditions, etc. is limited only to authorized CloudFerro personnel, using their individual logins and passwords. Access to information over network is available only via encrypted protocols:

• SSH for secure login to virtual machines
• SFTP/SCP/SSHFS for secure data transfer to and from the VM-s
• HTTPS for secure access to the Dashboard (Horizon) and to the REST API interfaces.

The physical locations of informational assets are under exclusive control of CloudFerro staff. All datacenters used by CloudFerro are ISO 27001 certified.

Confidentiality is focused on preventing sensitive information leakage by ensuring that only the customers are capable of accessing their data using unique private/public key pairs. Centralized identity relies on OpenID based SSO providing authentication. Authorization model implementing separation of Tenants (Domains), Projects, Users, user Roles, service Catalogs and service access Policies is executed by Keystone, the OpenStack Identity Service integrated with SSO. Every cloud management operation performed by a user or an application through the Dashboard or through the API must first be checked for validity with Keystone.

In terms of network and data Security, all customers have preconfigured private networks. They are also able to define additional virtual networks. Private networks are implemented as VLAN-s, which ensure complete separation at OSI layer 2 from all other networks, owned by other users. OpenStack takes care of bridging the VLAN-s to the corresponding VM-s so that they are effectively separated in their private networks.

All the tenant's VM data is by default stored within their private storage area, assigned on per-VM basis, providing data separation between different cloud customers.

User data encryption is provided on two levels: Cloud level encryption, involving AES-256 for security and performance, and User level encryption – up to users’ sole discretion.

All VMs in cloud are equipped with antivirus software.

Integrity of sensitive data is ensured by providing the following mechanisms, whenever applicable:

• simultaneous transactional writing on different physical drives
• access control for different layers (networks, domains, servers, applications, files)
• version control and checksums of critical data
• backups of critical data, tested against accurate restore

Availability is based on redundant infrastructure, starting from disk drives in servers, redundant power supplies, redundant network services, self-healing and fault-tolerant mechanisms, redundant network components (switches, routers, protocols and uplinks), up to redundant datacenter power supply from mains, additionally protected by UPSes and diesel gen-sets.

The processing of personal data is carried out based on processes verified against compliance with the requirements of General Data Protection Regulation.

----------

Below, we present the certificates of the Quality Management System and the Information Security Management System implemented by Cloud Provider.