CloudSphere
Security Policy

Security is at the Core of Everything We Do

As a company operating in the cybersecurity space, we uphold the highest security standards not only for our clients, but also for CloudSphere's own systems and internal operations.

Last updated: 28 June 2026

TLS 1.3

Minimum Encryption

AES-256

Data at-rest Encryption

72 hrs

Incident Notification

ISO 27001

Reference Standard

Infrastructure Security

The CloudSphere platform is built on a secure infrastructure foundation with layered controls:

Transit Encryption

TLS 1.3 for all data communications between clients and servers

Storage Encryption

AES-256 for all data stored on disk and in databases

Certified Hosting

Infrastructure hosted in ISO 27001-certified tier-3 data centers

Network Protection

Firewall, WAF (Web Application Firewall), and intrusion detection and prevention systems (IDS/IPS)

Automated Backups

Daily backups with 30-day retention and periodic recovery testing

24/7 Monitoring

Real-time security and anomaly monitoring around the clock

Access Control

  • Multi-Factor Authentication (MFA): Required for all administrator accounts and access to production systems.
  • Role-Based Access Control (RBAC): Each user only has the access needed for their role (principle of least privilege).
  • Periodic Access Reviews: Access rights audits and reviews are conducted quarterly to ensure no excessive access exists.
  • Immutable Audit Logs: All access to production data is recorded in an immutable audit trail.
  • Network Segmentation: Production, development, and administrative systems are separated into distinct networks.
  • Strict Session Management: Sessions automatically expire after periods of inactivity, with refresh tokens rotated on a regular schedule.

Secure Software Development Lifecycle (Secure SDLC)

Security is integrated at every stage of our software development, not added as an afterthought at the end:

Design

  • Threat modeling for every new feature
  • Mandatory security design review before implementation

Development

  • Standardized secure coding guidelines and code style
  • Mandatory code review by at least one other developer before merge

Testing

  • SAST (Static Application Security Testing) integrated into CI/CD pipeline
  • Automated dependency scanning for vulnerabilities in third-party libraries
  • DAST (Dynamic Application Security Testing) on staging environment

Deployment

  • External penetration testing at least once per year by an independent party
  • Security configuration review before every major release

People Security

  • Background Check: Background screening is conducted for all employees and partners with access to sensitive systems.
  • Mandatory Security Training: All team members complete information security and phishing awareness training at least once a year.
  • Non-Disclosure Agreement (NDA): All employees, contractors, and partners sign an NDA before beginning any engagement.
  • Device Policy: Full disk encryption and automatic screen lock are mandatory on all devices used for work.
  • Offboarding Procedure: All access is revoked immediately on the first day of resignation or termination, following a standardized procedure.

Security Incident Management

CloudSphere has a documented and periodically tested incident response procedure. If a security incident occurs that affects your data:

0–24 hrs

Detection & Containment

Identification, incident containment, and internal notification to the incident response team.

24–72 hrs

Customer Notification

Written notification to affected Customers in accordance with UU PDP No. 27/2022 obligations.

Ongoing

Investigation & Mitigation

In-depth analysis, remediation, and periodic status updates to affected parties.

Post-Incident

Post-Mortem & Improvement

Complete post-mortem report and implementation of improvements to prevent recurrence.

Compliance & Reference Standards

CloudSphere's platform and operations are designed, developed, and operated in accordance with the following information security standards and regulations:

ISO/IEC 27001

Information Security Management System (ISMS) — the primary framework for our security governance

UU PDP No. 27/2022

Indonesian Personal Data Protection Law — compliance standard for data processing

POJK 11/2022

OJK cybersecurity regulation for the financial services sector

NIST CSF 2.0

Cybersecurity risk management framework from the National Institute of Standards and Technology

OWASP Top 10

Web application security standard applied in our development process

CIS Controls

Critical Security Controls as a guide for prioritizing technical security controls

Responsible Disclosure Policy

We believe that collaboration with the security community makes everyone safer. If you discover a vulnerability in CloudSphere's systems or services, we invite you to report it responsibly.

In Scope

  • CloudSphere website and web platform (cloudsphere.id and all active subdomains)
  • CloudSphere API endpoints used for the Services
  • CloudSphere mobile applications (if available)
  • Infrastructure that directly supports the operation of the Services

Out of Scope

  • Integrated third-party services (governed by their own security policies)
  • Social engineering attacks against our employees or customers
  • Denial of Service (DoS/DDoS) attacks or volume/load testing
  • Already-known vulnerabilities or those currently being remediated
  • Vulnerabilities in legacy software versions that are no longer supported

How to Report

Submit your vulnerability report by email to security@cloudsphere.id with the subject line [SECURITY REPORT]. Please include the following information:

  • Vulnerability description, category (e.g. XSS, SQLi, IDOR), and potential business impact
  • Clear, detailed steps to reproduce the issue
  • Proof of Concept (PoC) without destroying, accessing, or exfiltrating real data
  • Your contact information for follow-up and confirmation

Our Commitment to You

2 business days

Acknowledgment of your report

7 business days

Investigation status update

Safe harbor

No legal action for good-faith reports

Optional

Public credit acknowledgment if you wish

Security Contact

For general security questions not related to vulnerability reporting, please contact our team:

CloudSphere Security Team

Security Email: security@cloudsphere.id

General Email: hello@cloudsphere.id

For non-security questions, use our Contact Us page.
