Security Whitepaper

Cloudasta’s Commitment to Security
Cloudasta takes security very seriously. Operating as a Google Workspace Premier Partner, Reseller, and Managed Migration specialist requires an elevated position of trust. We are committed to protecting our customers' information from any data exposure by reinforcing enterprise-grade security standards and minimizing risk through strict architectural isolation.
Below is an overview of how we secure our infrastructure, manage your data, and handle compliance.

Security Protocols

Compliance & Frameworks
SOC 2 Certification Progress
We are currently in the process of obtaining our SOC 2 credential and expect to be SOC 2 Type 2 compliant by Q1 2027.
Rigorous Internal Standards
In the meantime, we maintain strict internal security standards to ensure continuous compliance and infrastructure security.
Google Cloud Platform (GCP) Foundation
All of our architecture and proprietary tools are deployed exclusively through GCP, which is fully SOC 2 compliant.
GDPR & Privacy Compliance
We fully comply with GDPR, as well as Google’s specific policies regarding Sensitive and Restricted scopes and Limited Use requirements.
Architecture & Infrastructure Security
Zero Trust Model
We operate on a strict Zero Trust security model to protect internal infrastructure against breaches.
Blast Radius Containment
We maintain strict architectural isolation by separating our corporate domain (cloudasta.com) from our highly privileged customer reseller environment (reseller.shuttlecloud.com). No internal applications, compute engines, or third-party servers are hosted directly inside the reseller environment, so an attacker would be contained if a corporate tool were ever compromised.
Data Encryption at Rest
Data stored in our Google Cloud SQL (MySQL) instances is encrypted by default using AES-256.
Data Encryption in Transit
All data in transit is encrypted using TLS, with application traffic over HTTPS and database connections strictly enforced over TLS.
Data Location & Residency
By default, migrations use secure GCP regions and all data remains strictly within the United States throughout the migration process. For international clients or those with strict GDPR requirements, we can explicitly provision migration infrastructure within specific global regions (e.g., Europe, UK, Asia-Pacific).
Authorization and Access Control
Secure Engineer Access
Our team members access client environments exclusively through secure, cloud-based virtual machines hosted in GCP.
Immutable Audit Logging
All partner access is performed through Google Admin, which maintains a full, immutable audit log of every login and action performed. Clients retain 100% visibility into these logs throughout the project.
Mandatory Internal SSO
Single Sign-On (SSO) is mandatory for all internal tools using Google Workspace as our Identity Provider.
Enforced 2-Step Verification (2SV)
2-Step Verification (2SV) is strictly enforced for all Cloudasta employees to prevent unauthorized access.
Migration Data Retention Policy
Strict Temporary Storage
We do not persistently store customer data. Data is cached in databases temporarily to speed up migrations, but direct access to this data by engineers is not possible.
1-Week Deletion Guarantee
Customer data is kept for a maximum of 1 week after project completion before it is completely and permanently deleted.
Infrastructure Decommissioning
Upon project completion, all temporary metadata is automatically deleted, and any virtual machines or custom scripts created for your project are fully decommissioned.
Billing & Third-Party Payments
Zero Payment Storage
Cloudasta does not store or have access to any customer payment or credit card information.
PCI-Certified Processing
All payment data is processed securely through PCI-certified third-party payment infrastructure, such as Stripe or PayPal, to fully protect your information.
Extended IT Audit Resource
Request our Extended Security Q&A
For an in-depth, deeply technical look at our internal policies, patch management, secure CI/CD pipelines, personnel screening, and specific migration access requirements, you can request our comprehensive Extended Security & Architecture Q&A document by emailing our team directly at the provided security email address.