Purpose

The below information covers the CartonCloud technology platform, architecture, servers and redundancy provisions.

Definitions

Tenant - A tenant is an organisation within CartonCloud. For example: "Freight Company A" use CartonCloud; they're considered a tenant. 

Software Architecture

CartonCloud is a cloud-native application with an architecture consisting of multiple technologies in an environment utilising microservices incorporating industry-standard open-source libraries and partnering with some third-party services. All tenants run from a single code base in a shared environment, with 'pluggable' modules and configurations providing tenant-specific functionality where required.

Databases Security and Backups

CartonCloud uses a number of database technologies, with data securely partitioned per tenant at all times to prevent inadvertent data leakage across different tenants. Real-time replica databases and daily backups are utilised across multiple data centres and regions to ensure data is protected even in the event of major disasters.

System Redundancy

CartonCloud is hosted in the cloud with infrastructure distributed across multiple data centres and regions for performance and/or redundancy purposes. Critical processes are also deployed simultaneously across multiple data centres with redundant power, networking, and connectivity. This allows the application to continue operating seamlessly despite some outages in the underlying infrastructure.

File Storage

Database backups, as well as files uploaded to the system, such as manifests, signatures, scanned invoices and photos captured from the Mobile Application, are held in cloud-based storage with stated 99.999999999% of data durability. In addition to other protective measures, data is versioned to ensure it is recoverable even in the event of a ransomware attack.

Networks

Databases and other critical internal services are protected on private internal only networks, with only specified public access points available on internet accessible networks. The test and development networks are also separated from production with separately controllable access policies.

Security and Compliance

CartonCloud implements security and compliance as a shared responsibility with its cloud service provider. The cloud service provider has certification for compliance with, among others, ISO 27001. CartonCloud utilises tools made available by the cloud service provider and also reviews standards such as ISO 27001 to determine suitable levels of security controls.

All communication with the CartonCloud system is only allowed for authenticated users and encrypted using HTTPS / TLS 1.2. For API access, CartonCloud uses OAuth standards to manage authentication. CartonCloud utilises a combination of proprietary and third-party tools for logging, monitoring and unauthorised access prevention. 

From time to time, external penetration testing is conducted to identify any possible security weaknesses and to plan risk mitigation and remediation work.

Account Closure

If an account is shut down (tenant leaves CartonCloud), it will be deactivated, but data will be retained in our live environment for at least 90 days, and the account can be reactivated within this period. After this time, data will be archived for internal record-keeping purposes but cannot be restored to a live tenant. Archived data will typically be retained for approximately one year before being permanently deleted.