brucquat
Enthusiast
Posts: 32
Liked: 2 times
Joined: May 12, 2016 1:32 pm
Contact:

GDPR and Schrems II compliant

Post by brucquat »

Hello,

If Veeam performs a backup copy job to the cloud:
1. Which encryption method/key is used?
2. Is the encryption key stored on-premise or in the cloud (or both)?
3. Is Veeam "GDPR and Schrems II" compliant with its encryption method?

Thanks.
PetrM
Veeam Software
Posts: 3996
Liked: 686 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic
Contact:

Re: GDPR and Schrems II compliant

Post by PetrM »

Hello,

1. AES256CBC is used for backup encryption regardless of destination, whether it is cloud or on-premises. You may find more info on this page.
2. The encryption key is stored on the tenant side. On the cloud side, there is only a metakey to process blocks of encrypted backups. The metakey does not provide access to backup content.
3. It seems GDPR does not have any specific requirements for encryption; at least on this page we can find the following statement:
"The GDPR deliberately does not define which specific technical and organisational measures are considered suitable in each case, in order to accommodate individual factors."
However, let me double check it with our security analysts.

Thanks!

Re: GDPR and Schrems II compliant

Post by brucquat »

Many thanks for your feedback. Any feedback from the security analysts? Thanks.

Re: GDPR and Schrems II compliant

Post by PetrM »

Hello,

Not yet. Just to clarify: I'm waiting for feedback regarding question 3 only, but I'm pretty sure that the provided statement won't be changed. I'll update the topic as soon as I have more info.

Thanks!

Re: GDPR and Schrems II compliant

Post by PetrM »

@brucquat
My sincere apologies for being late with the update. We discussed your questions internally and I have nothing to add to my initial statements. The whole point is that Veeam has no access to an encryption key as it is stored on the tenant side.

Thanks!

Re: GDPR and Schrems II compliant

Post by brucquat »

No worries for the delay and many thanks for your investigations.