Arlo’s Cloud Computing Code of Practice Review

For an organisation to be compliant with this Code of Practice they must truthfully disclose the following information to all clients, both prospective and current, before, during and after the sales process. They are required to update any disclosures and actively inform their clients in writing, and the registry, of these changed disclosures as soon as possible and not later than 28 days of that change being made.

The applying organisation must comply with each of these requirements. An organisation may choose to subscribe to additional disclosure modules highlighting their further commitment to their standards of good practice.

The standard areas of disclosure required by this code are:

Company name: Arlo Software Ltd

Company Registration Number: 1811201

Trading name: Arlo Software

Physical address: Level 2, 7 Ward St, Hutt Central, Lower Hutt 5010, New Zealand

Postal address: P O Box 33062, Wellington Mail Centre, Lower Hutt 5045, New Zealand

Company Website: www.arlo.co

Contact phone number: +64 4 586 9460

Contact email address: support@arlo.co

Complaints about our service can be made in the first instance to our support helpdesk at support@arlo.co, or calling +64 4 586 9460.

Contact person responsible for these disclosure statements can be contacted via the following email address: support@arlo.co with a reference to our Cloud Computing Code of Practice Disclosure document.

The disclosures herein apply to the following products or services supplied by us.

• Arlo product as described at https://www.arlo.co.

For the purpose of Legal Jurisdiction, the contracted supplier who provides the service to you is a company registered in New Zealand.

The governing law of our contract with you are those of New Zealand.

The disclosure statements that follow have been self assessed.

• We do not claim ownership of any data or information uploaded to our service.
• Your data and information may traverse or be stored on our upstream provider’s networks or systems. In these instances that provider considers the data and information that you use or transmit via our service as owned by Arlo.
• Meta data and other statistical information, such as anonymised data generated as a result of the use of our service, is owned by Arlo and may be used for the purposes of support, service delivery, infrastructure management, and marketing.

(section is under review in v1.01)

Informal details:

• Customer data is segregated using isolated databases, each with independent logins by infrastructure components.
• Application components (API, Website, Management, auxiliary infrastructure services) have database access specific to their function based on least-privilege principles.
• Customer login tokens are managed using ASP.NET forms authentication. Cookie auth tokens are encrypted using AES-256.
• Management platform pages and resources are served over secure HTTP.
• Database backups at rest are encrypted using AES-256.
• Servers are protected by a Web Application Firewall, VPC segregation, IP-restricted port access and hardened OS configurations.
• Servers are regularly updated (monthly) with vendor patches for known vulnerabilities. Out of band releases for urgent updates are applied as early as possible.
• Access details for server access is restricted to a limited number of senior Arlo infrastructure staff in possession of physical tokens with encrypted details for server access.
• Datacentre facility security operated by Amazon Web Services (AWS)
  • Physical
    • Data center access limited to AWS data center technicians
    • Biometric scanning for controlled data center access
    • Security camera monitoring at all data center locations
    • 24x7 onsite staff provides additional protection against unauthorized entry
    • Unmarked facilities to help maintain low profile
    • Physical security audited by an independent firm
  • Operational
    • ISO17799-based policies and procedures, regularly reviewed as part of a SAS70 Type II audit process
    • All employees trained on documented information security and privacy procedures
    • Access to confidential information restricted to authorized personnel only, according to documented processes
    • Systems access logged and tracked for auditing purposes
    • Secure document-destruction policies for all sensitive information
    • Fully documented change-management procedures
    • Independently audited disaster recovery and business continuity plans in place for AWS headquarters and support services

• Our primary systems that host your data are located in either Australia (Sydney), Canada (Montreal) or Ireland (Dublin).
• Our Backup/Disaster recovery systems that hold your data are located in either Australia (Sydney), Canada (Montreal) or Ireland (Dublin).

• Backups are performed every 2 hours (client data), daily (system data), and weekly (operating system data).
• Backups include system data, client data, operating system data.
• Backup data is stored onsite and offsite.
• We test the restoration of backup data every 3 months and the test is conducted using backup files to perform a full platform recovery for selected sample customers with testing to verify the stability of the restored platform.
• Access to backup data or archive data is not available.
• Ad hoc requests for restoration of customer data will be commenced within one business day.
• We do not allow client audits of backup data.
• Backup data is retained for 14 days.
• We do undertake a regular maintenance programme to ensure the reliability and stability of our cloud resources.
• We do undertake a regular maintenance programme to ensure the reliability and stability of our service offerings.

• Our service is provided via multiple locations.
  • Our services are provided via both onshore and offshore locations.
• We operate offices in the following countries: New Zealand, United Kingdom.

• Our standard support hours are weekdays 8 AM - 5:30 PM NZST and 8.30 AM - 5 PM  GMT (not including public holidays). In the event of an unscheduled outage or incident, we will communicate the details of the issues and expected resolution times via twitter (@ArloSoftware), email (obtained during service sign up), and our helpdesk/support forums (https://support.arlo.co).
• When communicating an issue to us we prefer you to do so via our helpdesk support@arlo.co
• Our standard response time to any support issue raised is 12 hours.
• In the event of a major incident, we will update our notifications every 2 hours.
• When communicating with you we will use contact details provided by you during sign up.
• We do make incident reports available to our clients after a major incident.
• We will shut down or isolate any service offering that is impacting, or will impact, service level agreements.
• We do not require service offering specific tools to enable safe service offering shutdown or   isolation if needed.
• We operate an active/active based service.
• We classify incidents and therefore the resolution time to issues in the following way

Arlo offers differing SLA levels depending on agreements with customers, and the purchase of enhanced support plans offering reduced response times. The response times disclosed in this document are those of the baseline (standard) support plan.

For more information see 

• Arlo Service Level Agreement
• Arlo Support
• Arlo Service Specifications

• If we discover that your data has been lost or compromised, we will notify you as soon as practicable by email, unless that notification would compromise a criminal investigation into the breach.
• The notification will be made consistent with the Voluntary Breach Notification Guidelines issued by the New Zealand Office of the Privacy Commissioner.
• Where we are able to determine that there has been significant loss or compromise of personal information, and a risk of harm to individuals, we will also notify the Office of the Privacy Commissioner directly.
• When we are in possession of evidence of criminal activity associated with the breach we will notify appropriate law enforcement agencies.

• We allow the use of an API to access data during service provisioning and consumption
• Data will be available to download after we cease supplying service to you 
  • Data can be obtained via a support request to our helpdesk at support@arlo.co.
•  There may be additional charges associated with accessing data after your service has ceased.

• Our service is configured to use multiple load-balanced servers in a virtual machine environment. Application features are distributed across the farm to provide redundancy in the case of any one server or node failing.
• Our service utilises AWS Cloud infrastructure services which allow rapid deployment of new (recovery) server instances based on existing backup images or scripted infrastructure templates.
• Disaster recovery procedures include steps for the scripted rebuild of web and database servers from scratch in scenarios where existing backup images of the server are unusable or unavailable.
• Our service utilises AWS hosting facilities which feature business continuity strategies:
  • Data and servers are stored within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk floodplains (specific flood zone categorization varies by Region). 
  • In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. 
  • Availability zones are all redundantly connected to multiple tier-1 transit providers.

• All client data can be exported at any stage of the service delivery in the following formats: CSV.
• API requires data to be transmitted in the following formats: XML, JSON.

• The source code for the applications that you use on our service is not available to license on your systems outside of our service provision.
• It will not be possible to use your data downloaded from our systems in its native form outside of our service (ie your local network).