Arlo’s Cloud Computing Code of Practice Review

Company name: Arlo Software Ltd

Company Registration Number: 1811201

Trading name: Arlo Software

Physical address: Level 2/79 The Esplanade, Petone, Lower Hutt 5046, New Zealand

Postal address: PO Box 33062, Wellington Mail Centre, Lower Hutt 5045, New Zealand

Company Website: www.arlo.co

Contact phone number: +64 4 586 9460

Contact email address: support@arlo.co

Complaints about our service can be made in the first instance to our support helpdesk at support@arlo.co, or by calling +64 4 586 9460.

Contact person responsible for these disclosure statements can be contacted via the following email address: support@arlo.co with a reference to our Cloud Computing Code of Practice Disclosure document.

The disclosures herein apply to the following products or services supplied by us.

• Arlo product as described at https://www.arlo.co.

For the purpose of Legal Jurisdiction, the contracted supplier who provides the service to you is a company registered in New Zealand.

The governing law of our contract with you are those of New Zealand.

The disclosure statements that follow have been self assessed.

We do not claim ownership of any data or information uploaded to our service.

Your data and information may traverse or be stored on our upstream provider’s networks or systems. In these instances that provider considers the data and information that you use or transmit via our service as owned by the client.

Meta data and other statistical information, such as anonymised data generated as a result of the use of our service, is owned by Arlo and may be used for the purposes of support, service delivery, infrastructure management, and marketing.

As at the date of application: 

• We are not listed on the CSA STAR Registry.
• We are currently undergoing the process of acquiring certification against the following security related standard(s) : IS/IEC 27001:2022
• We have the following physical security in place at the data centres hosting your data:
  • We host our service at a datacenter operated by Amazon Web Services (AWS)
  • Physical
    • Data center access limited to AWS data center technicians
    • Biometric scanning for controlled data center access
    • Security camera monitoring at all data center locations
    • 24x7 onsite staff provides additional protection against unauthorized entry
    • Unmarked facilities to help maintain low profile
    • Physical security audited by an independent firm
  • Operational
    • ISO17799-based policies and procedures, regularly reviewed as part of a SAS70 Type II audit process
    • All employees trained on documented information security and privacy procedures
    • Access to confidential information restricted to authorized personnel only, according to documented processes
    • Systems access logged and tracked for auditing purposes
    • Secure document-destruction policies for all sensitive information
    • Fully documented change-management procedures
    • Independently audited disaster recovery and business continuity plans in place for AWS headquarters and support services
• We have the following digital security in place on the systems hosting your data: 
  • Physical Access Controls
    • Arlo shall take reasonable measures to prevent physical access such as security personnel and secured buildings and factory premises, to prevent unauthorised persons from gaining access to Customer Personal Data, or ensure Third Parties operating data centres on its behalf are adhering to such controls.
  • System Access Controls
    • Arlo shall take reasonable measures to prevent Customer Personal Data from being used without authorisation. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorisation processes, documented change management processes and/or logging of access on several levels.
  • Data Access Controls
    • Arlo shall take reasonable measures to provide that Customer Personal Data is accessible and manageable only by properly authorised staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Personal Data to which they have privilege of access; and, that Customer Personal Data cannot be read, copied, modified or removed without authorisation in the course of Processing.
  • Transmission Controls
    • Arlo shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Customer Personal Data by means of data transmission facilities is envisaged so Customer Personal Data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport.
  • Input Controls
    • Arlo shall take reasonable measures to provide that it is possible to check and establish whether and by whom Customer Personal Data has been entered into data processing systems, modified or removed. Arlo shall take reasonable measures to ensure that (i) the Customer Personal Data source is under control of the Data Controller; and (ii) Customer Personal Data integrated into the Service is managed by secured transmission from the Data Controller.
  • Data Backup
    • Backups of databases in the Service are taken on a regular basis, are secured and encrypted to ensure that Customer Personal Data is protected against accidental destruction or loss when hosted by Arlo.
  • Logical Separation
    • Data from different Arlo subscriber environments is logically segregated on Arlo’s systems to ensure that Customer Personal Data that is collected for different purposes may be Processed separately.

• Our primary systems that host your data are located in either Australia (Sydney), Canada (Montreal), United States (Oregon), or Ireland (Dublin).
• Our Backup/Disaster recovery systems that hold your data are located in either Australia (Sydney), Canada (Montreal), United States (Oregon), or Ireland (Dublin).

Data access by you:

• Your data may be accessed during the contract period as described in our contract with you.
• Your data can be downloaded from our service during the service provision period via the following formats: CSV.
• At the cessation of our service to you, your data will be available to access.
  • Access to this data will be granted via a support request to our helpdesk at support@arlo.co.
  • There will be additional charges for access to your data after the service has ceased.

Data access by us:

• Deletion of all customer data at the cessation of our service to you takes place after 30 days.
• We use customer data for the following business functions
  • Product and service support
• We do not access customer data for any other purpose  
• We do not use customer data in order to generate revenue other than through provision of the service

Data access by others:

• If we are approached by law enforcement agencies it is our policy to cooperate as required under New Zealand law.
• We do not provide access to customer data to third parties other than law enforcement agencies as set out above.

Understanding the backup procedures of your service provider and their maintenance policies allows the customer to make decisions on what further steps they may need to ensure their data is backed up sufficiently.

• Backups are performed every 2 hours (client data), daily (system data), and weekly (operating system data).
• Backups include (tick those that apply)
  • system data
  • client data
  • statistical data
  • operating system data
• Backup data is stored onsite and offsite.
• Where backup data is stored offsite, the offsite location is determined by AWS.
• We test the restoration of backup data every 3 months and the test is conducted using backup files to perform a full platform recovery for selected sample customers with testing to verify the stability of the restored platform.
• Access to backup data or archive data is not available.
• Ad hoc requests for restoration of customer data will be commenced within one business day.
• We do not allow client audits of backup data.
• Backup data is retained for 14 days.
• We do undertake a regular maintenance programme to ensure the reliability and stability of our cloud resources.
• We do undertake a regular maintenance programme to ensure the reliability and stability of our service offerings.

• Our service is provided via multiple locations.
• Our services are provided via both onshore and offshore locations.
• We operate offices in the following countries: New Zealand, United Kingdom, Canada.

This section sets out the standard support mechanisms and service level agreements that apply to services.

• Our standard support hours are weekdays 8 AM - 5:30 PM NZST and 8.30 AM - 5 PM  GMT (not including public holidays). In the event of an unscheduled outage or incident, we will communicate the details of the issues and expected resolution times via twitter (@ArloSoftware), email (obtained during service sign up), and our helpdesk/support forums (https://support.arlo.co).
• When communicating an issue to us we prefer you to do so via our helpdesk support@arlo.co
• Our standard response time to any support issue raised is 12 hours.
• In the event of a major incident, we will update our notifications every 2 hours.
• When communicating with you we will use contact details provided by you during sign up.
• We do make incident reports available to our clients after a major incident.
• We will shut down or isolate any service offering that is impacting, or will impact, service level agreements.
• We do not require service offering specific tools to enable safe service offering shutdown or   isolation if needed.
• We operate an active/active based service.
• We classify incidents and therefore the resolution time to issues in the following way

Arlo offers differing SLA levels depending on agreements with customers, and the purchase of enhanced support plans offering reduced response times. The response times disclosed in this document are those of the baseline (standard) support plan.

For more information see 

• Arlo Service Level Agreement
• Arlo Support
• Arlo Service Specifications

• We allow the use of an API to access data during service provisioning and consumption
• Data will be available to download after we cease supplying service to you 
  • Data can be obtained via a support request to our helpdesk at support@arlo.co.
• There may be additional charges associated with accessing data after your service has ceased.

• Our service is configured to use multiple load-balanced servers in a virtual machine environment. Application features are distributed across the farm to provide redundancy in the case of any one server or node failing.
• Our service utilises AWS Cloud infrastructure services which allow rapid deployment of new (recovery) server instances based on existing backup images or scripted infrastructure templates.
• Disaster recovery procedures include steps for the scripted rebuild of web and database servers from scratch in scenarios where existing backup images of the server are unusable or unavailable.
• Our service utilises AWS hosting facilities which feature business continuity strategies:
  • Data and servers are stored within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk floodplains (specific flood zone categorization varies by Region). 
  • In addition to discrete uninterruptable power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. 
  • Availability zones are all redundantly connected to multiple tier-1 transit providers

• All client data can be exported at any stage of the service delivery in the following formats: CSV, XML.
• API requires data to be transmitted in the following formats: XML, JSON

• The source code for the applications that you use on our service is not available to license on your systems outside of our service provision.
• It will not be possible to use your data downloaded from our systems in its native form outside of our service (ie your local network).

• We do allow the auditing of our services by customers, under certain conditions detailed in our Master Subscription Agreement (https://www.arlo.co/legal/master-subscription-agreement).
• We do have an acceptable use policy that is applicable to the services stated in section 5.2. This policy can be found at Terms of use (https://www.arlo.co/legal/website-terms-of-use)
• We do operate a Privacy Policy. This policy can be found at Privacy Policy (https://www.arlo.co/legal/privacy-policy)

• If we discover that your data has been lost or compromised, we will always notify you as soon as practicable by e-mail unless that notification would compromise a criminal investigation into the breach.
• When we are in possession of evidence of criminal activity associated with the breach (such as evidence of hacker activity) we will always notify appropriate law enforcement agencies.

When requested by appropriate law enforcement agencies to supply customer related information without a warrant or legal mechanism to compel disclosure:

• It is our usual policy not to comply with such requests.