Sonar and General Data Protection Regulation (GDPR)

Security in the Cloud

Sonar has implemented technical security and privacy protection solutions offered by Microsoft Azure to maintain the confidentiality, integrity, availability, and privacy of client data stored in the cloud.

Our Cloud Service Provider (Microsoft Azure) platforms meet a broad set of international and industry-specific compliance standards, such as the General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. Rigorous third-party audits verify their adherence to the strict security controls these standards mandate. Refer to the Microsoft Service Trust Portal, which lists all of their audit certifications.

Data Security - Industry Standard Encryption and Secure Connections

Sonar's data is transmitted to and from our servers over HTTPS, encrypted in transit with TLS 1.2 or above, and protected at rest with AES 256-bit encryption. All communications are SSL/TLS encrypted, and our data is stored in SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified cloud data centers.

Network Security - Intrusion Detection and Prevention

Our networks are protected by Microsoft Azure firewalls configured to follow industry best practices for network ingress/egress security. The firewall is configured for Extended Detection and Response (XDR) monitoring of security vulnerabilities and threats, protecting against malware, brute-force attacks, SQL injection, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, worms, and botnets.

Azure Network Security Groups (NSGs) are used to control both inbound and outbound traffic to our cloud Virtual Network. NSGs filter traffic at the network layer using security rules that allow or deny traffic based on 5-tuple information: protocol (TCP, UDP, ICMP), source IP address, source port, destination IP address, and destination port.

Sonar has established detailed operating procedures, security policies, processes, and security tools designed to: ensure the safety of all Sonar employees, suppliers, partners, and customers; control the quality of, and maintain the integrity of, all Sonar information systems and services; and provide continuous availability and optimized performance.

Data Governance

Sonar understands the Cloud Shared Responsibility Model and its ownership of data as it relates to the Cloud Services subscribed to using Microsoft Azure. Sonar has achieved CyberSecure Canada certification and is actively working towards ISO 27001 certification. Our commitment to data privacy and security is centered on protecting the confidentiality, integrity, privacy, availability, and security of data, on preventing and detecting external threats, and on disclosing our rights and obligations in our Privacy Policy. This policy is aligned with GDPR (General Data Protection Regulation) requirements.

European Data Transfer

The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection.

In 2001, the EU recognized Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) as providing adequate protection.

Canada’s adequacy status ensures that personal data can flow from the EU to Canada without any further safeguard being necessary.

Microsoft has long used the Standard Contractual Clauses as a basis for the transfer of data for its enterprise online services. The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the European Economic Area in a compliant manner. Microsoft has incorporated the Standard Contractual Clauses into all of its Volume Licensing agreements. For personal data from the European Economic Area, Switzerland, and the United Kingdom, Microsoft ensures that transfers of personal data to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR.
