« back to Support Page

Anti-cloud: Backup & Restore

GDPR Compliance

What is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. The enforcement date of GDPR is 25 May 2018.

Is Anti-Cloud Backup & Restore GDPR Compliant?

Anti-Cloud Backup & Restore can be part of your GDPR compliant backup offering, however you will have to ensure that you fulfil your own GDPR obligations as well. It maybe advantageous to engage a GDPR consultant or agency to ensure your compliance.

What aspects of using Anti-Cloud Backup & Restore will help with providing a GDPR compliant backup offering?

  • Encryption: Anti-Cloud Backup & Restore always encrypts all user data before storing it. It remains encrypted during transfer and also at rest in the storage destination, even in a scenario where the storage destination is compromised the data remains unreadable.

HIPAA Compliance

What is HIPAA?

The United States HIPAA (Health Insurance Portability and Accountability Act) is legislation that mandates data privacy and security provisions for the safeguarding of patient data by health organizations, including drugstores, hospitals and specialized insurance companies. This law was further amended in 2009 to include the HITECH Act (The Health Information Technology for Economic and Clinical Health). The act states that Protected Health Information (PHI) must be rendered “unusable, unreadable, or indecipherable” to unauthorized persons and that encryption for data ‘at-rest’ and ‘inflight’ should be addressed.

Is Anti-Cloud Backup & Restore HIPAA compliant?

Backing up:

Anti-Cloud Backup & Restore always encrypts all user data before sending or storing it, using strong AES-256-CTR with Poly1305 in AEAD mode with high-entropy random keys. The user's password is used to derive two 192-bit keys (the "L" and "R" keys) via PBKDF2-SHA512, with hard-coded parameters for repeatable output.

  • The L-key is used to log in to the Auth Role server in place of the real password; the server stores only a bcrypt(sha512) hash of this L-key.
  • The R-key never leaves the client, and is used to encrypt secret keys stored within the user's profile on the server.

During rest:

When Anti-Cloud Backup & Restore sets up a Storage Vault for the first time, it generates two high-entropy random keys (the 256-bit "A" and 128-bit "E" keys). All user data in the Storage Vault is stored encrypted with the A-key using AES-256 in CTR mode, and authenticated using Poly1305 in AEAD (encrypt-then-MAC) mode. The only party with the decryption key is your company/the backup user. This ensures total privacy of the PHI data.

What is a Business Associate Addendum (BAA)

Under the Health Insurance Portability and Accountability Act (HIPAA), a "business associate" is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity. A "business associate" also includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Under the HIPAA regulations, using a Cloud Service Provider like Amazon/Azure/Wasabi etc would classify you as being in a business associate arrangement and require an agreement.

The HIPAA rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.

Do I need to sign a BAA with Anti-Cloud Backup & Restore?

BAA Contract available upon request.

Anti-Cloud Backup & Restore Server and HIPAA

Data that is backed up using Anti-Cloud Backup & Restore is always encrypted during backup, transit and at rest. Only you and parties you nominate, have access to your Anti-Cloud Backup & Restore Server.

We do not recommend using Anti-Cloud Backup & Restore Server as a HIPAA backup solution.

You can read more about HIPAA in general here on HHS.gov


« back to Support Page