Datto Workplace

Security Architecture Guide

Table of Contents
Operational Security
  Dedicated Geo-Redundant Data Center Infrastructure
  SSAE 16 / SAS 70 and SOC2 Audits
  Logical Access Security
  Comprehensive Monitoring
  Testing, Risk Assessment and Compliance
Data Encryption and Authentication
Policy Profiles
User Management and Policies
  User Security Roles
  Authentication Policies
  Active Directory Integration
  Single Sign-On
  IP Address Whitelist Policies
  Session Policies
Device Management and Policies
  Remote Wipe
  Remote Device Management
  Mobile Device Management
Data Management and Security
  Team Shares
  Public Shares
  File Locking, File Versioning and Conflict Management
  Full Control of Content
  Ransomware Detection and Recovery
Reporting

Operational Security

Dedicated Geo-Redundant Data Center Infrastructure

In the common virtualized approach to cloud services, a cloud service provider leases processing and storage capacity from an Internet infrastructure provider, and the service applications and customer data of unrelated tenants share the same processing and storage platforms in a time-sliced manner, with only logical separation between independent operating domains. By contrast, all Datto Workplace hardware and software in each data center is 100% owned, operated, and managed by Datto. This dedicated data center approach ensures that only Workplace services run on Workplace processing and storage platforms.

Dedicated hardware removes the risk of service interruption, performance degradation, or malware infection caused by adjacent tenants' applications on a shared host. Combined with multi-level regional and data center redundancy, the Workplace infrastructure is among the more secure, reliable, and available cloud service architectures available today.

Workplace uses a co-location model for deployment of Datto-owned and -operated equipment and software, utilizing the rack space, power, cooling, and physical security of major SSAE 16 audited data centers. These facilities are classified as Tier 3 or better with N+1 fault tolerant systems, the tier whose design target is 99.982% availability. The Workplace network architecture deployed to these facilities includes multiple levels of redundant application servers and storage arrays, ensuring high availability, failover support, and load balancing.

Summary
• Co-location model with HW and SW 100% owned, operated, and managed by Datto
• Geo-redundant, Tier 3, SSAE 16 audited data centers (two per region)
• Complete, redundant, regional data set in each data center
• Complete regional server setups in each data center
• Data center redundancy using RAID6 mirrored backup with replication
• Modular clustered server farms for service load-balancing and failover protection
• SLAs for response time, service restoration, and 99.982% availability

Datto operates data centers in several geographical regions, including the United States, Canada, Denmark, and Australia, and is planning further expansion into other regions. Within each region there are two levels of redundancy. First, within each data center, redundant servers and file storage ensure that component failures can be isolated and resolved quickly. Second, within each region, at least two independent data centers are physically distanced and isolated from each other, providing protection against whole-data-center failures, regional disasters, and broader Internet-related failures. This dual-level geo-redundancy provides the greatest possible availability and protection against data loss.

The physical presence of data centers in separate regions also means that data does not leave the region. Data stays in the United States for U.S. customers, in the European Union for EU customers, in Australia for AU customers, and in Canada for Canadian customers (in compliance with PIPEDA and local regulations).

The General Data Protection Regulation (GDPR), which fundamentally changed European privacy law, went into effect in May 2018. It requires all companies that handle the "personal data" of individuals in the EU to adopt more stringent privacy and security practices. Datto has made a substantial investment of time and resources to ensure its products and services are GDPR compliant.

SSAE 16 / SAS 70 and SOC2 Audits

In the rapidly changing landscape of cloud services, companies that handle sensitive information in, for example, the legal, finance, and medical sectors find that their information processing controls are under increasing levels of scrutiny. Workplace data centers are audited against both AICPA SSAE 16/SAS 70 and ISAE 3402 criteria for system availability and security, thus providing assurances regarding adequate information processing controls oversight. Similarly, Workplace's own internal security controls are audited against SSAE 16/ISAE 3402 criteria for employee policies, physical and logical access controls, intrusion detection and testing, service reporting, security incident procedures, training, change control, and configuration management.

Workplace's SOC 2 Type 2 examination report is issued in accordance with both the SSAE 16 attestation standard established by the American Institute of Certified Public Accountants and the International Standard on Assurance Engagements (ISAE) 3402, "Assurance Reports on Controls at a Service Organization." (SAS 70 was superseded by SSAE 16 in 2011, and SSAE 16 by SSAE 18 in 2017; the control objectives carry over, so ask for the current report.) Accordingly, Workplace services can serve as a foundation upon which customers can build their SSAE 16/SAS 70/ISAE 3402 compliant data processing and storage policies and practices. A SOC 2 report covers the stated criteria for the stated period only; read the auditor's exceptions rather than relying on the report's existence.

Logical Access Security

All Datto Workplace application servers are protected with OS security modules that apply Discretionary Access Control and Mandatory Access Control policies to all server processes, so that a compromised process is confined to the resources its policy grants and cannot be used to take over the host.

All Workplace infrastructure connection pathways are tightly regulated as to the types of traffic allowed between internal server endpoints. Any network traffic that does not match the expected data flow patterns in terms of source, destination, and/or traffic type is immediately blocked and reported to monitoring personnel through alerts; anything not on the expected-flow list is denied by default.

Comprehensive Monitoring

All Workplace regional data centers are monitored 24 hours a day, 365 days a year by equipment service and operations staff who have immediate access to Workplace engineering personnel should it become necessary. Co-location with major data center industry partners provides physical and environmental security at the standard those facilities are audited against.

Workplace utilizes dedicated software monitoring components designed to track and evaluate the operation of servers, networking equipment, applications, and services within the Workplace service infrastructure. This includes monitoring of resources such as processor load and memory and disk space usage.

Alerts regarding performance or potential security issues are automatically distributed to several on-call staff via SMS and email.

Testing, Risk Assessment and Compliance

Datto Workplace makes use of independent third-party testing, analysis, and assessment services. Workplace's multi-faceted approach to testing and risk assessment incorporates ongoing third-party penetration testing of the Web, Agent, and API surfaces, periodic SAS/SSAE audits, and daily Hacker Safe updates.

The General Data Protection Regulation (GDPR) became enforceable on 25 May 2018. The GDPR replaces the Data Protection Directive 95/46/EC and standardizes legal data protections across the Member States of the European Union. Datto is aware of its obligations as a processor under the GDPR and remains committed to supporting its MSP Partners' and their clients' GDPR compliance efforts.

Datto, Inc. has certified certain of its services, for which it acts as a data processor, under the EU-U.S. Privacy Shield Framework. For more information on Privacy Shield, see the U.S. Department of Commerce's Privacy Shield website at https://www.privacyshield.gov/welcome

Workplace is compliant with all Security Rule requirements specified in the Technical Safeguards, Administrative Safeguards, and Physical Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Workplace's Privacy Policy provides details regarding the policies implemented throughout Workplace in order to comply with HIPAA. Furthermore, Workplace engages health care provider customers as HIPAA Business Associates through BAA agreements.

Data Encryption and Authentication

All files handled by the Datto Workplace service are secured, both in transit and in storage, using 256-bit AES encryption. To maximize the separation between teams, users, and files, a different, unique, rotating encryption key is used for each individual file. None of the encryption keys are stored "in the clear" in any non-volatile storage; they are encrypted and stored under the protection of a master key. This is the envelope pattern: exposure of one stored file key exposes one file, and rotating the master key means re-wrapping the small per-file keys rather than re-encrypting every file.

Server authentication is certificate-based, ensuring that the user's agent will neither connect to nor cooperate with any server other than those that comprise the Workplace service. Even in the unlikely event of a successful attack on Internet DNS or routing infrastructure, which is outside the control of Workplace or any other SaaS provider, an impostor that can redirect the agent's traffic still cannot present a certificate the agent trusts, so the agent refuses the connection instead of handing the impostor its session.

Policy Profiles

Team Defaults and Policies provide Workplace administrators with granular control of the features and functions available to users. Because policy profiles are cumulative, applying them to both groups and individuals offers the best balance between ease of administration and granular control. All policies referenced in this guide are controlled through this mechanism.

User Management and Policies

User Security Roles

Datto Workplace provides Role-Based Access Control (RBAC) mechanisms through which specific users can be granted varying levels of administrative permissions. Users can be granted the Super Admin or Admin security role, each providing a set of controls and management tools for administration of the team. These security roles allow administrative control of:
• Users and groups
• Default policies and policy profiles
• Active Directory (AD)
• Remote deployment
• Device approval
• Remote device wipe
• Reports
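The following Go program is an added illustration of the per-file key scheme described in Data Encryption and Authentication above. It is example code written for this guide, not Datto's implementation: the master-key identifiers, file IDs and sample content are constructed, and the choice of AES-256-GCM for both the content and the key wrap is an assumption (the guide states only "256-bit AES"). Each file gets its own random 256-bit key, that key is stored only in wrapped form under a master key, and a master-key rotation re-wraps the file key without touching the ciphertext:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptedFile is all that reaches non-volatile storage: the ciphertext and the
// per-file key (DEK) wrapped under a master key. The DEK is never written in the
// clear. Both blobs carry their random 12-byte nonce as a prefix.
type EncryptedFile struct {
	MasterKeyID string // which master key wrapped the DEK, so rotation can find it
	WrappedDEK  []byte // nonce || AES-256-GCM(masterKey, dek)
	Ciphertext  []byte // nonce || AES-256-GCM(dek, content)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts under a fresh random nonce and returns nonce||ciphertext.
// aad is authenticated but not encrypted: binding the file ID stops a wrapped
// key or ciphertext from being transplanted onto a different file.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptFile draws a unique 256-bit DEK for this file, encrypts the content
// under it, then wraps the DEK under the named master key.
func EncryptFile(masterKeyID string, masterKey, content []byte, fileID string) (*EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, content, []byte(fileID))
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(masterKey, dek, []byte(fileID))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{MasterKeyID: masterKeyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFile unwraps the DEK with the master key named in the record, then decrypts.
// A wrong master key, a tampered blob or a mismatched file ID fails authentication.
func DecryptFile(masterKeys map[string][]byte, ef *EncryptedFile, fileID string) ([]byte, error) {
	mk, ok := masterKeys[ef.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", ef.MasterKeyID)
	}
	dek, err := aeadOpen(mk, ef.WrappedDEK, []byte(fileID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, ef.Ciphertext, []byte(fileID))
}

// RewrapDEK rotates the master key: only the 32-byte DEK is unwrapped and
// re-wrapped; the (possibly large) file ciphertext is not touched.
func RewrapDEK(ef *EncryptedFile, oldMasterKey []byte, newID string, newMasterKey []byte, fileID string) error {
	dek, err := aeadOpen(oldMasterKey, ef.WrappedDEK, []byte(fileID))
	if err != nil {
		return err
	}
	wrapped, err := aeadSeal(newMasterKey, dek, []byte(fileID))
	if err != nil {
		return err
	}
	ef.WrappedDEK, ef.MasterKeyID = wrapped, newID
	return nil
}

func main() {
	mk1, mk2 := make([]byte, 32), make([]byte, 32) // constructed; in production these live in an HSM or KMS
	rand.Read(mk1)
	rand.Read(mk2)
	ef, _ := EncryptFile("mk-2019-07", mk1, []byte("quarterly numbers (constructed)"), "file-0001")
	_ = RewrapDEK(ef, mk1, "mk-2019-08", mk2, "file-0001")
	pt, err := DecryptFile(map[string][]byte{"mk-2019-08": mk2}, ef, "file-0001")
	fmt.Printf("after rotation: %s (err=%v)\n", pt, err)
}
```

The file ID as associated data is the detail that makes "a different key for each file" a real boundary: without it, an attacker with write access to storage could swap one file's wrapped key and ciphertext for another's and the service would decrypt it without complaint.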

Authentication Policies

Datto Workplace user authentication (excluding authentication via Active Directory and SSO) can be managed with policies, allowing password requirements and Two-Factor Authentication (2FA) to be enforced. Password requirement policies define values such as password expiration, reuse cycle, and recent password intervals, as well as password complexity and the failed-login threshold for account lockout.

Datto Workplace supports the delivery of 2FA tokens either through SMS or through RFC 6238 compliant mobile apps, such as Google Authenticator, that generate Time-based One-time Password (TOTP) tokens. Prefer the TOTP option where the user population allows it: SMS codes are exposed to SIM-swap and carrier-network attacks, which is why NIST SP 800-63B classes SMS as a restricted authenticator.

Datto Workplace's 2FA feature also supports a 2FA IP Address Whitelist, which allows administrators to specify one or more source IP addresses that are exempted from the 2FA requirement. This feature is commonly used to "whitelist" corporate headquarters or other remote offices, where there is high confidence that login attempts are from valid users physically located on company property, behind company firewalls. Keep the exempted ranges narrow: a stolen password used from the office network, or from a guest Wi-Fi that shares the office's egress address, bypasses 2FA entirely.

Active Directory Integration

User authentication and account management for users and groups can be enabled through the Active Directory (AD) integration. This feature allows Workplace administrators to provision users and groups using metadata from AD, and to require all AD-managed users to authenticate using their AD credentials. Workplace does not retain any login credentials during user authentication, but acts as a proxy between the user and the Active Directory servers.

Single Sign-On

Datto Workplace users can benefit from the security and convenience of authenticating via an SSO Identity Provider (IdP) to access the Workplace service. Datto Workplace uses the SAML 2.0 protocol to authenticate access to the Workplace service.

IP Address Whitelist Policies

The IP Address Whitelist is also commonly referred to as an Access Control List (ACL) in network security terminology. This feature enables Workplace administrators to place a flexible set of restrictions on service login. Specifically, service login can be allowed or prohibited based on a combination of the mode of access (Workplace Online, Workplace Mobile, Workplace Desktop) and the source IP address. For example, this might be configured to allow access via web browsers and mobile devices from anywhere, while restricting Workplace Desktop access to your company offices' IP address range.

Session Policies

Session Policies allow Workplace administrators to specify the session timeout duration and disable the remember-me feature for added control of user sessions in Workplace services.

Device Management and Policies

Cloud-based file sync and share services provide customers with significant advantages in terms of access mobility, ease of sharing, and real-time collaboration. This broadening access, however, means that the virtual data boundaries of business organizations have expanded to include a greater variety of devices over a wider geographical area, including both business-owned and personal devices. Workplace mitigates the resulting threats by providing a set of device management features integrated into Workplace Access Management.

Remote Wipe

Businesses have a critical need to ensure that all company data is securely and completely removed, on demand, from lost or stolen devices or from the devices of departing employees. The proliferation of mobile devices and the hybrid use of personal devices in business environments only amplifies this need. Consequently, Workplace supports remote removal of company data from computers and mobile devices.

Remote Wipe can be performed manually by administrators, on any device, or by users on their own devices. Administrators can also configure policies that trigger an automatic remote wipe when a user is disabled or deleted in Active Directory, or after excessive login attempts on Workplace Mobile.

Workplace's Device Wipe capability is an "atomic" feature that encompasses the entire wipe process, from the initial manual request or automatic trigger to final confirmation. After a Device Wipe is initiated for a target device, the Workplace service watches for a connection from that device. Upon connection, the Workplace service quarantines the connection while commanding the remote device to wipe all Workplace-synced files. After the wipe is completed, the device status is flagged with a positive confirmation so that administrative personnel know that the operation succeeded. Because the wipe executes only when the device next connects, a device that stays offline or whose disk has already been imaged is not cleaned by it; treat remote wipe as one control alongside local device encryption and prompt revocation of the device's credentials.

Remote Device Management

Datto Workplace allows administrators to lock Workplace Desktop preferences, thereby preventing users from changing settings. Used in conjunction with other Workplace Desktop policies, this provides complete remote management, including:
• Location of the Workplace folder
• Projects synced to the device
• Maximum bandwidth usage
• The ability to remotely access the device on which Workplace Desktop is installed
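The RFC 6238 tokens mentioned under Authentication Policies above are simple enough to show end to end. The following Go program is an added example (not Datto's code) of both sides: the generator that an authenticator app runs, and the server-side check with the clock-skew tolerance and replay bookkeeping a practitioner needs. The secret is the ASCII test key from RFC 6238 Appendix B so the output can be checked against the published vectors; a real enrolment uses a random secret delivered through the QR code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 * time.Second // RFC 6238 default time step
	totpDigits = 6                // what Google Authenticator displays
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totpCounter is the RFC 6238 T value: whole time steps since the Unix epoch.
func totpCounter(at time.Time) uint64 {
	return uint64(at.Unix() / int64(totpStep/time.Second))
}

// TOTP is what the authenticator app shows at time `at` for this secret.
func TOTP(secret []byte, at time.Time) string {
	return hotp(secret, totpCounter(at), totpDigits)
}

// VerifyTOTP is the server side. It accepts the current step and `skew` steps
// either side of it to tolerate clock drift, compares in constant time, and
// returns the step that matched so the caller can store it and refuse a second
// login with the same code (a captured code is otherwise valid for the window).
func VerifyTOTP(secret []byte, code string, at time.Time, skew int) (matchedStep uint64, ok bool) {
	now := totpCounter(at)
	for d := -skew; d <= skew; d++ {
		step := uint64(int64(now) + int64(d))
		candidate := hotp(secret, step, totpDigits)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(code)) == 1 {
			matchedStep, ok = step, true // keep looping: same work whichever step matched
		}
	}
	return matchedStep, ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	for _, t := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d code=%s\n", t, TOTP(secret, time.Unix(t, 0)))
	}
	_, ok := VerifyTOTP(secret, "287082", time.Unix(75, 0), 1) // one step late, inside the skew window
	fmt.Println("accepted within skew:", ok)
}
```

The server must also rate-limit verification attempts: a six-digit code with a three-step window gives an online guesser roughly a 3-in-a-million chance per try, which is only safe when tries are scarce.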

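The IP Address Whitelist and 2FA exemption policies above combine into a small decision function, shown here in Go as an added example (this is illustrative code, not Workplace's policy engine). The office ranges 203.0.113.0/24 and 2001:db8:1::/48 are documentation prefixes standing in for a real egress, and the policy mirrors the guide's own example: browsers and mobile from anywhere, Workplace Desktop only from the office, office logins exempt from the second factor.

```go
package main

import (
	"fmt"
	"net"
)

// Mode is the client surface a login arrives through.
type Mode string

const (
	Online  Mode = "Workplace Online" // web browser
	Mobile  Mode = "Workplace Mobile"
	Desktop Mode = "Workplace Desktop"
)

// Rule permits one mode of access from the listed networks; an empty list
// means "from anywhere".
type Rule struct {
	Mode Mode
	From []*net.IPNet
}

// LoginPolicy is the team's IP whitelist: which modes may log in from where,
// and which source networks are exempt from the second factor.
type LoginPolicy struct {
	Allow       []Rule
	TwoFAExempt []*net.IPNet
}

type Decision struct {
	Allowed      bool
	RequireTwoFA bool
	Reason       string
}

// Evaluate decides a login attempt. peer must be the transport-layer source
// address (or the address your own TLS-terminating edge stamps on the
// request), never a client-supplied header such as X-Forwarded-For, or the
// whitelist is satisfied by whoever can type the office address.
func (p LoginPolicy) Evaluate(mode Mode, peer string) Decision {
	ip := net.ParseIP(peer)
	if ip == nil {
		return Decision{Reason: "unparseable source address " + peer}
	}
	for _, r := range p.Allow {
		if r.Mode != mode {
			continue
		}
		if len(r.From) == 0 || inAny(ip, r.From) {
			return Decision{
				Allowed:      true,
				RequireTwoFA: !inAny(ip, p.TwoFAExempt),
				Reason:       fmt.Sprintf("%s permitted from %s", mode, peer),
			}
		}
	}
	return Decision{Reason: fmt.Sprintf("%s not permitted from %s", mode, peer)} // default deny
}

// inAny matches IPv4, IPv6 and IPv4-mapped IPv6 (::ffff:a.b.c.d) sources;
// net.IPNet.Contains normalises the mapped form before comparing.
func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func mustCIDRs(specs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(specs))
	for _, s := range specs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// ExamplePolicy is the configuration the guide describes. The prefixes are
// constructed documentation ranges, not a real office.
func ExamplePolicy() LoginPolicy {
	office := mustCIDRs("203.0.113.0/24", "2001:db8:1::/48")
	return LoginPolicy{
		Allow:       []Rule{{Mode: Online}, {Mode: Mobile}, {Mode: Desktop, From: office}},
		TwoFAExempt: office,
	}
}

func main() {
	p := ExamplePolicy()
	for _, try := range []struct {
		m  Mode
		ip string
	}{
		{Desktop, "198.51.100.7"}, {Desktop, "203.0.113.5"}, {Online, "198.51.100.7"},
		{Desktop, "::ffff:203.0.113.5"}, {Mobile, "2001:db8:1::42"}, {Online, "not an address"},
	} {
		d := p.Evaluate(try.m, try.ip)
		fmt.Printf("allowed=%-5v 2fa=%-5v %s\n", d.Allowed, d.RequireTwoFA, d.Reason)
	}
}
```

The IPv4-mapped case is the one that bites in practice: a dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d, and a matcher that compares strings or byte lengths silently denies (or, worse, exempts) the wrong clients.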
Mobile Device Management

Workplace Mobile begins with a strong foundation of security, using local encryption of all data stored by Datto Workplace Mobile. Workplace also uses device pinning to ensure that the "approved" mobile device/app is permanently associated with the approved user account. These techniques are critical to the control of both company data and user activities.

Mobile device policies allow administrators to control the functionality available via the mobile app. The following policy settings are available:
• Enforce Authentication - Specifies whether authentication is required to access accounts via Workplace Mobile. Also controls the authentication security level.
• Enable/Disable Sync - Controls the ability of users to sync files to their mobile device.
• Account Validation - Specifies the number of days a user can remain offline and still access content via the Workplace Mobile app. After the predefined period, access is denied until the user connects to the Internet. This mitigates the risk of a user putting a device into Airplane Mode and accessing company data indefinitely, for instance to keep data after a remote wipe has been issued.
• Enable/Disable Content Adding & Creating - Controls the ability of users to add or create content on their mobile device and upload it to Workplace.
• Enable/Disable Editing - Controls the ability of users to edit company files that have been downloaded or synchronized to the mobile device.
• Enable/Disable Exporting (Open-In 3rd Party Apps) - Controls the ability of users to export company files to third-party apps installed on their mobile device.

Data Management and Security

Workplace's security architecture provides content access control on two levels. First, overarching user policies are established by administrators and enforced by the Workplace service. Then, within the confines of those policies, users are free to grant others access to the content they control at whatever level they consider appropriate.

Team Shares

Access permissions to projects or sub-folders can be set to Online View Only, Read-Only, Modify, Create & Modify, and Full Access (including delete). In addition, content owners can delegate the ability to share the content with other users and to create public shares.

Public Shares

If permitted via policy, and if granted permission by the content owner, Datto Workplace users can establish and manage public shares to projects, folders and files. Public shares can be password protected and/or configured with expiration criteria. The functionality available to public share recipients can be configured as follows:
• View Only (via a web browser)
• View and Download
• Direct Download (files only)
• Upload Only (projects and folders only)
• View and Upload
• View, Download, and Upload
• Edit, Download, and Upload (allows document editing via Microsoft Office 365)

File Locking, File Versioning and Conflict Management

Additional protection of content includes several cooperating mechanisms that defend against accidental deletion or overwriting of files. While the file lock mechanism alerts other users during the collaborative editing of documents, the file versioning and file branching mechanisms operate automatically to ensure that, even in the event of file conflicts or file overwrites, no content is lost.

Users can manually lock files to prevent other users from making changes. In addition, Microsoft Office files automatically lock when edited and automatically unlock once closed. Workplace Server converts local application locks on the file server into Workplace locks, and vice versa, providing improved collaboration between on-premises and remote users.

As users edit and save subsequent versions of a file, the file versioning feature automatically retains the previous versions of all files for up to 180 days. At any point during that period, users can access previous versions through the Workplace web portal.

File branching, a similar back-end automatic process, ensures that conflicting updates to files are retained. If users ignore a file lock or are, due to lack of Internet connectivity, unaware that another user has updated the file, the changes are saved in a duplicate version with the user's name appended. This mechanism ensures that all changes are retained; the cost is that the conflicting copies must be reconciled by hand, so the lock remains the right first line of defense.

Full Control of Content

Workplace's Manage Projects feature facilitates full control of file structure and sharing permissions to ensure compliance with company guidelines. This feature allows Super Admins to:
• View and manage the entire team file structure
• Manage team and public shares
• Recover content owned by deleted users

Ransomware Detection and Recovery

Datto Workplace has built-in, sophisticated Ransomware Detection and Recovery. As files are updated on devices, they are monitored and analyzed for possible ransomware as they are synced with the Workplace service. The overall set of file operations from each device is further analyzed on the service, and algorithms are employed to identify ransomware attacks. Once an attack is identified, the affected device is quarantined to prevent the synchronization of encrypted files to other devices on the team. Administrators are immediately alerted, allowing them to respond rapidly and to revert the affected files to their last known good state from the version history described above, thus minimizing the impact of the ransomware attack. Recovery is only as good as the retained history: an attack noticed after the 180-day version window has passed cannot be rolled back from Workplace alone.
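The guide does not describe which signals its ransomware analysis uses. The following Go program is an added example of the kind of logic a sync service can run over the stream of file operations, written for this guide and not Datto's detector: it scores each uploaded version on ransom-note-like names, extension changes on rename, and the entropy of the written bytes, and quarantines a device once several suspicious operations land inside a short window. The sync events, device names and paths are constructed; the thresholds are assumptions to be tuned against real traffic. The entropy rule deliberately ignores formats that are compressed or encrypted by nature (Office OOXML files are zip containers), which is the main source of false positives for naive entropy checks.

```go
package main

import (
	"fmt"
	"math"
	"path"
	"strings"
	"time"
)

// SyncEvent is one file operation reported by a device during sync.
// Paths use forward slashes, as a sync service would normalise them.
type SyncEvent struct {
	Device  string
	Path    string
	OldPath string // set on renames
	Content []byte // bytes uploaded for this version; nil for rename/delete
	At      time.Time
}

// Formats that are compressed or already encrypted look random by nature;
// a high-entropy write to one of these is not evidence of ransomware.
var alreadyDense = map[string]bool{
	".zip": true, ".gz": true, ".7z": true, ".rar": true, ".pdf": true,
	".jpg": true, ".jpeg": true, ".png": true, ".mp4": true, ".mp3": true,
	".docx": true, ".xlsx": true, ".pptx": true, // OOXML is a zip container
}

// entropy is Shannon entropy in bits per byte: roughly 4.5 for English text,
// close to 8.0 for ciphertext or well-compressed data.
func entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// suspicious scores a single event. Each rule alone is noisy; the detector
// below only acts when several fire on one device in a short window.
func suspicious(e SyncEvent) (bool, string) {
	name := strings.ToLower(path.Base(e.Path))
	ext := strings.ToLower(path.Ext(e.Path))
	if strings.Contains(name, "decrypt") || strings.Contains(name, "ransom") {
		return true, "ransom-note-like name " + name
	}
	if e.OldPath != "" {
		if old := strings.ToLower(path.Ext(e.OldPath)); old != "" && old != ext {
			return true, "extension changed " + old + " -> " + ext
		}
	}
	if len(e.Content) >= 256 && !alreadyDense[ext] {
		if h := entropy(e.Content); h > 7.5 {
			return true, fmt.Sprintf("high-entropy write (%.2f bits/byte) to %s", h, ext)
		}
	}
	return false, ""
}

// Detector keeps, per device, the times of recent suspicious operations and
// quarantines the device once Threshold of them fall inside Window.
type Detector struct {
	Threshold   int
	Window      time.Duration
	recent      map[string][]time.Time
	Quarantined map[string]bool
}

func NewDetector(threshold int, window time.Duration) *Detector {
	return &Detector{Threshold: threshold, Window: window,
		recent: map[string][]time.Time{}, Quarantined: map[string]bool{}}
}

// Observe processes one event and reports whether the device is quarantined;
// a quarantined device's uploads must be rejected so encrypted copies never
// propagate to the rest of the team.
func (d *Detector) Observe(e SyncEvent) (quarantined bool, reason string) {
	if d.Quarantined[e.Device] {
		return true, "device already quarantined; upload refused"
	}
	hit, why := suspicious(e)
	if !hit {
		return false, ""
	}
	cutoff := e.At.Add(-d.Window)
	kept := d.recent[e.Device][:0] // in-place filter of the sliding window
	for _, t := range d.recent[e.Device] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, e.At)
	d.recent[e.Device] = kept
	if len(kept) >= d.Threshold {
		d.Quarantined[e.Device] = true
		return true, fmt.Sprintf("%d suspicious operations within %s; latest: %s", len(kept), d.Window, why)
	}
	return false, ""
}

// highEntropyBlob is constructed sample "ciphertext": every byte value appears
// equally often, so its entropy is exactly 8 bits per byte.
func highEntropyBlob(n int) []byte {
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(i)
	}
	return b
}

func main() {
	d := NewDetector(3, time.Minute)
	t0 := time.Date(2019, 7, 1, 9, 0, 0, 0, time.UTC)
	for _, e := range []SyncEvent{ // constructed: laptop-2 works normally, laptop-1 is being encrypted
		{Device: "laptop-2", Path: "/Projects/deck.pptx", Content: highEntropyBlob(4096), At: t0},
		{Device: "laptop-1", Path: "/Projects/q2.xlsx.locked", OldPath: "/Projects/q2.xlsx", Content: highEntropyBlob(4096), At: t0.Add(time.Second)},
		{Device: "laptop-1", Path: "/Projects/plan.docx.locked", OldPath: "/Projects/plan.docx", Content: highEntropyBlob(4096), At: t0.Add(2 * time.Second)},
		{Device: "laptop-1", Path: "/Projects/HOW_TO_DECRYPT.txt", Content: []byte("pay to recover your files"), At: t0.Add(3 * time.Second)},
	} {
		q, why := d.Observe(e)
		fmt.Printf("%-8s %-28s quarantined=%-5v %s\n", e.Device, e.Path, q, why)
	}
}
```

Quarantine is what turns detection into containment: the encrypted versions already uploaded are recoverable from version history, but only if the device is stopped before it overwrites every file the history window can hold.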

Reporting
Beyond privacy-oriented security features such as encryption, access policies, and
account management, Workplace implements a set of advanced reporting capabilities
specifically designed to support auditing for company policy compliance. These
advanced reporting features enable administrators to generate, export, and schedule
custom reports in order to establish audit trails and analytics on the following:
• Team Events - Account management events for all users and groups
• User Access Events - Device access, PC access, user logins, IP address mapping
• Project Events - All changes to any projects, folders, or files
• Device Events - All events associated with devices connected to your Datto
Workplace team

In addition, there are a number of preconfigured Special Reports, including:


• Shares Report - All team projects and shares permissions by users and groups,
including the access level
• Public Share Report - All active public shares, including configuration settings
• User Report - All users, their roles, storage quota, creation timestamp, and last
login
• Device Report - All devices by user, device type, OS version, app versions, last login
timestamp, and when they were installed and last connected

Reports can be customized, filtered, scheduled, sent to specified users and may
include or exclude a variety of events based upon selected criteria such as date range,
user, device type, file name, IP address, method of access, and more. Reports can either
be viewed on screen or exported to XLSX format. Reports on user access are mapped to
specific source IP addresses and can be viewed on a geographical map.

Corporate Headquarters: Datto, Inc., 101 Merritt 7, Norwalk, CT 06851, United States. partners@datto.com, www.datto.com, 888.294.6312
Global Offices: USA 888.294.6312; Canada 877.811.0577; EMEA +44 (0) 118 402 9606; Australia +61 (02) 9696 8190; Singapore +65-31586291
©2019 Datto, Inc. All rights reserved. Updated July 2019
