The official website of VarenyaZ
VarenyaZ
Trust Center

Shared responsibility

Cloud Security Practices

How cloud ownership, IAM, MFA, regions, network controls, secrets, encryption, logging, environment separation, patching, monitoring, and handover are handled.

How this page supports country onboarding

Country pages link here for hosting, data residency, support, and client-owned cloud discussions.

Important note

This page is general onboarding and review information. It is not legal, tax, regulatory, cybersecurity, financial, or compliance advice, and it does not create certification claims or service commitments. Final obligations belong in signed agreements and approved project documents.

Responsibility

Cloud security is shared

Responsibilities depend on whether the environment is client-owned, VarenyaZ-managed, third-party managed, or hybrid. The SOW should say who owns tenant administration, billing, IAM, backups, logging, patching, monitoring, and handover.

Controls

Common cloud control areas

Cloud security may include region selection, IAM, MFA, network segmentation, secrets management, encryption in transit, encryption at rest, logging and monitoring, environment separation, backup configuration, infrastructure-as-code, patch management, vulnerability management, incident response, and cost monitoring.

Residency

Region and residency must be explicit

Data residency, backup region, log region, support location, and subprocessor region expectations should be identified during discovery. Residency requirements can affect architecture, vendor selection, cost, and timeline.

Preparation

Buyer checklist

  • Confirm client-owned or VarenyaZ-managed cloud model.
  • Confirm region, residency, backup, and log location needs.
  • Confirm IAM, MFA, and production access model.
  • Confirm secrets, encryption, monitoring, and patching responsibilities.
  • Confirm cloud account handover and support transition.

Review materials

Available artifacts

  • Cloud responsibility matrix
  • Region decision
  • Access model
  • Backup plan
  • Handover checklist

Local overlays

Country-specific notes

United States

  • U.S. clients may prefer U.S. regions or client-owned cloud where procurement/security requires it.

United Kingdom

  • United Kingdom security review should use the project risk level, data categories, hosting model, access needs, and regulated-industry flags captured in technical discovery.
  • Review flags for United Kingdom: Legal review, Privacy review, Security review, UK transfer review when applicable.
  • Hosting and access options to discuss: Client-owned UK cloud, UK or EU hosting by agreement, Limited production access model.

European Union / EEA

  • EU/EEA clients may request EU-only hosting, SCC review, and subprocessor/location transparency.

South Korea

  • South Korea security review should use the project risk level, data categories, hosting model, access needs, and regulated-industry flags captured in technical discovery.
  • Review flags for South Korea: PIPA review, Cross-border transfer review, Security review, Procurement review, Regulated-industry review when applicable.
  • Hosting and access options to discuss: Client-owned South Korea cloud, South Korea region hosting by agreement, Limited production access model, No-production-data-access model.

Canada

  • Canada security review should use the project risk level, data categories, hosting model, access needs, and regulated-industry flags captured in technical discovery.
  • Review flags for Canada: Privacy review, Security review, Procurement review.
  • Hosting and access options to discuss: Client-owned Canadian cloud, Canadian hosting by agreement, Limited production access model.

Australia

  • Australia security review should use the project risk level, data categories, hosting model, access needs, and regulated-industry flags captured in technical discovery.
  • Review flags for Australia: Privacy review, Security review, Procurement review.
  • Hosting and access options to discuss: Client-owned Australian cloud, Australian hosting by agreement, Limited production access model.

Singapore

  • Singapore security review should use the project risk level, data categories, hosting model, access needs, and regulated-industry flags captured in technical discovery.
  • Review flags for Singapore: Privacy review, Security review, Procurement review.
  • Hosting and access options to discuss: Client-owned Singapore cloud, Singapore hosting by agreement, Limited production access model.

United Arab Emirates

  • United Arab Emirates security review should use the project risk level, data categories, hosting model, access needs, and regulated-industry flags captured in technical discovery.
  • Review flags for United Arab Emirates: Privacy review, Security review, Procurement review, Regulated-industry review when applicable.
  • Hosting and access options to discuss: Client-owned UAE cloud, UAE hosting by agreement, Limited production access model.

Next review

Connect this review to country onboarding

Use this page with the country onboarding guide so your legal, procurement, security, privacy, finance, and engineering teams have the right review path before contract signature.