Autotask data residency, security, and support

Data center facility locations

US / Australian / Spanish-speaking Partners:

• Tierpoint TekPark, Allentown, Pennsylvania, USA

United Kingdom Partners:

• Datto c/o Cyxtera, Slough, United Kingdom

EMEA / German-speaking Partners:

• Noris Network AG, Aschheim, Germany

Data residency

At all times, a partner’s Autotask instance will remain in the jurisdiction of the data center where it was created. Data centers may have multiple "zones," which are defined as logical containers of partner Autotask instances. Datto will not move a partner’s data to a new jurisdiction to perform troubleshooting or other support steps without the express, written consent of the partner. If a partner would like to move their Autotask instance to a different zone, they may engage with the Partner Success team in order to start the process. Be aware that moving a Autotask instance to another zone requires changes by the partner in order for third-party integrations, API calls, and elements such as single sign-on (among others) to operate seamlessly after the migration. Datto will provide documentation on which changes need to be made for this purpose.

Internet access

The Internet connection at our data centers as of a partner's agreement effective date is, at a minimum, two redundant, load-balanced circuits from different providers. Datto will actively monitor bandwidth utilization across its multi-homed load balanced circuits and will provision additional bandwidth as needed. Datto agrees that the total average utilization will not exceed 80% of all available bandwidth for a sustained period of 25% of the time during normal business.

Power

Datto’s data centers are protected from power failure with redundant utility feeds (2N), automatic transfer switches with diverse routing to sub stations, N+N uninterruptible power supplies with battery backup, and diesel generators for full-time power backup. Generators will operate services for up to 72 hours without refueling. Thereafter, refueling contracts are in place to ensure timely replenishment.

Fire detection and suppression

Datto provides, at all times, VESDA Aspirating Smoke Detection (ASD) and FE 25/FM-200 fire suppression systems in production data center facilities.

Environmental control

Datto provides, at all times, centrally managed, humidity regulated, N+1 redundant return plenum HVAC cooling systems.

Physical security

Data Centers are restricted areas requiring prior authorization for access. All facilities utilize integrated CCTV, card reader/biometric security systems, and man trap security for raised floor areas.

Monitoring

Datto monitors the application and database server(s) 24 hours a day, 7 days a week, 365 days per year. Datto has an on-call team that is automatically contacted in the event of an emergency and emergency measures are implemented to minimize server downtime in any such event.

Servers

Autotask servers are industry standard, best of breed hardware and software (no white box servers).

System maintenance

Datto maintains, updates, and upgrades the network on a regular basis to ensure its continued operation and hires, trains, and maintains qualified technology support and maintenance personnel. Datto provides a network that meets reasonable commercial standards with respect to accessibility, latency, packet loss, throughput, and other common factors affecting site performance. Datto keeps and maintains its network in good condition and repair.

Datto performs the following maintenance activities:

• Evaluates maintenance hot fixes, patches, and upgrades provided by hardware and software vendors and determines if they are appropriate for the Autotask application and network to meet all security and support requirements necessary to meet the system availability performance measurement.
• Implements the hot fixes, patches, and upgrades deemed necessary for the application environment.
• Completes installation verification tests of the modified software prior to any move to production and coordinates with partners through maintenance schedules.

Datto understands that the security of partner data is very important. To that end, several security policies are in place to ensure partner data is secure, including:

• separate production domains
• least privileged security model
• next-generation firewall appliances
• centrally managed endpoint protection
• central log aggregation
• and more.

Datto takes commercially reasonable steps to secure its data center and systems from intrusion, hacking, and unauthorized access to the partner’s production, test, and backup copies of your Autotask instance. Datto maintains the security and integrity of the service and the partner data, including the secure transfer of data between Autotask and partners.

More information about Datto's data security policies can be found in the annual, third-party, SOC2 report available by contacting your Account Manager.

Data breach

“Data Breach of the security of the system" is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

Data breach notification

Datto, when it becomes aware of a breach of the security of the system, conducts in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about a partner has occurred or is reasonably likely to occur, Datto provides notice as soon as possible to the affected partner. Notice will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. Notice can include: written notice; telephone call; electronic notice, including e-mail notification, posting on the Autotask application web site; notice to major media.

"Production system uptime and availability" is the total time during which a partner has the ability to access the application 24 hours per day, 7 days a week, measured on a monthly basis.

Datto uses commercially reasonable efforts to ensure that the application is available at all times for use by partners and their partners through the client portal.

Scheduled downtime

"Scheduled downtime" is the time during which a partner is not able to access the application hosted by Datto due to planned system maintenance. Generally, the application will be available 24x7, but the scheduled maintenance windows are set forth below to allow system maintenance. Datto reserves the right to schedule downtime as needed from time to time, with prior notice of any such change provided to the partner.

Scheduled maintenance

Normal maintenance periods are as follows:

Period	Description	Average Duration	Advance Notice
As needed, generally 3-6 months	Normal system maintenance	Less than 4 hours	At least 5 Business Days

System redundancy

Except for non-critical components, Datto provides full hardware and network redundancy with no single point of failure within its data center to the point of demarcation.

Backup frequency and type

Datto performs the following backup operations, which include the copying of the application, Autotask instances, and files of partners installations.

Production environments

Backup Type	Description	Frequency
Baseline	Pre-Production (go-live) Image	Once
Database – Full	Complete Autotask instance backup including all partner data in database.	Weekly
Database - Differential	Any element in the SQL Environment that has changed since the last full/differential backup.	Daily
Database – Transaction Logs	Any element in the SQL Environment that has changed since the last backup. This backup allows point in time recovery within an 1 hour window.	Hourly
Application/Attachments	All application executables and configuration files, source code for software, and partner attachments.	Daily

Backup retention

Datto will retain backup copies of partner data and other files locally and at a secure offsite location as follows:

Description	Retention Period
Hourly	3 weeks
Daily	3 weeks
Weekly	5 weeks

The Autotask secure offsite location will be located a minimum of 15 miles from the production Autotask data center. Partners may request backup copies of its Autotask instance and other files from Datto in the standard Autotask format, at the partner’s own expense, based on pricing in the pricing schedule.

Data recovery

The time to restore a partner's data files from a backup copy will vary substantially depending on a number of factors including, but not limited to, the severity of any data corruption and whether the backup data is on site or has to be retrieved from Autotask's offsite location. Datto will start the restoration of production files within 48 hours of receipt of the request.

Our customers and partners can request a backup copy of the data we host on their behalf.

• The file we can provide you is a compressed archive file containing a native SQL Server 2017 backup file and an embedded archive containing all attachments. The backup file will contain all information that is stored on your site as of the time the file is created.
• The cost of the backup is listed in your Datto contract. Please do not hesitate to get in touch with your Account Manager with any questions about pricing.
• Backups are generated by an automated process and customized backups are not possible. Backups are essentially all or nothing.
• The Champion or Owner of your company will need to order (or confirm the order of) the backup in writing. We will not process a backup order without that.
• Backups are only run once a day, at 4 PM ET.
• The minimum turnaround is two to four business days.
• The amount of time required to generate a backup varies due to data size and other backups generated on a given day.
• Customers attempting to schedule projects around timely receipt of backups must accommodate our backup generation and delivery process and should not assume immediate backup delivery.
• Backup delivery times vary widely and are determined by several factors including backup generation time and staffing.
• There are manual and automated safeguards built into our process to ensure that the data is delivered only to authorized recipients. In order avoid circumventing these safeguards, we do not manually alter our process to accommodate customer projects.