Security Statement


The scope of this document relates to the Celigo CloudExtend product line as well as the employees under the Celigo CloudExtend brand.

Reporting Incidents

If you detect or suspect a security incident related to CloudExtend please email [email protected]


We would like to make two things clear. First, we respect your privacy and take significant efforts to protect all your data. Second, we would never do anything with your data that we wouldn’t be proud to tell the world about. We go to considerable lengths to ensure that all data is handled securely – keeping our Apps and your data secure is fundamental to our business. Read a blog post written by Sameera Perera, our Director of R&D,  about the benefits of using NetSuite’s role based access control with third party apps.


  • All of our services run in the cloud. CloudExtend does not run our own routers, load balancers, DNS servers, or physical servers.
  • Our services and data are hosted in Amazon Web Services (AWS)
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.

Data Transfer

  • All data sent to or from CloudExtend is encrypted in transit using 256 bit encryption.


We’ve included checklists below that answer common security related questions we hear from our customers.

Employee Security

QuestionYES NO N/A
Is there a formal and approved information security policy?Yes
Is there a clearly defined acceptable use policy for computer use, and is it enforced?Yes
Are there clearly defined hire and termination policies and procedures?Yes
Are background checks performed as a part of your new hire procedures?Yes
Are there proper procedures for granting and revoking permissions upon hire and termination based on job duties?Yes
Is there a security awareness program?Yes

Secure Storage and Communication

QuestionYES NO N/AComments
Do you store any customer  related information? YESWe may store user name, company name, address, and email for licensing and billing purposes. We also may store account related metadata information. Additionally we capture usage details via 3rd party applications. Examples would include login attempts, number of records updated, type of record updated.
CloudExtend Excel for NetSuite may persist data on Amazon S3 when uploaded via "Burst Mode". Data is persisted only until it has been processed by NetSuite and downloaded by the user after which it is immediately deleted from S3. The data is encrypted on write with Amazon S3-Managed Encryption Keys SSE-S3).
Do you ensure that all data stored and transferred is encrypted? Yes 
Has a data encryption and storage policy and procedure been defined?Yes 

Physical Security of Data Hosting Location

Data is hosted in Amazon’s Web Services Data Centers. A brief summary is below and detailed physcial security documents are available at: and

Amazon has very strict rules regarding access to the physical premises of their data centers. Only approved employees are authorized to enter and 3rd party access is scrutinized based on the principle of least privilege where request must specify to which layer of the data center the individual needs access, and are time-bound. Entry gates are staffed with security officers, monitors, and cameras. Entry badges for approved visitors requires multi-factor authentication. Physical access to AWS data centers is logged, monitored, and retained. Entrances to server rooms are secured with devices that sound alarms to initiate an incident response if the door is forced or held open.  Additionally, electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide multi-factor authentication before granting entry or exit.

When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned.

Network Security

QuestionYES NO N/AComments
Is the hosting infrastructure protected by a firewall? YesThe firewall is enabled in the AWS infrastructure
Is there an IDS or IPS monitoring the network?YesThis is enabled in the AWS infrastructure
Are servers on dedicated network segments?NoOur infrastructure is hosted on Amazon AWS

Server Security

QuestionYES NO N/AComments
Do servers with customer data enforce a minimum password length of 8 or more characters?YesA minimum of 128 bit security keys are used to access AWS.
Is two-factor authentication (2FA) used?YesFor access to AWS security console 2FA is enabled
Is a Host Intrusion Detection System used?Yes

Desktop Security

QuestionYES NO N/AComments
Does the organization require a minimum password length of 8 or more characters?Yes 
Is there a password rotation policy?NoNo rotation policy for user desktops/laptops. Rotation policy applies for master password to the cloud Identity and Access Management provider used for accessing all other systems / software. Policy requires that the master password is never stored (saved) by the user
Is two-factor authentication used?YesAccess to cloud IdP is protected by 2fA
Does the organization require all desktops to have antivirus software?Yes
Are all desktop computers part of a domain?No 
Are users allowed to install applications?Yes 
Are users keyboard and monitors recorded?No 
Are users network activity recorded?No 

Monitoring and Contact

QuestionYES NO N/AComments
Is there a 24/7 contact number for outages?NoStatus updates are provided at
We’ll generally know of outages before customers report them.We have internal processes that monitor our API’s and proactively alert staff on standby. Customers can also report outages on the status page.
Is there a 24/7 contact number for security incidents?NoWe’ll generally know of incidents before customers report them. We have internal processes that monitor our API’s and proactively alert staff on standby. Incidents can be reported to [email protected]
Are logs and events monitored Yes 
For planned maintenance, can customer be notified? Yes 
For security incidents, can customer be notified? Yes 

GDPR readiness

Visit for up to date information on our GDPR readiness.

Show Buttons
Hide Buttons