Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices regarding data center location, business operations, facility characteristics, software controls, risk mitigation, and more can be instrumental in preventing unexpected events from affecting customers. The following practices help to maintain secure and dependable operation of the Autodesk Managed Cloud Services.
Autodesk’s Cloud Security & Compliance team is responsible for the daily operation of the Autodesk Managed Cloud Services. Members of the team belong to these professional organizations and have the following certifications:
For the Autodesk Managed Cloud Services, the Cloud Security & Compliance team may:
Autodesk uses a hybrid model to host the production systems for the Autodesk Managed Cloud Services, which includes data centers and cloud providers. Each data center furnishes 24/7 security staffing and formalized security access procedures. Advanced technologies provide physical and electronic barriers that help to control access.
Each data center that hosts the Autodesk Managed Cloud Services includes redundant systems to manage its environment, hardware, and network connectivity. Multiple levels of protection help to mitigate the risk of downtime.
Experienced security firms conduct annual independent security reviews of the service environment of the Autodesk Managed Cloud Services.
Autodesk protects customer data within the Autodesk Managed Cloud Services by using a multitenancy model to provide an additional layer of separation at the application level. This model uses a single instance of a software application to serve multiple customers, or tenants. For further protection, tenants cannot customize the application's underlying code.
We work with independent external security experts to regularly perform extensive security scans and assessments of the applications that make up the Autodesk Managed Cloud Services.
Autodesk uses automated monitoring tools to oversee the proper operation of Autodesk Managed Cloud Services components. Reliable monitoring tools help us to respond to incidents before they affect customers.
We employ an incident management process to quickly respond to events that adversely affect the Autodesk Managed Cloud Services. If you believe such an event has occurred, Autodesk is available 24/7 to respond. We treat events that directly impact customers with the highest priority. To report an incident, contact us.
Autodesk conducts annual security policy audits. In addition, we may update our security policy periodically during the year as needed. For example, we review and implement new policy solutions from respected trade groups as appropriate. If we discover a procedural vulnerability, security policy updates may be implemented promptly.
Customers own the data that they place in the Autodesk Managed Cloud Services. At any time during the use of these services, you can export your data. If you decide to stop using the services, you have 30 days to export your data. Refer to the Autodesk Terms of Service for details.
Autodesk requires that U.S. accounting firms conducting audits on the Autodesk Managed Cloud Services be accredited by the American Institute of Certified Public Accountants (AICPA).
Autodesk performs regular audits of the Autodesk Managed Cloud Services. We audit in accordance with the Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE16), and specifically the Service Organization Control (SOC) 2 Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy. SSAE16-SOC2 reports provide users with information about SaaS operations and applications, particularly system controls intended to meet the criteria for the security and availability principles set forth in AICPA Technical Practice Aids—Trust Services Principles, Criteria, and Illustrations (TSP), Section 100 (applicable trust services criteria).
To read the full Autodesk SSAE16-SOC2 audit report, which requires a signed Autodesk nondisclosure agreement (NDA), contact us. Read more detailed information about the SSAE16 standard on the AICPA website.
A note about Statement on Auditing Standards 70 Type II (SAS70 Type II): Autodesk provisions data centers that host the Autodesk Managed Cloud Services to maintain Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE16), the latest SAS70 replacement. We conducted the first SAS70 attestation in July 2007 and continue to perform audits under the current SSAE16 standard.
Autodesk views ISAE 3000 as an excellent platform for establishing basic principles and procedures when conducting assurance engagements, such as ISAE 3402. To learn more, read ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information.
Autodesk has been performing independent security reviews (ISRs) since 2005.
The Autodesk Managed Cloud Services operate in conformance with the requirements of the ISO 27001 certification.