Deployment Review Terms and Requirements

  1. Customer’s Clumio deployments will be subject to weekly Deployment Reviews by Clumio. Customer is responsible for responding and collaborating with Clumio within two (2) business days of Clumio’s request thereof to resolve issues pertaining to (but not limited to):
    • AWS-Clumio account connection status;
    • Failed backup tasks;
    • Failed file level indexing tasks;
    • Customer-managed key configuration (“CMK”); and
    • Security settings – SSO, RBAC.
  2. In order for Customer to complete a Deployment Review, the following criteria must be met:
    • Customer’s Clumio environment must have SSO configured and enabled;
    • The AWS environment must have SSO configured and enabled;
    • At least 1 Clumio backup task must have been completed successfully prior to initiation of a restore;
    • Customers leveraging the “Bring Your Own Key” (“BYOK”) encryption feature are responsible for ensuring proper configuration of the feature at the time of restore. If a customer leverages BYOK for Clumio backup and their CMK is not available at time of restore, the backup is permanently irretrievable;
    • Customer must have the ability to leverage an uncompromised AWS environment for Clumio connection at the time of any restore or restoration of Customer Data;
    • Clumio default Password expiration must not be configured for less than 90 days;
    • Clumio idle session timeout default must not be configured for less than 10 minutes;
    • Audit logs must be sent to a Security Incident Event Management (“SIEM”) at Clumio and/or reviewed monthly for unexpected changes to backup policy retention values. In the event an anomaly is detected, Customer should involve Clumio immediately by contacting; and
    • Any administrative role in Clumio at Customer must not be tied to any individual user account on a permanent basis.
  3. In order for Customer to be in compliance with the requirements of the Clumio Deployment Review on an ongoing basis, Customer must provide:
    • A letter of attestation, on an annual basis, regarding a pen test from a certified 3rd party within the last year and remediation status;
    • On an annual basis, evidence of a current, active security program (a SOC 2 Type 2 report that’s published less than 12 months ago or a Bridge Letter, or an ISO 27001 certificate of registration with a completed audit less than 12 months ago);
    • An access control policy and procedure reasonably acceptable to Clumio and that ensures:
      • User roles are assigned with least privilege access;
      • Multi-factor authentication is utilized; and
      • Service tokens are refreshed at least every 90 days.
    • IP whitelisting is in use in the Clumio platform;
    • Evidence that the customer’s AWS account is scanned monthly for security posture (e.g. Scoutsuite, AWS Security Hub, etc.) must be provided to Clumio each month by contacting;
    • A vulnerability management policy and procedure reasonably acceptable to Clumio must be provided that ensures:
      • Zero-day, Critical, and High Severity vulnerabilities are triaged and addressed at the highest priority;
      • Routine scanning of vulnerabilities is enabled; and
      • A patch management process is in place to ensure vulnerabilities are addressed in a timely fashion according to their severity.
    • Evidence that the Customer email domain used for Clumio portal logins has spoofing protections (minimally, DKIM and SPF);
    • Evidence that Customer is running anti-malware/anti-ransomware software on all endpoints and servers;
    • Evidence that Customer’s internal data is encrypted at rest and in transit;
    • Evidence that all interfaces to third party systems are encrypted;
    • Evidence that Customer is not using any insecure (cleartext) authentication; and
    • Evidence that Customer has ensured that all default administrative accounts are changed from vendor defaults or disabled.