Nextcloud is a leading free, open source, web-based office application, offering document sharing, contacts, calendar and much more. Webarchitects can provide managed Nextcloud virtual servers.
Get your organisation onto the co-operative cloud — why trust the hosting of your office documents to a remote US-based corporation?
Webarchitects are able to provide secure, private, managed, GDPR compliant Nextcloud virtual servers with HTTPS certificates, running in our data centre in Sheffield powered by green energy, along with support for desktop and mobile client configuration.
We provision Nextcloud servers using our public Ansible playbook and can optionally (this takes up quite a lot of disk space) also install the Collabora Online app and the Collabora Online Development Edition Docker container, on the same server — this allows the WYSIWYG editing of documents and spreadsheets using a web browser.
Using your own, private, Nextcloud server, as opposed to Office 365 from Microsoft or G Suite (Google Docs etc.), might be the best option for organisations which need to comply with the General Data Protection Regulation (GDPR), to quote from the Nextcloud blog:
Using a free Public Cloud is certainly the worst idea you could have: do you have clear proof that your customers consented to have their driving license uploaded on Google servers in the USA, with all the privacy and security concerns it implies? All US-based companies currently worry about GDPR, since they cannot ensure the “adequate level of protection” (General Data Protection Regulation, article 45).
Being GDPR-compliant starts with one requirement: knowing which data you have, where they are stored, and who has access to these data.
Nextcloud offers a full audit trail with audit logs including:
- user session (login, logout, user agent)
- file handling (download, upload, modify, (un)delete, tag, comment, restore old version)
- user management (creating/deleting/changing user, setting a password)
- sharing (creating, deleting, changing permissions, updating a password, setting an expiration date)
To ensure various levels of legal compliance, personal data must be stored in certain countries only.
Ensuring security of personal data is one of the most important requirements of GDPR: companies must evaluate their risks and mitigate them. Main requirements include:
- encryption of data at rest, in transit and on the cloud. Your company alone must have the key. That already blocks most server-side encryption solutions and public clouds from usage: if you don’t encrypt the data first before sending it off, using Amazon S3, Google, Microsoft or other cloud services is very risky, especially in their free versions.
- ability to retrieve personal data in case of accidental or non-accidental problems, from malicious attacks to ransomware issues. 2017 might be the year of ransomware but there is no reason to assume the problem is solved in 2018.
- the software used to manage data must be trustworthy, that is, verified, approved, certified or at least transparent enough (like open source).
For more details see the Guide to the General Data Protection Regulation (GDPR) from the Information Commissioner's Office.
All the disks that our Sheffield-based virtual servers are hosted on, and the disks they are backed up to (we keep 30 days' worth of snapshots of the disks of our virtual servers), are encrypted. In addition, for clients that require it, we can optionally use LUKS to encrypt the data partitions of your disks; clients can then replace the passphrases provided by us with their own, so that we are no longer able to decrypt the disks. If this is done, clients need to unlock their disks via the Xen shell after each reboot. Note that a LUKS header holds several key slots, each unlocked by its own passphrase: adding your own passphrase without replacing or removing ours would leave the disk decryptable by us, so check the header after the change and make sure only your slot remains.
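The passphrase replacement described above, as an added shell example; it is not Webarchitects' own script and is not part of the Ansible playbook. It assumes an encrypted data partition at a device path passed as the first argument (the `/dev/xvdb1` in the usage line is an assumed name) and two root-only files holding the provider-supplied and the new passphrase. The rotation needs root on the VM and `cryptsetup`; the `count_enabled_keyslots` helper parses `cryptsetup luksDump` output (LUKS1 and LUKS2 layouts) so the "only my slot remains" check can be scripted. Unlocking at boot via the Xen shell is a separate step and is not covered here.

```shell
#!/bin/sh
# Added example, not Webarchitects' own script: replace a provider-supplied LUKS
# passphrase with your own and verify that no other key slot is left behind.
# Assumptions (illustrative, not from the page): the data partition device path,
# e.g. /dev/xvdb1, and two root-only files holding the old and new passphrases.
set -eu

# Count enabled key slots in `cryptsetup luksDump` output read from stdin.
# LUKS1 prints "Key Slot N: ENABLED"; LUKS2 lists slots as "  N: luks2" under
# a "Keyslots:" heading (the "Tokens:"/"Digests:" sections that follow use the
# same "  N: ..." layout, so counting stops when they start).
count_enabled_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/  { n++ }
        /^Keyslots:/                 { in_ks = 1; next }
        /^(Tokens|Digests):/         { in_ks = 0 }
        in_ks && /^  [0-9]+: luks2/  { n++ }
        END { print n + 0 }
    '
}

# Change the passphrase in place: luksChangeKey rewrites the key slot that the
# old passphrase unlocks, so the provider's passphrase stops working at once
# (luksAddKey alone would leave the old slot valid).
rotate_luks_passphrase() {
    dev=$1; old_keyfile=$2; new_keyfile=$3
    cryptsetup luksChangeKey "$dev" "$new_keyfile" --key-file "$old_keyfile"
}

# Prove the new passphrase unlocks the volume (without activating it) and that
# exactly one key slot remains; any extra slot could be one the provider kept.
verify_sole_keyslot() {
    dev=$1; new_keyfile=$2
    cryptsetup open --test-passphrase "$dev" --key-file "$new_keyfile"
    slots=$(cryptsetup luksDump "$dev" | count_enabled_keyslots)
    if [ "$slots" -ne 1 ]; then
        echo "warning: $slots key slots enabled on $dev; inspect 'cryptsetup luksDump $dev'" \
             "and remove foreign slots with 'cryptsetup luksKillSlot $dev <N>'" >&2
        return 1
    fi
}

# Usage (as root): rotate-luks.sh /dev/xvdb1 /root/old.key /root/new.key
if [ $# -eq 3 ]; then
    rotate_luks_passphrase "$1" "$2" "$3"
    verify_sole_keyslot "$1" "$3"
    shred -u "$2"   # the provider's passphrase file is no longer needed
fi
```

`luksChangeKey` is used rather than `luksAddKey` because it overwrites the slot the old passphrase opens; if the provider had also set up a second slot, the count check reports it and `luksKillSlot` removes it. Keep the new passphrase somewhere you can reach from the Xen shell, since it is needed at every reboot.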