HomeDocumentation and Guides

Cisco Cloudlock Data Storage Overview

This is an overview of the data storage practices of Cloudlock, Inc., as embedded in Cisco Cloudlock. In general, Cloudlock stores metadata but not customer data. See the following sections for details.

Table of Contents

Usernames and Credentials

Usernames and credentials are generally not stored. In some cases storage of usernames and/or emails is required. For example, Cloudlock does retain the email address of the primary administrator for each customer’s instance of our application. Other than those specific cases, however, Cloudlock does not generally collect or store usernames or credentials. Cloudlock uses identity providers such as Google, OneLogin, and others to validate credentials. OAuth2 or SAML are used for login. Users log into their own domains, but not through Cloudlock.


Some metadata is stored. Cloudlock collects the metadata from protected platforms in order to provide identifying information within Incidents. Metadata may include items from the following list, which applies to documents, objects, and assets, depending on the protected platform.
**For protected Documents, Objects, or Assets:

  • Name
  • Document or Object ID
  • Owner’s email address
  • Collaborators’ email addresses and access rights
  • Attributes (for example, file type, object type, last modification time, creation time, size, etc.)
    For Cloudlock Incidents:
  • Audited actions performed on an object triggering an incident (the object itself is not stored by Cloudlock)
    For protected platforms:
  • Domain, organization name and subdomain names, if any.
  • Usernames associated with the domain, including internal and external collaborators
    **Exporting and/or deleting metadata
  • All reports and related information within Cloudlock can be exported at any time.
  • Upon termination of any contract with Cloudlock, metadata will be deleted if required.

Metadata Stored by Cloudlock

accountemailCloudlock primary administrator email address
appapp_nameThe name of an AFW app
appapp_creatorThe ID of the app creator
appdescriptionDescription of the AFW app
app_eventevent_dateDate on which an AFW app event occurred
app_eventevent_typeThe type of AFW app event which occurred
app_eventdescriptionDescription of the AFW app event
app_eventevent_byUsername of the user who triggered the AFW app event
app_installinstall_dateThe date the application was installed into the domain
app_installstateWhether or not the app is currently installed
app_installupdated_onThe date the installation was updated
app_installinstall_typeThe type of installation which occurred
auditorigination_valueUnique ID associated with an auditable action taken by a user within Cloudlock
auditwhenThe date and time that an auditable action was taken by a user within Cloudlock
auditdetailsSpecific details of an auditable action taken by a user within Cloudlock
entitynameThe name of a document, event or app installation
entityextraAdditional vendor-specific metadata describing an installation
entityvendor_subtypeThe filetype of a document
entitycreated_onDate the entity was created by the vendor
entityupdated_onLast modified date recorded from vendor
entityviewed_onLast viewed date recorded from vendor
entityentity_statusThe status of an object from a vendor (existing, deleted, etc)
entitydeleted_onDate the vendor recorded this entity as deleted
entitylast_scan_idThe change ID from the vendor
incident_detailextraVendor-specific customer metadata describing an object that triggered an incident
incident_notesnoteA customer-specified note associated with an incident
incident_notification_logsubjectThe subject of an email that was sent
incident_notification_logto_addressesThe addresses the email was sent to
incident_notification_logcc_addressesThe cc addresses the email was sent to
incident_notification_logbcc_addressesThe bcc addresses the email was sent to
incident_notification_logcustom_messageThe custom message that was in a sent email
incident_notification_logreply_toThe reply to addresses associated with the sent email
incident_notification_logextraExtra metadata associated with the sent email
ip_librarynameThe customer specified name of a known IP address
ip_librarydescriptionThe customer specified description of a known IP address
ip_librarylocationThe geographical coordinates of a known IP address
ip_libraryip_addressA known IP address
mail_notification_actiontoRecipient(s) of an email notification response action
mail_notification_actionccCC’ed recipient(s) of an email notification response action
mail_notification_actionbccBCC’ed recipient(s) of an email notification response action
mail_notification_actionreply_toEmail address of the administrator the recipient can reply to
organizationnameThe name of the organization (usually a domain name)
organization_asseturlThe url that the vendor asset is located
organization_assetkeyThe unique identifier from the vendor
organization_groupvalueA user or group name
organization_groupvendor_idA unique ID associated with the user or group
organization_groupgiven_nameA user’s given name
organization_groupfamily_nameA user’s family name
organization_groupextraAdditional metadata associated with a user or group
organization_grouptypeWhether the record references a user or a group
organization_groupcreated_onThe date that a user or group was created
organization_groupstatusThe status of the group or user (active, inactive, etc)

Cloudlock Monitoring

Cisco Cloudlock uses in-memory monitoring to audit protected platforms. No files or content are saved, kept or stored anywhere. The only data Cloudlock retains is the meta data listed above along with a redacted snippet of the flagged data.
For example upon detection of a credit card only the following would be recorded: “XXXXXXXXXXXX6899”
Further information on our security procedures can be found in the Cloudlock Trust Center.