Compliance & sovereignty
Cloud Digit Bangladesh is built for a regulated, sovereign-data audience first. This page maps the most-asked controls onto the platform.
Sovereignty model
| Property | Cloud Digit |
|---|---|
| Operating jurisdiction | Bangladesh (BTRC-licensed) |
| Data residency | All customer data + processing within BD borders, all three regions |
| Off-shore fall-back | None. No region outside Bangladesh, by design. |
| Operator nationality | Bangladeshi entity; admin staff under local labour law |
| Lawful access | BD courts / BTRC under BD legal process only |
| Forex | None — billed in BDT, no USD ledger |
Regulatory mappings
Bangladesh Bank ICT Security Guideline 4.0 (banks, NBFIs, MFS, PSPs)
| Control area | Cloud Digit alignment |
|---|---|
| §4 — Information Security Governance | Customer-side responsibility; we provide audit logs, RBAC, evidence packs |
| §5 — Risk Management | DR options (BaaS, DRaaS), multi-region, defined RTO/RPO |
| §6 — Asset Management | Resource tagging, inventory APIs, classification labels |
| §7 — HR Security | Operator-side: NDA, background checks, cleared zones |
| §8 — Physical & Environmental | Tier-III, biometric access, 24/7 manned, CCTV retention |
| §9 — Access Control | MFA-mandatory admin, IAM, JIT-style break-glass |
| §10 — Cryptography | TLS 1.2+ in transit, AES-256 at rest, KMS-managed keys; BYOK roadmap |
| §11 — Operations Security | Patch SLAs, hardening baselines, vuln scans |
| §12 — Communications Security | VPC isolation, segmented networks, optional private link |
| §13 — System Acquisition / Dev | Customer-side; we provide CI/CD, registry, K8s |
| §14 — Supplier Relationships | Sovereignty attestation pack on request |
| §15 — Incident Management | 24/7 NOC, status page, P1 RCA within 5 BWD |
| §16 — Business Continuity | Cross-region DRaaS, BaaS, geographic diversity (DHA/CTG/SYL) |
| §17 — Compliance | Audit-trail exports (CloudTrail-equivalent), evidence packs |
A detailed ICT 4.0 control-mapping spreadsheet is available under NDA; the account owner can request it by opening a ticket.
Other frameworks
| Framework | Status |
|---|---|
| BTRC licensing | Holder (active) |
| ISO 27001:2022 | Certified — see audit pack |
| PCI DSS v4.0 | Compliant scope on dedicated infra; SAQ-D-MERCHANT path supported |
| SOC 2 Type II | Annual attestation |
| Bangladesh Personal Data Protection (draft) | Tracked; aligned by design |
| NBR / VAT | Mushak-compliant invoicing |
| e-GP / PPR-2008 procurement | Vendor-listed |
Audit & evidence
- Activity logs — every API call, console action, and resource change retained for 18 months by default; longer on request
- Tenant logs export — push to your own object bucket or SIEM in JSON
- Evidence packs — point-in-time snapshot of compliance posture (incl. DC tour notes, Tier-III attestations, ISO/SOC reports). Generated on request, NDA-gated.
- Right-to-audit — included in the Master Service Agreement for Enterprise / Regulated FI tiers, scheduled annually
Data classification & DLP
- Resource tags include a free-form `data-classification` label (e.g., `Public`, `Internal`, `Confidential`, `Restricted`)
- Object Lock for WORM / immutability — see Object Lock
- Managed SIEM available — see SIEM
Lawful access
Cloud Digit will only respond to lawfully issued process from Bangladesh authorities (court orders, BTRC directives where applicable). Foreign discovery requests are not honoured directly; they must go through Mutual Legal Assistance Treaty channels and Bangladeshi courts. Customers are notified of any requests targeting their data unless the order specifically prohibits notification.