StreamSets Platform Security Policy

  1. Introduction. As further described in this StreamSets Security Policy (“Security Policy”), StreamSets uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration, or disclosure of Configuration Data stored on systems under StreamSets’ control.When the Products are used as a Service, the Service operates on Amazon Web Services, Inc. or Google Cloud (the “Cloud Provider”) and is protected by Cloud Provider’s security and environmental controls.

    Detailed information about Cloud Provider’s security is available at either www.aws.amazon.com/security/ and www.aws.amazon.com/compliance/shared-responsibility-model or www.cloud.google.com/security/. For clarity, only Configuration Data—and not Pipeline Data—is accessible by the Service.

    When the Products are used as Software, the Software is installed on Customer’s infrastructure and StreamSets does not have access to Configuration Data or Pipeline Data.
  2. Technical Measures.
    1. Access Controls.
      1. Access to the Service—which is hosted by Cloud Provider—is controlled by Customer via user IDs and passwords.
      2. StreamSets limits access to the Service to those employees and contractors needed to perform authorized tasks (“StreamSets Personnel”).
      3. StreamSets has implemented a role-based program to limit StreamSets Personnel access to Configuration Data:
      4. Access is granted on a least privilege necessary basis. If such access is granted, StreamSets Personnel are prohibited from storing Configuration Data on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of StreamSets.
      5. StreamSets maintains and monitors logs to review access to Configuration Data.
      6. Upon termination of StreamSets Personnel, any access to Configuration Data, the Service, and StreamSets’ facilities is also terminated.
    2. Encryption.
      1. Configuration Data is always encrypted in transit to and from Cloud Provider’s systems via Secure Socket Layer / Transport Layer Security 1.2.
    3. Network Security / Intrusion Protection.
      1. Cloud Provider’s systems are ISO 27001 certified. For information about Cloud Provider’s SOC certification, please see www.aws.amazon.com/compliance/soc-faqs or www.cloud.google.com/security/compliance/. Further, these systems deploy 24x7x365 monitoring, anomaly detection algorithms, and rule-based exception alert mechanisms.
      2. StreamSets’ own network (the “StreamSets Network”) is set behind a firewall and designed to detect and thwart inappropriate access. The StreamSets Network is segmented with security groups defining access control lists on an as-needed basis.
        1. For enhanced security within the StreamSets Network, StreamSets imposes Network Address Translation to non-published addresses.
      3. On the StreamSets Network, StreamSets employs a centralized multi-factor authentication access management system to control StreamSets Personnel access to StreamSets’ servers.
    4. Asset Management.
      1. StreamSets’ assets—including StreamSets Personnel laptops—are tagged and tracked.
      2. StreamSets requires all StreamSets Personnel to report any lost assets, immediately. Once a loss is reported, StreamSets will attempt to remotely wipe the asset.
      3. Managed antivirus is deployed on all StreamSets Personnel laptops and workstations to monitor for malware, viruses, and other malicious exploits.
    5. Audit Logs.
      1. All logs for the Service are reviewed on a regular basis.
      2. Any exception reporting—such as intrusion or breach detection—immediately triggers a review of access logs.
  3. Physical and Environmental Controls.
    1. The Service and Configuration Data are hosted with the Cloud Provider and all physical security controls are managed by the Cloud Provider. StreamSets reviews the Cloud Provider’s SOC 2 Type 2 report annually to ensure appropriate physical security controls.
    2. Physical access to StreamSets’ facilities is controlled via computer chip enabled key cards.
    3. 24x7x365 cameras are deployed at key StreamSets’ facilities to monitor entry points.
  4. Vulnerability Scans.
    1. Cloud Provider conducts regular vulnerability scans of its systems. Cloud Provider also enables Customer to conduct its own vulnerability testing of Cloud Provider’s systems.
    2. StreamSets conducts security vulnerability scans of the StreamSets Network on a regular basis. At least annually, a third party conducts similar scans. A copy of the results of such third-party scans will be provided to Customer upon reasonable request, no more than once annually, and such report will be deemed the Confidential Information of StreamSets without any further marking or designation.
  5. Security Incident Response.
    1. A “Security Incident” is (a) the unauthorized access to or disclosure of Configuration Data, or (b) the unauthorized access to the systems within the Service that transmit or analyze Configuration Data.
    2. StreamSets will notify Customer in writing or email within seventy-two (72) hours of a confirmed Security Incident.
    3. StreamSets will take appropriate actions to contain, investigate, and mitigate the Security Incident.
    4. An incident report is created after the investigation is complete and communicated to Customer, and such report will be deemed the Confidential Information of StreamSets without any further marking or designation.
  6. Business Continuity Plan.
    1. StreamSets maintains a Business Continuity Plan (“BCP“). As part of this BCP:
      1. StreamSets has facilities and StreamSets Personnel in multiple geographic zones, worldwide.
    2. The BCP is tested annually.
  7. Organizational Measures.
    1. Background Checks.StreamSets performs background screening as part of the StreamSets hiring process, to the extent legally permissible. The scope of this screening includes:
      1. Criminal records.
      2. Verification reports including identity, previous employment, education, and social security number.
      3. Reference checks.
    2. Security Training.
      1. StreamSets maintains a security awareness program for StreamSets Personnel that provides initial education to all StreamSets Personnel.
      2. Ongoing training in security and secure computing is provided to StreamSets Personnel who are engaged in the development and operations of the Products.
      3. Additional security trainings are made available on an ad-hoc basis.
    3. StreamSets Personnel Management.
      1. StreamSets Personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding business ethics, appropriate usage, and professional standards.
      2. As a condition of employment, StreamSets Personnel are required to execute a confidentiality agreement.

Description of the technical and organizational measures implemented by StreamSets (including any relevant certifications).

Measure Description
Measures of pseudonymisation and encryption of personal data Data is encrypted with HTTPS over TLS 1.2 in transit, and is encrypted at rest using an industry-standard AES-256 encryption algorithm using RSA-2048 keys. When the Products are used as a Service, the Service operates either on Amazon Web Services (“AWS”) or Google Cloud Platform (“GCP”, and each a “Cloud Provider”). The Service is protected by Cloud Provider’s security and environmental controls.

In relation to each Cloud Provider specifically:

  • Data that resides in AWS is encrypted at rest as further detailed in AWS’ documentation and white papers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys via AWS Key Management Service (KMS) are IAM role protected, and protected by AWS-provided Hardware Security Modules (HSMs) certified under FIPS 140-2.
  • Data that resides in GCP is encrypted at rest as further detailed in GCP’s documentation and white papers. In particular, GCP instances and volumes are encrypted using AES-256. Encryption keys via Cloud Key Management Service (Cloud KMS) are IAM role protected, and protected by GCP-provided HSM certified under FIPS 140-2.

When the Products are used as Software, the Software is installed on Customer’s infrastructure and StreamSets does not have access to Configuration Data or Pipeline Data.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services 1. Access Controls

  • Access to the Service – which is hosted by Cloud Provider – is controlled by Customer via user IDs and passwords.
  • For the avoidance of doubt, only Configuration Data – and not Pipeline Data – is accessible by the Service.
  • StreamSets limits access to the Service to those employees and contractors needed to perform authorized tasks (“StreamSets Personnel”).
  • StreamSets has implemented a role-based access control program (RBAC) to limit StreamSets Personnel access to Configuration Data.
  • Access is granted on a least privilege necessary basis. If such access is granted, StreamSets Personnel are prohibited from storing Configuration Data on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of StreamSets.
  • StreamSets maintains and monitors logs to review access to Configuration Data.
  • Upon termination of StreamSets Personnel, any access to Configuration Data, the Service, and StreamSets’ facilities is also terminated.

2. Encryption

  • As mentioned above, Configuration Data is always encrypted in transit to and from Cloud Provider’s systems via Secure Socket Layer / Transport Layer Security 1.2.

3. Network Security / Intrusion Protection

  • Cloud Provider’s systems are ISO 27001 certified.
    • AWS has obtained certifications for compliance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1. See https://aws.amazon.com/compliance/iso-certified/
    • GCP has obtained certifications for ISO/IEC 27001:2013, 27017:2015, 27018:2019, 27701:2019, 9001:2015, and CSA STAR CCM v3.0.1. See https://cloud.google.com/security/compliance/offerings
  • Information about each Cloud Provider’s SOC certifications is available online:
    • For AWS: www.aws.amazon.com/compliance/soc-faqs
    • For GCP: www.cloud.google.com/security/compliance/.
  • Further, AWS and GCP deploy 24x7x365 monitoring, anomaly detection algorithms, and rule-based exception alert mechanisms.
  • StreamSets’ own network (the “StreamSets Network”) is set behind a firewall and designed to detect and thwart inappropriate access. The StreamSets Network is segmented with security groups defining access control lists on an as-needed basis.
  • For enhanced security within the StreamSets Network, StreamSets imposes Network Address Translation to non-published addresses.
  • On the StreamSets Network, StreamSets employs a centralized multi-factor authentication access management system to control StreamSets Personnel access to StreamSets’ servers.

StreamSets’ own SOC 2 Type II compliance report, which is available upon request, contains all operational controls and system descriptions to meet the requirement.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident StreamSets maintains a Business Continuity Plan (“BCP“). As part of this BCP, StreamSets has facilities and StreamSets Personnel in multiple geographic zones, worldwide. The BCP is tested annually.

In addition to the cross-region database replication process, the Service operates a full daily backup of 30 days, and full monthly backup of 12 months retention. Backups may be restored periodically for service verification and disaster recovery exercise.

Where a Security Incident arises:

  • StreamSets will notify Customer in writing or email within seventy-two (72) hours of a confirmed Security Incident. A “Security Incident” is (a) the unauthorized access to or disclosure of Configuration Data, or (b) the unauthorized access to the systems within the Service that transmit or analyze Configuration Data.
  • StreamSets will take appropriate actions to contain, investigate, and mitigate the Security Incident.
  • An incident report is created after the investigation is complete and communicated to Customer, and such report will be deemed as Confidential Information of StreamSets without any further marking or designation.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Each Cloud Provider conducts regular vulnerability scans of its systems. Each Cloud Provider also enables Customer to conduct its own vulnerability testing of Cloud Provider’s systems.

StreamSets conducts security vulnerability scans of the StreamSets Network on a regular basis. At least annually, a third party conducts similar scans. A copy of the results of such third-party scans may be provided to Customer upon reasonable request, no more than once annually, and such report will be deemed the Confidential Information of StreamSets without any further marking or designation.

StreamSets undergoes annual penetration testing and for certain parts of the Service, SOC 2 Type II audits.

StreamSets also conducts a monthly security review of infrastructure and network audit entries per change control management policy.
Measures for user identification and authorisation Single sign-on (SSO) and Multi-Factor Authentication (MFA) are mandatory for all user identification and authorization.

On the StreamSets Network, StreamSets employs a centralized multi-factor authentication access management system to control StreamSets Personnel access to StreamSets’ servers.
Measures for the protection of data during transmission Configuration and Usage Data is always encrypted in transit to and from Cloud Provider’s systems via Secure Socket Layer / Transport Layer Security 1.2 and above.
Measures for the protection of data during storage As mentioned above, each Cloud Provider’s systems are ISO 27001 certified (see above row on “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services” for additional information).

For more information about Cloud Provider’s SOC certification, please see www.aws.amazon.com/compliance/soc-faqs or www.cloud.google.com/security/compliance/. Further, these systems deploy 24x7x365 monitoring, anomaly detection algorithms, and rule-based exception alert mechanisms.

All data is encrypted at rest (see above row on “Measures of pseudonymisation and encryption of personal data” for more information).
Measures for ensuring physical security of locations at which personal data are processed The Service and Configuration Data are hosted with the Cloud Provider and all physical security controls are managed by the Cloud Provider.

StreamSets reviews the Cloud Provider’s SOC 2 Type 2 report annually to ensure appropriate physical security controls. Additional information on the Cloud Provider’s SOC 2 compliance can be found at either www.aws.amazon.com/compliance/soc-faqs or www.cloud.google.com/security/compliance/.

Physical access to StreamSets’ facilities is controlled via computer chip enabled key cards.

24x7x365 cameras are deployed at key StreamSets’ facilities to monitor entry points.
Measures for ensuring events logging All logs for the Service are reviewed on a regular basis.

Any exception reporting—such as intrusion or breach detection—immediately triggers a review of access logs.

StreamSets’ security event tracking (SET) system keeps track of all security related incidents. Incident triage, post-mortem report, and customer communication are included in the SET process.
Measures for ensuring system configuration, including default configuration StreamSets uses version control System which maintains service properties and configuration of each release.
Measures for internal IT and IT security governance and management StreamSets performs background screening as part of the StreamSets hiring process, to the extent legally permissible. The scope of this screening includes:

  • Criminal records;
  • Verification reports including identity, previous employment, education, and social security number; and
  • Reference checks.

StreamSets maintains a security awareness program for StreamSets Personnel that provides initial education to all StreamSets Personnel.

Ongoing training in security and secure computing is provided to StreamSets Personnel who are engaged in the development and operations of the Products.

Additional security trainings are made available on an ad-hoc basis.

IT staff are trained in the use and deployment of security solutions used to protect against malicious software. Employees are required to complete the annual security training, and are aware of the security policies enforced on their workstations and laptops.

StreamSets Personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding business ethics, appropriate usage, and professional standards.

As a condition of employment, StreamSets Personnel are required to execute a confidentiality agreement.

All StreamSets’ assets – including StreamSets Personnel laptops – are tagged and tracked.

StreamSets requires all StreamSets Personnel to report any lost assets, immediately. Once a loss is reported, StreamSets will attempt to remotely wipe the asset.

Managed antivirus is deployed on all StreamSets Personnel laptops and workstations to monitor for malware, viruses, and other malicious exploits.
Measures for certification/assurance of processes and products As mentioned above, each Cloud Provider’s systems are ISO 27001 certified (see above row on “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services” for additional information).

For information about Cloud Provider’s SOC certification, please see www.aws.amazon.com/compliance/soc-faqs or www.cloud.google.com/security/compliance/.

StreamSets is certified as a HIPAA Business Associate.

StreamSets has obtained SOC 2 Type II certification for StreamSets Control Hub.

Information on StreamSets SOC 2 Type II report and HIPAA Business Associate certification are available upon request.
Measures for ensuring data minimisation StreamSets has limited access to Pipeline Data.
Measures for ensuring data quality StreamSets’ SDLC (Software Development Life Cycle) mandates the coding standard and review process, applies code analysis during the artifactory build process, verifies through unit, integration, and PSR test, before upgrading to the production environment by following the operation promotion process.
Measures for ensuring limited data retention The Service does not have access to Pipeline data, but for preview mode in relation to transient data only.
Measures for ensuring accountability The Service enforces authentication policy, and keeps track of changed events via login audit and action audit logs.
Measures for allowing data portability and ensuring erasure The Service does not have access to Pipeline data, but for preview mode. Configuration Data can be downloaded.

The specific technical and organizational measures to be taken by StreamSets to be able to provide assistance to Controller to fulfil data subject data protection requests include:

As mentioned above, the Service does not have access to Pipeline data, but for preview mode. Configuration Data can be downloaded.

Back To Top