StreamSets Cloud Security Policy

Updated: November 26, 2019

1. Overview. In connection with its provision of the StreamSets Cloud Service (the “Service”), StreamSets uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration, or disclosure of Customer Data processed on systems under StreamSets’ control.
2. Cloud Providers. The Service is operated on Google Cloud (“Cloud Provider”) and protected by Cloud Provider’s security and environmental controls. Detailed information about Cloud Provider’s security is available at cloud.google.com/security.
3. Customer Data. As defined in the Agreement, Customer Data consists of Pipeline Data and Configuration Data.
   1. Customer’s Pipeline Data is processed by the Service as follows:
      1. Data Persistence. Data Pipeline processing is performed in-memory and only persists to disk in rare cases where an operation requires storage for temporary data. Such data is always encrypted at rest. Pipeline Data does not persist beyond processing of the Data Pipeline.
      2. Troubleshooting. In order to support the troubleshooting of Data Pipelines, the Service allows a Customer with browser access to capture snapshots of Pipeline Data for analysis of a running Data Pipeline. Such data is stored temporarily in a private scratch space, then it is permanently deleted at completion time. This data is transmitted directly between the Data Pipeline execution environment and the Customer’s network browser and is encrypted both in transit via SSL/TLS v1.2+ and at rest via the encryption process provided by the Cloud Provider.
      3. Log files. Log Files generated by the execution of Data Pipelines are stored via a secure logging service provided by Cloud Provider and permanently deleted after thirty (30) days.
      4. Credentials. The Service provides a feature for managing access to Endpoint secrets and other credential data of Customer (the “Cloud Vault”). Credential data for Endpoint connectors is automatically stored in the Cloud Vault, which encrypts Customer credentials when at rest using Customer-specific keys.
      5. Connectors. Connectors are used by the Service to read and write Pipeline Data to Customer Endpoints. The Service provides configuration options, which defaults to an over-the-wire encrypted connection option when available. Customers are responsible for choosing appropriate secure connection option.
      6. Access by StreamSets Personnel. StreamSets Personnel have no direct access to Pipeline Data except in the event that Customer elects to purchase Support and specifically invites StreamSets Personnel to view a portion of Pipeline Data in the context of providing such Support as further described in the StreamSets Cloud Support Policy.
   2. Customer’s Configuration Data is processed by the Service as follows:
      1. Encryption. Customer manages Configuration Data within the Service.   Configuration Data is encrypted both in transit via SSL/TLS v1.2+ and at rest via the encryption process provided by the Cloud Provider.
4. Technical Measures.
   1. 1. Account Access and Permissions.
         1. Access to the Service is controlled by Customer via user IDs and passwords.
            1. Customers may designate an Organization Administrator to grant or revoke additional user access to its Service account or provide role-based permissions within Customer’s organizations.
            2. Only users registered by the Organizational Administrator may access Customer’s account.
         2. StreamSets limits access to Customer Data to those StreamSets employees and contractors needed to perform authorized tasks (“StreamSets Personnel“).
            1. StreamSets grants StreamSets Personnel access to Customer Data on an as-needed basis according to a role-based program.  If such access is granted, StreamSets Personnel are prohibited from storing Customer Data on local desktops, laptops, mobile devices, shared drives, removable media such as USB drives, or on public facing systems that do not fall under the administrative control or compliance monitoring processes of StreamSets.
            2. StreamSets maintains and monitors access logs to the Service to review access by StreamSets Personnel.
            3. Upon termination of StreamSets Personnel, any access to Customer Data, the Service, and StreamSets’ facilities is terminated.
      2. Network Security / Intrusion Protection.
         1. Cloud Provider’s systems are ISO 27001 certified.  For information about Cloud Provider’s SOC  certification, please see cloud.google.com/security/compliance. Further, these systems deploy 24x7x365 monitoring, anomaly detection algorithms, and rule-based exception alert mechanisms.
         2. StreamSets’ own network (the “StreamSets Network“) is set behind a firewall and designed to detect and thwart inappropriate access.
            1. The StreamSets Network is tested with security groups defining access control lists on an as-needed basis.
            2. For enhanced security within the StreamSets Network, StreamSets imposes Network Address Translation to non-published addresses.
            3. On the StreamSets Network, StreamSets employs a centralized multi-factor authentication access management system to control StreamSets Personnel access to StreamSets’ servers.
      3. Asset Management.
         1. StreamSets’ assets, including StreamSets Personnel laptops, are tagged and tracked.
         2. StreamSets requires all StreamSets Personnel to report any lost assets immediately. Once a loss is reported, StreamSets will attempt to remotely wipe the asset.
         3. Managed antivirus is deployed on all StreamSets Personnel laptops and workstations to monitor for malware, viruses, and other malicious exploits. All local disk storages are encrypted by default.
      4. Audit Logs.
         1. All logs for the Service are reviewed on a regular basis.
         2. Any exception reporting, such as intrusion or breach detection, immediately triggers a review of all access logs.

   </ol style=”list-style-type: lower-alpha;”>

5. Physical and Environmental Controls.
   1. The Service is hosted with Cloud Provider and all physical security controls to Cloud Provider’s service are managed by Cloud Provider. StreamSets reviews Cloud Provider’s SOC 2 Type 2 report annually to ensure appropriate physical security controls.
   2. Physical access to StreamSets’ facilities is controlled via computer chip enabled key cards.
   3. 24x7x365 cameras are deployed at key StreamSets’ facilities to monitor entry points.
6. Vulnerability Scans.
   1. Cloud Provider conducts regular vulnerability scans of its systems. Cloud Provider also enables Customer to conduct its own vulnerability testing of Cloud Provider’s systems.
   2. StreamSets conducts security vulnerability scans of the StreamSets Network on a regular basis. At least annually, StreamSets engages a third party to conduct similar scans.  A copy of the results of such third-party scans will be provided to Customer upon reasonable request, no more than once annually, and such report will be deemed the Confidential Information of StreamSets without any further marking or designation.
7. Security Incident Response.
   1. If StreamSets becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach“), StreamSets will:
      1. Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
      2. Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, StreamSets is not required to make such notice to the extent prohibited by Laws, and StreamSets may delay such notice as requested by law enforcement and/or in light of StreamSets’ legitimate needs to investigate or remediate the matter before providing notice.
      3. Each notice of a Breach will include:
         1. The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired, or disclosed during the Breach;
         2. A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
         3. The scope of the Breach, to the extent known; and
         4. A description of StreamSets’ response to the Breach, including steps StreamSets has taken to mitigate the harm caused by the Breach.
8. Organizational Measures.
   1. Background Checks. StreamSets performs background screening as part of the StreamSets hiring process, to the extent legally permissible.  The scope of this screening includes:
      1. Criminal records.
      2. Verification reports including identity, previous employment, and social security number.
   2. Security Training.
      1. StreamSets conducts mandatory security awareness training for all StreamSets Personnel on an annual basis.  The mandatory training includes the following topics, among others: Employee Access and Protection, Email, Passwords, Mobile Devices (BYOD), Clean Desk Policy, Protecting Your Computer, Social Engineering, Viruses/Malware, and Personally Identifiable Information (PII).
      2. StreamSets provides specialized training to StreamSets Personnel who are engaged in the development and operations of the Products.
      3. Additional security trainings are provided on an as-needed basis.
   3. StreamSets Personnel Management.
      1. StreamSets Personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding business ethics, appropriate usage, and professional standards.
      2. As a condition of employment, StreamSets Personnel are required to execute a confidentiality agreement.