A Comprehensive Approach for Security and Compliance

The SnapLogic Elastic Integration Platform consists of the Integration Cloud, a multi-tenant cloud service for creating, managing and monitoring your integrations, and the Snaplex, the elastic execution grid for data processing that can run in the cloud, behind your firewall and/or natively in a Hadoop cluster. SnapLogic security comprises a combination of policy, procedure and technology spanning physical, network, infrastructure, platform and data layers, ensuring that your private and sensitive data is always protected. SnapLogic adheres to security best practices, runs regular internal security audits and maintains policies that span operations, data, passwords and credentials, facilities and networks, and connectivity. Additionally, SnapLogic does not observe, store or interact directly with sensitive customer data.

Compliance with SnapLogic’s security policies is maintained through regular audits. All cloud services have completed an SSAE 16 SOC 2 Type 1 audit. See the full list of SnapLogic security and compliance certifications.

Inter-Component Communication Security

Communication between the SnapLogic Integration Cloud (the control plane) and the on-premises processing components (the Groundplex, sometimes referred to as the data plane) is established over a TLS-encrypted connection on port 443, the standard port for HTTPS traffic. Once established, the link is upgraded to the WebSocket protocol (RFC 6455), which carries the full range of control communication over that same encrypted channel. Communication between the control plane and cloud-based processing components (Cloudplex) is over HTTPS.

The SnapLogic UX (Designer, Manager and Dashboard) communicates with the Groundplex over HTTPS from the browser.

Read the whitepaper: SnapLogic Elastic Integration Technical Whitepaper.

Runtime Data Security

The SnapLogic Integration Cloud is a stateless engine: it does not store runtime or business data, only customer metadata. Snaps rely on the endpoint security of whatever they connect to (application, database, file, etc.), whether that is a secure JDBC connection to a database or an HTTPS-based REST or SOAP API invoked as part of the integration pipeline. If the endpoint supports data encryption, Snaps can also be configured to send and receive encrypted data. Account credentials used to access endpoints from SnapLogic can also be protected with a public/private key pair: the credential is encrypted with the public key in the browser before it leaves, and decrypted with the private key on the Groundplex. Because the private key stays on the Groundplex, the control plane only ever relays ciphertext.

Learn more about SnapLogic Snaps.

Authentication

The SnapLogic Integration Cloud server supports an authentication and privilege model that allows the administrator to grant, limit or restrict access to components and pipelines. The server applies access rules to all requests, and grants or denies access depending on the type of operation attempted by the user. Users who share a particular responsibility can be assigned to groups.

SnapLogic also supports Single Sign-On (SSO), allowing users to be authenticated via SAML 2.0-compliant Identity Providers such as OpenAM or Okta. Administrators can adjust the authentication configuration to tighten security further.

Design Time Infrastructure Security

The SnapLogic Integration Cloud metadata and log files are hosted on the Amazon Web Services (AWS) cloud infrastructure, one of the most powerful, flexible and secure cloud computing environments available today. Being 100% AWS based, SnapLogic inherently leverages the security and compliance capabilities of AWS.

Platform Security Certifications

The multi-tenant SnapLogic Integration Cloud leverages the comprehensive security and certifications provided by AWS. In addition, SnapLogic applies its own security precautions for the Integration Cloud, including the latest security and resilience patches, and third-party security audits.

The SnapLogic Elastic Integration Platform has achieved TRUSTe certification, adhering to TRUSTe’s strict online privacy principles and protecting the privacy of personal information collected through our application.

TRUSTe online privacy certification

Privacy Shield (previously known as Safe Harbor)

SOC 2 Certification

In 2016, SnapLogic worked with A-LIGN.COM, a nationwide security and compliance solutions provider, to perform an in-depth audit of the control objectives and activities for the SnapLogic iPaaS. SnapLogic is proud to announce that the control procedures for the SnapLogic Online iPaaS service have been verified in a SOC 2 Type II report.

The SOC 2 Type II report includes management’s assertion regarding SnapLogic’s system and the auditor’s opinion on the fairness of the description, the suitability of the design, and the operating effectiveness of the controls. While the SnapLogic Online iPaaS service has always held itself to extremely high standards, the successful completion of this third-party audit gives SnapLogic customers assurance that appropriate controls and practices are in place and demonstrates SnapLogic’s ongoing commitment to providing a secure and reliable service.

This achievement is the newest addition to SnapLogic’s other certifications. Earlier, SnapLogic certified its compliance with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks regarding the collection, use and retention of personal data from European Union member countries and Switzerland. SnapLogic customers can always get up-to-the-minute service status information and notifications by visiting trust.SnapLogic.com, and can opt to receive proactive notifications about scheduled and unscheduled outages. By maintaining transparency with our customers, we hope not only to demonstrate our service levels, but also to ensure that all of our customers are consistently successful using our service.

SSAE 16 & ISAE 3402

SSAE 16, the Statement on Standards for Attestation Engagements No. 16, is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that redefined and updated how service organizations report on their controls.

What is a service company / organization?
Service organizations are entities that provide outsourcing activities that are relevant to the control environments at user organizations. Examples of services organizations include application service providers.

ISAE 3402 is the international counterpart to SSAE 16, issued by the International Auditing and Assurance Standards Board (IAASB). Both replaced SAS 70 (Statement on Auditing Standards No. 70), which defined the standards an auditor must employ to assess the internal controls of a service organization.

All Security and Compliance

The following is a summary of all security and compliance across the SnapLogic platform.

Security

SnapLogic employs a defense-in-depth approach to security, utilizing best-of-breed solutions combined with sound, prudent and effective security practices, which include:

  • Secure access via HTTPS (SSL/TLS)
  • Strong encryption of sensitive data at rest
  • Password and sign-in security options
  • State of the art firewalls at both the perimeter and within the data center
  • Active log monitoring for Indicators of Compromise
  • Hardened baseline images
  • Mandatory security awareness training for all employees
  • Highly controlled, secure administrative access to SnapLogic’s production infrastructure
  • Regular internal and third-party security audits and penetration testing of both our applications and infrastructure
  • Support for Single Sign On (SSO) via SAML or Active Directory
  • Robust role based access
  • Comprehensive and regularly tested Disaster Recovery and Business Continuity plan
  • Completion of SSAE 16 SOC 2 Type II audit
  • EU-Safe Harbor certified through TRUSTe

Compliance

SnapLogic maintains strong technology partnerships with vendors which comply with, or whose security and compliance programs align with, some or all of the following:

  • SOC 1 / ISAE 3402
  • SOC 3 (continuity of service, physical and logical integrity, confidentiality, privacy)
  • HIPAA, PCI DSS level 1, FERPA
  • ISO 27001, FedRAMP
  • DIACAP and FISMA
  • ITAR, FIPS 140-2
  • CSA, MPAA, MTCS Tier 3
  • G-Cloud
  • DoD CSM Levels 1-2, 3-5

See the complete list of AWS compliance here.
For more information about SnapLogic security, Contact Us.