SnapLogic – Security Standards
This SnapLogic Security Standards Summary (“Security Summary”) describes the administrative, technical, and physical controls applicable to the SnapLogic platform (“Services”).
SnapLogic may update this Security Summary from time to time to document changes in security policies for the Services. SnapLogic will, upon request no more than once per year, certify to its compliance with this Security Summary. All capitalized terms used in this Security Summary are defined in SnapLogic’s Master Subscription Agreement, Data Processing Addendum, and/or the applicable ordering documents or Documentation.
SnapLogic uses reasonable methods designed to protect Customer Data from unauthorized access, use, and loss, including physical, technical, and administrative safeguards. Customer Data is logically segregated from that of other customers.
Standards and Certifications
SnapLogic annually receives third-party audits for compliance with the AICPA SOC 2 Type 2, SSAE18 Type II, and ISAE 3402 Type 2 standards, as well as the U.S. Health Insurance Portability and Accountability Act (“HIPAA”), including as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”). SnapLogic follows OWASP coding practices for product development. The most recent certifications and/or audit summary letters are available upon Customer’s request under NDA.
API and web services managed by SnapLogic use TLS 1.2. HTTPS is used for data transmission and remote access over public networks. RSA or AES encryption is used throughout the product, including to protect Customer Data, databases, and metadata.
Customer Encryption and Authentication Requirements. Customer is solely responsible for implementing proper security controls on its endpoint devices, including defining the encryption settings. SnapLogic recommends that Customer follow these best practices whenever possible:
- Enable session connection encryption using the then most current implementation of SSL or TLS for any connection between the Customer Apps and the Services.
- Where session connection encryption is not available for a particular Customer App, encrypt the data payload using strong encryption (128-bit encryption or better).
- Use industry best-practice authentication controls for user access to the Services.
SnapLogic does not persist data. By design, any temporary storage used by the product is ephemeral: it is used only while a service is running and does not persist after the service stops. Ephemeral storage is a non-billable resource included in the operation of a service. Product ephemeral storage is suited to the temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content during the execution of the application. If the Customer does not configure all of the storage options, the Services default to SnapLogic’s built-in temporary storage.
Services are accessible to Customers through authentication protocols, including unique IDs and strong password requirements. Services include optional support for two-factor authentication for user access.
Risk Assessment and Penetration Testing
SnapLogic regularly conducts risk assessments, penetration testing, and vulnerability scans. SnapLogic promptly creates a correction plan for any issues that are identified as a result of any vulnerability testing.
The SnapLogic platform operates on Amazon Web Services (AWS) cloud infrastructure. Further information about the security provided by AWS is available from AWS Cloud Security and the AWS Compliance Center. SnapLogic has implemented a patch management process to ensure infrastructure systems are patched in accordance with applicable industry standards. Groundplex Customers are solely responsible for patch management of applications hosted at Customers’ data centers.
SnapLogic maintains a Security Incident Response Plan, which details the procedures to be followed in the event of unauthorized access to, use of, disclosure, theft, or manipulation of Customer Data (“Security Breach”). SnapLogic will notify affected Customers of a Security Breach within 48 hours of its discovery. With respect to any Security Breach, SnapLogic shall investigate, perform a root cause analysis, and prepare and implement a corrective action plan. Further, SnapLogic shall provide affected Customer(s) with regular updates about the status of the foregoing, copies of any materials prepared in connection with the same upon Customer’s request, and a written report of any findings when the incident has been resolved.
Business Continuity and Disaster Recovery
SnapLogic maintains a business continuity and disaster recovery program. Policies and procedures are in place to provide Services and Support Services with minimal interruption, including disaster recovery planning and testing capabilities, recovery site management, and standard backup and recovery procedures.
SnapLogic has established workforce conduct standards, including the following measures:
- SnapLogic performs background checks on every employee and requires background checks from all consultants and contractors who work on customer accounts and/or
- SnapLogic performs annual security and privacy training for all employees;
- SnapLogic enforces its security and privacy policies throughout the organization.
Contacting Security Team
All questions regarding SnapLogic’s security standards and/or this Exhibit should be addressed to [email protected].