| Do you use sub-processors? |
Yes. Please see the Sub-Processors list. |
| What information are collected and stored? |
Please see the Privacy Policy. |
| How are you scanning for vulnerabilities? |
We use GitHub Advanced Security to scan for vulnerabilities. When fixes are available, vulnerabilities must be remediated according to severity:
- Emergency: Within 24 hours
- Critical: Within 7 days
- High: Within 30 days
- Medium: Within 90 days
- Low: Within 180 days
If no fix is available, mitigations will be put in place, as necessary. |
| How are integration authentication credentials stored? |
Credentials are stored in GCP's Secret Manager, in a separate project from the application. Only service accounts related to the integration have access to these secrets. Alerts are generated when any non-service account accesses the secrets. |
| What services process and store my data? |
When integration data are pulled, via API, into our systems through GCP Cloud Functions. They are stored in Google Cloud Storage (GCS), in unique buckets per tenant, for historic trend analysis. These data are also normalized and stored in Cloud SQL for application and API queries.
|
| What countries and regions are my data stored in? |
All tenant data are processed and stored in the United States. If you are a customer in the EU and require data to be stored in the EU, please contact us and we will work with you to create an EU instance of our product.
|
| How do you handle backups? |
Cloud SQL provides native, automated backups. GCS can be used as a backup source in case of a catastrophic failure in Cloud SQL. |
| Are data encrypted? |
Data are encrypted:
- At rest using Google Cloud's encryption at rest
- In transit within our GCP architecture, to and from our platform through Google Cloud's load balancers, and to and from your integration providers
|
| How are are users authenticated? |
Users are authenticated through Google SSO or through accounts they create in Auth0. Responses from each provider are checked to verify that the email address has been verified. |
| How does authorization work? |
Once authenticated, the user's tenant information (e.g. tenant name, tenant ID, role, SKU, and domain) are retrieved from our databases and are included in a signed JWT. When a request is made, the JWT is verified and the tenant name and ID are used to ensure requests are being made to the right tenant and only that tenant's data are being read and modified.
|
| Will my data be shared with any 3rd party? |
We do use Sub-Processors. For more details, please see the Privacy Policy. |
| How do I delete my data from your systems? |
- Delete an integration: The credentials are deleted from Secret Manager, all data relevant to that integration are automatically deleted from GCS and Cloud SQL, and the integration record is deleted to prevent future syncs.
- Delete a tenant: All credentials are deleted from Secret Manager, all data in GCS are deleted, and all data except the tenant name that was created is removed from Cloud SQL. If there is a Stripe subscription, the customer account is deleted and the subscription canceled. Also, an alert is sent to the SecurityScout team to check Auth0 to be sure that user accounts are manually deleted and no integration syncs were in progress and pulling in data as the tenant was deleted.
- Email privacy@securityscout.io
|
| Do I validate my data are deleted? |
Email privacy@securityscout.io. |