Security by design

SignalFx offers the only in-stream monitoring platform for ingesting, processing, storing, analyzing, visualizing, and alerting on metrics data at massive scale in real time. The service was designed from the beginning with security as a key tenet, using best-in-class technologies, infrastructure, and development practices to safeguard customer data while delivering low-latency, real-time performance. Our dedicated security function is led by a Chief Security Officer, who works with engineering and product management to deliver enterprise-level product security and continuously improve internal security controls and processes.

Data collection

Data is sent to SignalFx through a managed collection of open source agents (e.g. collectd, statsd, telegraf), our open source Smart Agent, our Metric Proxy, connections to our customers' cloud infrastructure (e.g. AWS CloudWatch), and custom integrations built with SignalFx client libraries. The SignalFx Smart Agent installed on customer infrastructure does not accept any inbound connections. The agent cannot auto-update, so all updates must be installed and configured manually by customers. Our cloud infrastructure integrations (AWS, Azure, GCP) use a restricted set of monitoring, list, and describe permissions.

Data protection

Protecting our customers' sensitive data is our key priority. Sensitive data in transit and at rest is encrypted by default.

In transit

  • All data sent to SignalFx is encrypted with TLS 1.2.
  • Any communication between a user's browser and SignalFx requires an extended validation (EV) TLS certificate.
  • All requests to SignalFx arrive through the AWS Elastic Load Balancer (ELB) on port 443. The ELB terminates the TLS connection with its X.509 certificate and decrypts client requests before passing them on.

At rest

SignalFx encrypts customer secrets at rest with AES-256. Each secret is encrypted with its own dynamically generated data key, and that data key is in turn encrypted with a root key (envelope encryption), so only the root key needs to be held in a hardened key store.
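The at-rest scheme just described, a per-secret data key sealed under a root key, as an added illustration in Python (not SignalFx's code; it uses the `cryptography` package's AES-256-GCM, and the secret id, keys and sample secret are constructed placeholders). Root-key rotation is included to show why the indirection pays off: only the small wrapped key is re-encrypted, never the secret's ciphertext.

```python
"""Envelope encryption of a stored secret with AES-256-GCM.
Added example, not SignalFx's code; requires the `cryptography` package."""
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; returns nonce || ciphertext || tag.
    aad is authenticated (tamper-evident) but not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def open_sealed(key: bytes, data: bytes, aad: bytes) -> bytes:
    """Reverse of seal; raises InvalidTag on a wrong key, wrong aad or tampering."""
    return AESGCM(key).decrypt(data[:NONCE_LEN], data[NONCE_LEN:], aad)


def encrypt_secret(root_key: bytes, secret_id: str, secret: bytes) -> dict:
    """Fresh 256-bit data key per secret: the secret is sealed under the data
    key and the data key is sealed under the root key. Only the root key needs
    a KMS/HSM; the per-secret key is stored next to the ciphertext, wrapped."""
    data_key = AESGCM.generate_key(bit_length=256)
    aad = secret_id.encode()  # binds both blobs to this secret's identifier
    return {
        "id": secret_id,
        "wrapped_key": seal(root_key, data_key, aad),
        "ciphertext": seal(data_key, secret, aad),
    }


def decrypt_secret(root_key: bytes, record: dict) -> bytes:
    """Unwrap the data key with the root key, then open the secret."""
    aad = record["id"].encode()
    data_key = open_sealed(root_key, record["wrapped_key"], aad)
    return open_sealed(data_key, record["ciphertext"], aad)


def rotate_root_key(old_root: bytes, new_root: bytes, record: dict) -> dict:
    """Root-key rotation re-wraps only the 32-byte data key; the secret's
    ciphertext is untouched, which is the practical payoff of the envelope."""
    aad = record["id"].encode()
    data_key = open_sealed(old_root, record["wrapped_key"], aad)
    return {**record, "wrapped_key": seal(new_root, data_key, aad)}
```

A wrong root key, a record whose id was swapped, or a flipped ciphertext byte all fail with `InvalidTag` rather than yielding garbage, because GCM authenticates both the data and the aad.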

Application security

SignalFx has implemented a comprehensive application security program and enterprise-level end-user application security controls.

  • All code changes undergo a rigorous review and approval process
  • SignalFx performs a monthly application scan against OWASP Top 10 risks with Qualys
  • SignalFx engages a third party agency for an annual code review and penetration testing
  • All findings are reviewed, validated, and remediated
  • SignalFx provides integrations with common SAML SSO providers
  • SignalFx supports user, team, and role based access control

AWS deployment

SignalFx designed its AWS architecture in accordance with the AWS Shared Responsibility model, leveraging AWS security best practices.

  • The SignalFx platform is deployed in a secure VPC with all production microservices running in a private subnet, with no public IP addresses
  • Inbound traffic comes through AWS ELBs listening on port 443
  • Every subnet is associated with a routing table and a network access control list (NACL) controlling traffic in and out of the subnet
  • Every instance is associated with security groups controlling inbound and outbound instance connections
  • Access is managed through IAM users, groups, and roles based on the principle of least privilege
  • MFA is required for console and CLI access
  • All access keys are rotated every six months

Monitoring

SignalFx has implemented a comprehensive monitoring strategy to identify and address potentially suspicious events.

  • All AWS API calls are recorded and monitored
  • AWS CloudTrail logs are encrypted at rest, with log file integrity validation enabled
  • All successful and failed connections by SignalFx employees, and the commands they execute, are logged and monitored

Compliance

SignalFx undergoes a rigorous annual audit conducted by the independent CPA firm of Schellman & Company, LLC. The firm is registered with the Public Company Accounting Oversight Board (PCAOB) and subject to strict auditing standards, inspections, and enforcement. SignalFx currently holds the SOC 2 Type 2 attestation covering the trust criteria for security, availability, and confidentiality.

GDPR

SignalFx has implemented data protection measures following specific GDPR guidance:

  • Our customers can submit a Subject Access Request (SAR) to access their personal data, correct inaccuracies, or erase that data
  • SignalFx protects data in transit and at rest with TLS 1.2 and AES 256 algorithms
  • SignalFx performs impact assessments to help mitigate the risk of breaches by identifying vulnerabilities and how to resolve them
  • SignalFx's breach notification process complies with GDPR

For a closer look at SignalFx compliance with GDPR, please review our GDPR whitepaper.

All SARs should be sent to gdpr-compliance@signalfx.com

Security & Compliance

For a closer look at the SignalFx platform, download our comprehensive security and compliance whitepaper.
