Our goal at SignalFx is to empower enterprises to focus on answering business-critical questions they have about how their cloud applications are performing, scaling, and operating. However, we understand the importance of data security and service availability for these enterprises as they operate in today’s ever-changing world.
In reaffirming our commitment to security and availability for our customers and potential customers, we are excited to announce the successful completion of the Service Organization Control (SOC) 2 Type 2 report. Independent auditor Schellman & Company thoroughly evaluated how SignalFx demonstrates excellence among software as a service (SaaS) providers, with a report that contained no exceptions. Read the press release here.
Today’s SaaS organizations must demonstrate that they have adequate controls of data protection technologies and processes. The American Institute of Certified Public Accountants (AICPA) created Service Organization Control 2 Type 2, or “SOC 2 Type 2,” as standards governing how SaaS and cloud service providers assure customers that their information is secure and will be available whenever needed.
The SOC 2 Type 2 report puts strict requirements in place and sets a high bar with a more meaningful audit standard compared with SAS70 or SOC 2 Type 1. The same SOC 2 report used by Amazon Web Services and Google validates the security of infrastructures and services and is rapidly becoming an industry standard.
SignalFx understands that enterprises want to be able to trust their providers with confidential information and highly sensitive business transactions, and a clean SOC 2 report means that companies can depend on us for secure, compliant services. Not only do we have the design of controls in place, we have tested and passed the operating effectiveness of these controls.
As many recognize SOC 2 as the worldwide standard for security, availability, process integrity, and privacy, the examination process is extensive and rigorous, based on multiple principles and criteria testing. We wanted to share highlights of how SignalFx has implemented these controls throughout our systems.
We strive to ensure customer confidence in their data security and proactively address new and evolving security technologies, changes to industry standard practices, and changing security threats.
SignalFx was designed from the ground up to be a secure, multi-tenant solution. We’ve taken significant measures to isolate customers’ data from one another and designed in several security safeguards to protect our customers’ data.
The SignalFx platform is hosted within Amazon Web Services (AWS). While AWS provides high availability to all their customers, we have taken an additional step to triple replicate production data to each of the three separate availability zones within the same VPC. We leverage our own streaming analytics technology to generate the right alerts and to immediately notify the appropriate team members of any failures or anomalous behavior in our production systems.
It is recognized that there may be unpredicted issues or outages that may affect our service. We proactively address these scenarios in our scalable microservices architecture. We’ve worked hard to determine the right capacity for each service and have bounded that capability with the ability to handle failovers and recovery. Our services are designed to tolerate failure of any instance of a service without degradation of system performance or function.
Furthermore, we’ve designed and run disaster recovery drill tests based on learning from previous incidents. We continue to iterate, improve, and codify those best practices through alerts built in our own system.
Security and availability are key priorities to us at SignalFx and successfully completing the SOC 2 Type 2 report is only the first step. We are continuously striving to ensure a safe, secure environment for our customers and are already taking steps towards ensuring customer confidence in the confidentiality of their data. We look forward to sharing our progress in the near future.
If you have additional questions regarding security, availability or confidentiality, we are happy to answer them. Please reach out to us here and we will respond as quickly as we can.
This post features contributions from Ram Jothikumar, Arijit Mukherji, and Karen Magallanes.
----------------------------------------------------
Thanks!
Ram Jothikumar