Technical and Organizational Measures to Ensure the Security of Customer Data

Last Updated Date: January 24, 2022

These Technical and Organisational Measures to Ensure the Security of Customer Data (“Technical and Organisational Measures”) form a part of the DataStax Terms (the “Agreement”) or other agreement(s) entered into between you or the entity which you represent (“Customer”) and DataStax, Inc. (“DataStax”).  These Technical and Organisational Measures present the industry best practice information security policies, procedures, controls and customisable features that DataStax employs for the protection of Customer Data that is transferred by Customer into the Products, or otherwise stored, created, processed or modified pursuant to the Agreement.

Measure / Description / Product
Measure: Measures of pseudonymisation and encryption of customer data
Description: Transparent data encryption – complete application transparency using preferred encryption capabilities that prevent unauthorised data access.
Product: All products and services

Measure: Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Description: DataStax enforces the rule of least privilege for IT systems. Access to designated systems and customer data is limited to personnel for whom access is required based on job function. Access lists for key corporate systems are audited quarterly. Access to all systems is deleted or suspended upon termination of employment. Only secure transfer protocols (SFTP, SSH, etc.) are used to transfer data from one system endpoint to another.
Product: All products and services

Measure: Measures for ensuring the ability to restore the availability and access to customer data in a timely manner in the event of a physical or technical incident
Description: DataStax maintains a disaster recovery and business continuity plan to ensure that critical business functions are identified and mitigating controls are in place against any event that may impact the availability and/or access to the customer data within the service. The plan is tested annually to ensure that the determined Recovery Point Objective and Recovery Time Objective are met in the event of an incident.
Product: All products and services

Measure: Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Description (All products and services): As part of the software development lifecycle, the DataStax Test Engineering team routinely scans DataStax software using industry standard tooling to itemize the content of its software and match publicly known vulnerabilities to code.
Description (Astra DB & DataStax Enterprise): DataStax has an ongoing vulnerability disclosure (bug bounty) program that is independently managed by a third party. DataStax monitors the National Vulnerability Database and US-CERT activity. The results of these processes are fed back into the development team for review and, if applicable, patches are developed and released.
Description (Astra DB): In addition to scanning its codebase, DataStax regularly engages a third party to conduct penetration tests of the service, which are performed at least annually.

Measure: Measures for user identification and authorisation
Description: DataStax enforces the rule of least privilege for IT systems. Access to designated systems and customer data is limited to personnel for whom access is required based on job function. Access lists for key corporate systems are audited quarterly. Access to all systems is deleted or suspended upon termination of employment. Only secure transfer protocols (SFTP, SSH, etc.) are used to transfer data from one system endpoint to another.
Product: All products and services

Measure: Measures for the protection of data during transmission
Description (All products and services): DataStax ensures encryption in transit for all data using industry standard protocols such as TLS, depending on the manner of transmission.
Description (Astra DB): Where applicable, DataStax ensures encryption in transit for all communications between Customers and the service itself via a secure Cassandra Query Language (CQL) endpoint that provides in-transit data encryption using industry-standard mutually authenticated TLS (mTLS). Transmission of data using private endpoints is a feature of the service that may also be used by Customers to connect to the platform.

Measure: Measures for the protection of data during storage
Description (All products and services): DataStax ensures encryption at rest with the use of cloud-native encryption for ephemeral and persistent data stores using each cloud provider’s object storage. DataStax utilises the cloud providers’ built-in features to manage all encryption keys.
Description (Astra DB): For increased control over the confidentiality of data, Customers are able to manage their own encryption keys if they elect to use the Bring Your Own Key feature.

Measure: Measures for ensuring physical security of locations at which customer data are processed
Description: Any physical storage of data is secured by a physical key, an electronic access key or both, as well as by video security and alarm systems.
Product: All products and services

Measure: Measures for ensuring events logging
Description: DataStax sends available audit logs, such as access and change logs, to a third-party security information and event management platform (SIEM). A security operations service is employed for 24/7 coverage to monitor events for any suspicious activity that may indicate a potential security incident.
Product: All products and services

Measure: Measures for ensuring system configuration, including default configuration
Description: DataStax ensures a secure configuration of the service environment by using automated, repeatable and well-defined baseline standards when deploying and updating environments using industry-leading infrastructure-as-code software tooling.
Product: Astra DB only - not applicable to all other products and services.

Measure: Measures for internal IT and IT security governance and management
Description: DataStax ensures effective internal IT and IT security governance and management by implementing an information security management program that is informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Product: All products and services

Measure: Measures for certification/assurance of processes and products
Description: DataStax ensures assurance of products and processes by conducting third-party audits of the service according to the 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2 Type II Report as issued by the American Institute of Certified Public Accountants. Upon request, DataStax will share or provide evidence that a third-party audit was conducted.
Product: Astra DB, DataStax Enterprise, Luna & Luna Streaming

Measure: Measures for ensuring data minimisation
Description: DataStax ensures data minimisation by processing only that data which is relevant and necessary for the provision of the service.
Product: All products and services

Measure: Measures for ensuring data quality
Description: For data which is available to DataStax within its systems, DataStax ensures data quality by ensuring such details are up to date, reviewing data regularly and following data deletion practices.
Product: All products and services
Measure: Measures for ensuring limited data retention
Description (Astra DB): DataStax ensures limited data retention through a data lifecycle program that requires that all data stored within the service is permanently deleted no more than 90 days following the termination of the contractual agreement with the Customer. Upon request, the data can be deleted or returned at any time outside of the DataStax data lifecycle program.
Description (Luna, Luna Streaming and Technical Support): In relation to support ticket data via the support portal, all data stored within the service is deleted within 7 months following the termination of the contractual agreement with the Customer, or deleted upon Customer request.

Measure: Measures for ensuring accountability
Description: DataStax ensures accountability through the logging of access activity, which is stored in a SIEM. Logs are retained for defined periods and can be reviewed to ensure that any access is proportionate and appropriate. All DataStax employees are required to abide by a data handling and classification program; any violation of these requirements will result in disciplinary procedures up to and including termination.
Product: All products and services

Measure: Measures for allowing data portability and ensuring erasure
Description (Astra DB): DataStax ensures data portability by allowing customers to retrieve any data placed within the service into an industry standard data format such as a comma-separated values (CSV) file.
Description (Astra DB & DataStax Enterprise): Inherent in the service is that customers may erase values using simple CQL statements, which delete the data via compaction.
Description (All products and services): Any personal data stored on Customers’ employees in the provision of the products may be provided in an industry standard data format to Customer upon request. A request for the deletion of that data may be placed at any time by Customer or their employees with privacy@datastax.com.

Measure: For transfers to processors, also describe the specific technical and organisational measures to be taken by DataStax to be able to provide assistance to the Customer
Description: DataStax ensures assistance to the Customer to comply with any data subject or regulatory requests by providing the ability for the data within the service to be easily exported by the Customer into an industry standard data format such as a CSV file.
Product: All products and services