Skip to content

Shared Security Model

Privacera, our customers, and our partners have a joint responsibility to ensure the confidentiality, integrity, and availability of critical data. As part of our commitment to this goal, and due to the varying and flexible deployment models that Privacera offers, we have developed this shared security model to highlight the obligations of various stakeholders.

Privacera Responsibility#

Access, Authentication, and Authorization#

  • Support customer use of:
    • Single sign-on (SSO) and multi-factor authentication (MFA) via Okta, Azure Active Directory, and others
    • User provisioning via System for Cross-domain Identity Management (SCIM) 2.0
  • Secure metadata derived from sensitive information in customer datasources
    • Secure samples of such information obtained when using Privacera Discovery
  • Secure credentials used to access customer datasources

Secure Development#

  • Use threat models to inform secure product design
  • Mandate code reviews prior to merging
  • Execute regular static and software composition analysis
  • Uphold Apache Ranger heritage
  • Conduct frequent penetration testing
  • Maintain coordinated vulnerability disclosure (CVD) program to facilitate receipt of information regarding security issues

Information Technology Systems#

  • Conduct background checks of all employees
  • Require mobile device management (MDM) and deploy endpoint detection and response (EDR) on company-issued devices
  • Mandate virtual private network (VPN) and MFA usage for accessing production systems

Customer Responsibility#

Governance and Security Teams#

  • Develop Data Access Governance strategy and information security policies
  • Ensure compliance with relevant legislation and regulations (e.g. GDPR, CCPA, HIPAA) Information technology and development teams
  • Identify, maintain, protect, and securely connect to Privacera all datasources with sensitive information
  • Follow externally-developed code policy when using functionality built on top of Privacera products
  • Provision, manage, de-provision, and secure user accounts maintained within supported Identity Providers (IdPs)
  • Enforce industry-standard authentication practices such as MFA

Account Administrators and Data Owners#

  • Implement Privacera features such as discovery scans, tagging rules, and compliance workflows in accordance with governance program
  • Develop access control and encryption policies

All users#

  • Employ strong passwords for authenticating to Privacera products and store them securely
  • Maintain physical security of endpoint devices

Privacera (SaaS) or Customer (Self-hosted) Responsibility#

  • Adhere to relevant compliance frameworks (e.g. PrivaceraCloud offers SOC 2 Type II attestion)
  • Stay up to date with latest versions of Privacera and third-party software
  • Configure software securely, including ensuring the use of industry-standard data-in-motion encryption

IaaS Provider Responsibility#

Secure and ensure availability of cloud hosting infrastructure using own shared responsibility model:

Last update: January 7, 2022