Security and Privacy of DataCloud, BX, and Avalanche

 

Actian’s Trust Commitment

Actian is committed to providing products and services that meet the security and privacy requirements of our customers. We architect, develop and operate our cloud-based products with a Security by Design philosophy. Our security and privacy program considers data privacy and protection across our suite of services, including data submitted by our customers while using our services.

Services Covered

This document describes the architecture and the security-related audits and certifications received for our DataCloud, BX, and Avalanche products. It also describes the administrative and technical controls applicable to these services.

Architecture and Data Segregation

DataCloud and BX are operated in a multi-tenant architecture that is designed to segregate and restrict customer data access based on customer business needs. The architecture allows for the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially development and production.

Avalanche is operated as a single-tenant architecture that ensures there is no opportunity for customer data to be accessed from other tenants. The architecture allows for the use of customer and user role-based privileges.

All of our services run in a public cloud environment, either Microsoft Azure or Amazon Web Services (AWS). We optimize to each public cloud environment to take advantage of environment-specific security and privacy features.

Control of Processing

Actian has implemented processes and procedures designed to help ensure that customer data is processed only as instructed by the customer. Actian periodically reviews public cloud service providers to determine if our service providers are using state-of-the-art privacy, data protection, and data security technologies, and comply with most of the major data security standards. See https://aws.amazon.com/compliance/programs/ for AWS compliance programs, and https://azure.microsoft.com/en-us/overview/trusted-cloud/ for Azure compliance programs. Actian heavily leverages the resources that the public cloud providers invest in cloud security and compliance. Other than the public cloud providers, Actian utilizes the following third-party services, which are each covered under their own security and compliance policy:

· Salesforce Identity (https://trust.salesforce.com/en/compliance/) – login verification service provider

· Sumologic (https://www.sumologic.com/security/platform-security/) – security log monitoring service provider

· Qualys (https://www.qualys.com/company/privacy/) – security penetration testing service provider

Audits and Certifications

· EU-US and Swiss-US Privacy Shield Certification: Customer data submitted to the covered services is within the scope of an annual certification to the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as administered by the US Department of Commerce as described in the Actian Privacy Policy at https://www.actian.com/privacy-policy/. The current certification is available at https://www.privacyshield.gov/list by searching under “Actian.”

· Service Organization Control (SOC) Reports. Actian’s information security control environment applicable to the covered services undergoes an independent evaluation in the form of an SSAE-18/ISAE 3402 SOC 2 attestation. Actian’s most recent audit reports are available upon written request by contacting your Actian account representative.

Additionally, the covered services undergo security assessment by internal personnel and third parties, such as third-party penetration testing, on at least an annual basis.

Security Controls

The covered services include a variety of configurable security controls that allow customers to tailor the security of the covered services to their own use. See each product’s documentation for more information.

Security Policies and Procedures

The covered services are operated in accordance with the following policies and procedures to enhance security:

· Avalanche uses Salesforce Identity for user login verification. You can use the enhanced security features provided by Salesforce Identity, including two-factor authentication.

· All other customer passwords are stored using a one-way salted hash.

· User access logs that provide details on user activities are maintained for each service.

· Actian personnel will not reset passwords without a form of verification. A customer can initiate a password reset request, and upon verification, Actian will send a unique link to reset the password to the customer’s email on file.

Security Logs

Systems used in processing covered services, including but not limited to firewalls, routers, network switches, and operating systems, log information to their respective system log facility, which is then rolled up into a centralized log aggregation system in order to enable security review and analysis.

Incident Management

Actian maintains a security incident response policy for all covered services. Actian notifies impacted users without undue delay of any unauthorized disclosure of their respective customer data by Actian of which Actian becomes aware to the extent allowed by the law.

Actian publishes system status information on the Actian trust websites:

· DataCloud: http://trust.pervasive.com

· Business Xchange (BX): http://trust.webdi.com

· DataCloud Backup: http://backupstatus.actiandatacloud.com

· Integration Manager: http://integrationstatus.actiandatacloud.com

· Avalanche: http://avalanchestatus.actiandatacloud.com

User Authentication

Access to covered services requires authentication, either user ID/password or one of the identification methods as defined by Salesforce Identity. This is determined and controlled by the customer. Following a successful login, a session ID is generated and stored in the customer’s browser to preserve and track session state.

Physical Security

The public cloud service providers (Amazon AWS and Microsoft Azure) provide physical security to all data centers processing the covered services. These data centers are designed around very high security and are built to the highest-level industry standards.

Actian internal IT manages their global network of offices that are firewalled and interconnected via secure encrypted VPN tunnels. Access to the Actian Corporate network from external points is restricted through the use of a client SSL VPN system tied to a Multi-Factor Authentication (MFA) framework.

Actian has also established and maintains a formal company-wide information security management system that includes security policies, standards, and procedures. These policies and procedures have been developed to segregate duties and enforce responsibilities based on job functionality. Policies and procedures are reviewed periodically and updated as necessary for the addition of services, changes in technology, or business reorganizations.

Reliability, Backup, and Recovery

Actian uses public cloud service providers’ redundancy capabilities, including all network components and most physical hardware components. All services are configured with multiple active clusters for high availability. DataCloud and BX can survive a range of component failures and can be failed over to another geographically diverse site with minor intervention. All data is automatically replicated between sites, which results in no data loss. All backups are stored in the same data center for speed in access.

For customers with prepaid Avalanche subscriptions, Actian will schedule regular backups of data as mutually agreed to with the customer.

Data Encryption

The covered services use industry-standard encryption products to protect customer data and communications during transmission between customer’s network and the covered services, including Transport Layer Security (TLS) leveraging at least 128-bit keys.

All data that is stored in Avalanche is encrypted on disk and all connections into and out of Avalanche are encrypted via Advanced Encryption Standard (AES) 256.

Return of Customer Data and Deletion of Customer Data

For BX, within 30 days post termination, customers may request the return of their respective customer data submitted to the covered services (to the extent to which this data has not been deleted). Actian will provide such customer data in a .csv file or other common data format.

There is no customer data to return for DataCloud, as the only data that is maintained is system-level information.

For Avalanche, if customer desires Actian to return data to customer after the termination of the Avalanche services, then customer must request the return of data at least thirty (30) days prior to termination of the Avalanche service; otherwise, the data will be automatically deleted upon termination of the Avalanche services. Note that if a customer has deleted its Avalanche clusters containing its data prior to termination of its subscription, then Actian will be unable to retrieve any data as the data will have been deleted. If customer instructs Actian to return its data on physical media or other alternative methods, then customer is responsible for any costs incurred by Actian to return the data to customer.

Except in the case of Avalanche services, after termination of all subscriptions associated with the covered services, customer data is retained in inactive status for 30 days, after which it is securely overwritten or deleted from production. Since Actian has no access to physical media, no physical level destruction is performed on the data. This is subject to applicable legal requirements.

Sensitive Data

While this Security Policy covers Actian’s security practices, the customer is deemed to have provided all notices and obtained all consents, permissions, and rights necessary for Actian to lawfully process any data provided to Actian as part of the covered services, including compliance with obligations under Data Protection Laws in the possession and processing of any personal data or sensitive information that may be personally identifiable, such as protected health information and payment card information.

Analytics

Actian may track and analyze information about the usage of the covered services for purposes of helping Actian in security analysis, user experience analysis, feature usage analysis, and other analytical purposes. This analysis will use information generated by the systems, such as systems logs. It will never access customer-provided data. This information will never be provided to third parties.

Interoperation with On-Premise Applications

Actian may provide features which allow the interoperation of Actian cloud-based services with Actian or other on-premise software (for example, Microsoft Office). This usage is at the sole discretion of the customer, and the customer can opt out of providing on-premise access. On-premise access may require the customer to change their on-premise firewall configurations to allow this action. The customer should carefully review any needed change to their on-premise infrastructure before providing this access.

Interoperation with Other Services

Actian cloud services may interact with other Actian infrastructure such as the Actian Community to optimize the customer service experience. Any such access will be limited solely to the customer’s own information stored in the Community (such as Entitlements).

 

Updated March 7, 2019