Security by design
SignalFx offers the only in-stream monitoring platform for ingesting, processing, storing, analyzing, visualizing, and alerting on metrics data at massive scale in real real-time. The service was designed from the beginning with security as a key tenet, using best-in-class technologies, infrastructure, and development practices to safeguard customer data while delivering low latency, real-time performance. Our dedicated security function is led by a Chief Security Officer, who works with engineering and product management to deliver enterprise-level product security and continuously improve internal security controls and processes.
Data is sent to SignalFx through a managed collection of open source agents (e.g. collectd, statsd, telegraf, etc), our open source Smart Agent, our Metric Proxy, through a connection to our customer’s cloud infrastructure (e.g. AWS CloudWatch), as well as custom integrations built with SignalFx client libraries. The SignalFx Smart Agent installed on customer infrastructure does not receive any inbound connections. The agent does not have the ability to auto-update, hence all updates must be manually installed and configured by customers. Our cloud infrastructure integrations (AWS, Azure, GCP) use a restricted set of monitoring, list, and describe permissions.
Protecting our customers sensitive data is our key priority. Sensitive data in transit and at rest is encrypted by default.
- All data sent to SignalFx is encrypted with TLS 1.2.
- Any communication between a user’s browser and SignalFx requires an extended validation SSL certificate.
- All requests to SignalFx come through the AWS Elastic Load Balancer (ELB) on port 443. The ELB uses SSL (X.509 certificate) to terminate the connection and then decrypt requests from clients.
SignalFx encrypts customer secrets at rest with AES 256 bit encryption. Each secret is encrypted with a dynamic key which is then encrypted with a root key.
SignalFx has implemented a comprehensive application security program and enterprise level end user application security controls.
- All code changes undergo a rigorous review and approval process
- SignalFx performs a monthly application scan against OWASP Top 10 risks with Qualys
- SignalFx engages a third party agency for an annual code review and penetration testing
- All findings are reviewed, validated, and remediated
- SignalFx provides integrations with common SAML SSO providers
- SignalFx supports user, team, and role based access control
SignalFx designed its AWS architecture in accordance with the AWS Shared Responsibility model, leveraging AWS security best practices.
- SignalFx platform is deployed in a secure VPC with all production microservices running in a private subnet, with no public IP addresses
- Inbound traffic comes through AWS ELB’s listening on port 443
- Every subnet is associated with a routing table and a network access control list (NACL) controlling traffic in and out of the subnet
- Every instance is associated with security groups controlling inbound and outbound instance connections
- Access is managed through IAM users, groups, and roles based on the principle of “least privileged access”
- MFA is required for console and CLI access
- All access keys are rotated every six months
SignalFx has implemented a comprehensive monitoring strategy to identify and address potentially suspicious events.
- All AWS API calls are recorded and monitored
- AWS CloudTrail logs are encrypted at rest and enabled with validation
- All successful and failed connections, and executed commands by SignalFx employees are logged and monitored
SignalFx undergoes a rigorous annual audit conducted by the independent CPA firm of Schellman & Company, LLC. The firm is registered with the Public Company Accounting Oversight Board (PCAOB) and subject to strict auditing standards, inspections, and enforcement. SignalFx currently holds the SOC 2 Type 2 attestation covering the trust criteria for security, availability, and confidentiality.
SignalFx has implemented data protection measures following specific GDPR guidance:
- Our customers can submit a Subject Access Request (SAR) to access their personal data, correct inaccuracies, or erase that data
- SignalFx protects data in transit and at rest with TLS 1.2 and AES 256 algorithms
- SignalFx performs impact assessments to help mitigate the risk of breaches by identifying vulnerabilities and how to resolve them.
- SignalFx breach notification process complies with GDPR
All SARs should be sent to email@example.com
Security & Compliance
For a closer look at the SignalFx platform, download our comprehensive security and compliance whitepaper.