Paxata Security Overview

Ensuring your most trusted data remains secure

Nenshad Bardoliwalla
Co-Founder and Vice President of Products
nenshad@paxata.com
Table of Contents

- Introduction
- Secure Data in the Application Lifecycle
- Authentication
- Upload and Download
- Dataset Permissions
- Robust and Flexible Permission Model
- Pervasive Auditing
- Data at Rest
- Backup and Restore
- Data Retention
- Data Centers
- Our Policies, Practices, and Procedures
- People Policies
- Corporate Infrastructure
- Data Breach Practices
- Software Development Processes
- Summary
- About Paxata

www.paxata.com
Introduction

Paxata's multi-tenant cloud native data preparation platform is used by some of the largest organizations in the world, and we work tirelessly to keep their continued trust. The best organizations know that effective security is not a bolted-on afterthought but rather an integral part of the fabric of both product development and daily operations, and thus build security in from the ground up. Paxata invests significant resources in the security and reliability of our data centers, software, and our business operations. While there are hundreds of details behind each section, this paper summarizes the key personnel and technical practices, policies, and procedures that we follow continuously to ensure the security of your business data.

Secure Data in the Application Lifecycle

Authentication

Users must log in to their Paxata accounts before they can engage in any activity in the system, whether via our own user interface or through our APIs. Every service call made through the Paxata architecture requires user credentials in the form of a token, which makes the system immune to a number of vulnerabilities including spoofing.

Upload and Download

Once users have logged in, dataset upload or download can begin. We exchange all traffic between the outside world and our servers using 256-bit encryption via TLS 1.2. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism.

Dataset Permissions

Once your data has reached our servers after authentication and upload, it then becomes subject to our authorization and audit security within the platform itself.
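Added example (not Paxata's code): the Upload and Download section above describes the connection as AES_256_CBC with SHA1 message authentication and RSA key exchange, which the code below assumes corresponds to the IANA suite name TLS_RSA_WITH_AES_256_CBC_SHA. It parses TLS 1.2 suite names and reports the properties a reviewer would check for; the finding codes and the comparison suite are constructed for illustration.

```python
# Added example: audit a TLS 1.2 cipher suite given by its IANA name.
MAC_OR_PRF = {"MD5", "SHA", "SHA256", "SHA384"}
EPHEMERAL_KX = {"DHE", "ECDHE"}

MESSAGES = {
    "NO_FORWARD_SECRECY": "static key exchange: recorded sessions can be "
                          "decrypted if the long-term key is later exposed",
    "CBC_MAC_THEN_ENCRYPT": "CBC record protection is MAC-then-encrypt, not AEAD",
    "HMAC_SHA1_MAC": "record MAC is HMAC-SHA1; newer suites use AEAD tags",
}


def parse_suite(name):
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> into labelled parts."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 IANA suite name: {name!r}")
    kx_part, rest = name[len("TLS_"):].split("_WITH_", 1)
    cipher, _, hash_name = rest.rpartition("_")
    if hash_name not in MAC_OR_PRF or not cipher:
        raise ValueError(f"unsupported suite layout: {name!r}")
    kx, _, auth = kx_part.partition("_")
    return {"kx": kx, "auth": auth or kx, "cipher": cipher, "hash": hash_name}


def audit(name):
    """Return finding codes, in a fixed order, for one suite name."""
    suite = parse_suite(name)
    aead = suite["cipher"].endswith("_GCM") or suite["cipher"] == "CHACHA20_POLY1305"
    findings = []
    if suite["kx"] not in EPHEMERAL_KX:
        findings.append("NO_FORWARD_SECRECY")
    if suite["cipher"].endswith("_CBC"):
        findings.append("CBC_MAC_THEN_ENCRYPT")
    # In non-AEAD suites the trailing hash is the record MAC; in AEAD
    # suites it only names the PRF, so it is not flagged there.
    if not aead and suite["hash"] == "SHA":
        findings.append("HMAC_SHA1_MAC")
    return findings


if __name__ == "__main__":
    # Suite names are constructed inputs: the first is the assumed match for
    # the whitepaper's description, the second a common AEAD comparison.
    for s in ("TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"):
        codes = audit(s)
        print(s, "->", codes or "no legacy findings")
        for c in codes:
            print("   ", c + ":", MESSAGES[c])
```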
Robust and Flexible Permission Model

Paxata provides a rich user, roles, and permissions model that is both robust and flexible. We provide out-of-the-box definitions for four classes of users: Admins, Power Users, ReadWriteUsers, and ReadOnly Users. These roles contain specific permissions that allow for granular access to system capabilities, such as whether users can access/add/modify/delete users, roles, projects, sources, targets. The out-of-the-box roles can be completely configured by the administrator. Administrators can set up roles for other users in their tenant with as restrictive a permission set as required, and changes are enforced immediately.

Pervasive Auditing

The Paxata solution's LiveHistory automatically logs every single operation any user does in the system, from modifying a single cell of data all the way to deleting datasets. The system also always records which user performed the operation and the exact time that the action was taken. While the application does allow users to revert to a previous version of a dataset (effectively undoing an action), even the rollback action itself is recorded in the system. All project modifications can also be searched for discovery, audit, and lineage purposes.

Data at Rest

Data that is stored on hard drives attached to Paxata servers is persisted in storage using 256-bit encryption. This means that, even with all the security precautions we take at our data centers and with our staff, if anyone unauthorized were to get ahold of Paxata's hard drives, they still would not be able to read your data. The encryption key itself is encrypted with a key encryption key that is stored securely and completely separately from the data. Only a small, select set of personnel who are trained in comprehensive security practices has access to the keys.

Backup and Restore

Paxata ensures that data is not lost due to device failure. Tenant's data is backed up at a minimum of once a day and can be restored rapidly in the event of an incident. Data that is stored in backup is protected by the same encryption techniques as data at rest on our machine hard drives.

Data Retention

Paxata datasets, when deleted, are removed from the system along with all associated metadata, indexes, etc. In exceptional circumstances, deleted data can be restored from backup for a limited time period.
Data Centers

Paxata uses multiple data centers to host its platform and data, providing essential redundancy. All service providers where Paxata is hosted are audited and compliant with both SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II) as well as SOC 2, Type II.

Every service provider we use must publish a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402). The SOC 1 report audit attests that our providers' control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively.

In addition to the SOC 1 report, every service provider we use must publish a Service Organization Controls 2 (SOC 2), Type II report. The SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations. The SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA's Trust Services Principles criteria. This report provides additional transparency into our service providers' security based on a defined industry standard and further demonstrates their commitment to protecting customer data.

Our Policies, Practices, and Procedures

People Policies

We strongly believe sound security practices come from management focus and should be driven throughout the organization. Employees are trained on our security policies and procedures. We maintain comprehensive policies (over 200 in all) for:

- Corporate facility access
- Acceptable use
- Corporate passwords and production passwords
- Access privileges
- Incident response procedures
- Patch management
- Standards for hardened systems
- System configuration
- Change management
We have studied and learned from the industry best practices of leading cloud companies like Box and Salesforce and adhere to many of the controls prescribed in the Cloud Security Alliance Cloud Control Matrix.

Corporate Infrastructure

As a critical enabler of our business operations, Paxata also works to ensure the security of our corporate networks and files with:

- Network intrusion detection systems and host intrusion detection
- System, network, and application log reporting, analysis, archiving and retention
- Continuous internal monitoring

Data Breach Practices

- The Paxata Incident Response Team has a documented plan to handle security incidents
- If, despite all other protections in place, your data is accessed without authorization, we will notify you
- If personal information about you or your employees is breached from the Paxata system, Paxata will notify you in accordance with California Law (California Civil Code Section 1798.29 and Section 1798.82)

Software Development Processes

- Security is woven into the fabric of our software development process itself, from design to deployment
- QA is integrated into the development process. Changes in various stages of development are tested on a daily basis
- Our automated test framework includes both positive and negative testing, with end-to-end testing from authentication onward
- We use both application-level and network security testing on an ongoing basis to ensure no new vulnerabilities are created

Summary

Modern multi-tenant cloud platforms must be designed for security from the ground up, and Paxata takes this very seriously. Our entire business centers on providing business analysts with the tools to create trustworthy, analytic-ready data, and the security of that data is a mission-critical priority for our company. This paper is a high-level overview of the security policies and practices in place to offer a safe way to import, explore, enrich, combine, and share your data. If at any time you have questions or require details about any of these, please contact us, and we'll be happy to answer them.
About Paxata

Paxata is the first Adaptive Data Preparation platform built for the business analyst. Now everyone has the ability to rapidly turn all raw data into ready data for analytics in minutes, not months, accelerating the time to right insights and action. Our customers, Pax Pros, now have the freedom to prepare data on their own or work with peers in a shared, transparent environment as they shape data for analytics. Paxata's seamless connection with BI tools like Tableau, Qlik and Excel gives business people total flexibility to use the visualization and discovery solutions they prefer to use.

Paxata is a cloud-based, self-service solution powered by breakthrough technologies including semantic algorithms, distributed computing techniques and a highly interactive visual experience. Paxata dramatically reduces the most painful and manual steps of any analytic exercise, empowering analysts at market-leading companies like Dannon, Box and UBS to drive greater value for the business. In partnership with Cloudera, Tableau and Qlik, Paxata unlocks even greater potential from Big Data and Business Intelligence investments.

Founded in January 2012, Paxata is headquartered in Redwood City, California. Visit www.paxata.com, follow @Paxata_News, connect on linkedin.com/company/paxata, follow us at www.facebook.com/paxata and watch us on www.youtube.com/paxatatv.

Paxata
811 Hamilton St. Suite 201
Redwood City CA 94063
Phone: 1-855-9-PAXATA or 650-542-7900
Email: info@paxata.com
Web: www.paxata.com

© 2014 Paxata, Inc. Paxata, the Paxata logo and the phrases IntelliFusion, LiveHistory and Adaptive Data Preparation are trademarks of Paxata, Inc. in the US and other countries.