Data Security Policy

Last updated: 20 September 2024

The following measures describe the minimum security standards that Snowplow maintains to secure Personal Data submitted to Snowplow by its customers. Snowplow may update these measures from time to time, for example to reflect technological developments.

Snowplow’s security controls are designed to address its posture as a cloud-based software-as-a-service (SaaS) provider, both when your data pipeline is hosted in your own cloud account (Private Managed Cloud) or hosted by Snowplow (Cloud), that can be configured to process whatever data a customer chooses to send to the pipeline.

Information Security Policies and Standards

  • Snowplow has implemented an information security policy that describes the organization's information security strategy and objectives, which is reviewed and updated as needed at least annually.
  • Confidentiality requirements are imposed on employees and contractors, and NDAs are required with third parties.

Organization of Information Security

  • Snowplow operates a documented information security management framework that is maintained by dedicated personnel and has executive-level oversight.

Human Resource Security

  • Snowplow ensures that all personnel with access to Personal Data undergo security training when joining the organization and at least annually thereafter
  • Snowplow performs background checks, where legally permissible, of all personnel prior to joining the organization.
  • Snowplow will take disciplinary action in the event of unauthorized access to Personal Data by Snowplow personnel, including, where legally permissible, punishments up to and including termination.
  • Snowplow follows documented procedures for off-boarding personnel, including retrieving and/or wiping assets used to access Personal Data.

Access Control

  • Snowplow ensures the number of users with elevated privileges and extended access rights is kept to a minimum and is based on the principle of least privilege.
  • Snowplow maintains procedures for password management for its personnel, designed to ensure that passwords are personal to each individual, and inaccessible to unauthorized persons, including at least: verifying the identity of the user prior to a new, replacement, or temporary password; cryptographically-protecting passwords when stored in computer systems or in transit; and altering default passwords from vendors.
  • Snowplow controls and monitors its personnel’s access to its systems using at least: established procedures for changing and revoking access rights without undue delay, e.g. when personnel leave the organization or change role within the organization; established procedures for reporting and revoking comprised access credentials (passwords, tokens, etc.); and maintaining appropriate security logs including, where applicable, user IDs and timestamps covering at least authorization changes.

Cryptography

  • Snowplow encrypts all data in transit and at rest.

Physical and Environmental Security

  • Snowplow only uses the public cloud and does not have its own data centers, but ensures that the third-party data centers have suitable physical and environmental protection and safeguards, including at least: controlled access to restricted areas to prevent unauthorized entry; systems that monitor and control the temperature and humidity of the equipment; and back-up power supplies.

Operations Security

  • Snowplow performs regular security and vulnerability testing, and implements procedures for handling vulnerabilities, including patching and updating systems.
  • Snowplow installs anti-malware software on all company-owned mobile devices used by personnel.
  • Snowplow implements regular data backups of systems, services, and source code.

Communications Security

  • Snowplow employs technology that is consistent with industry standards for network segregation.
  • Remote network access to Snowplow systems requires encrypted communication via secured protocols and use of multi-factor authentication.

Information Security Incident Management

  • Snowplow maintains a security incident response plan for monitoring, detecting, and handling possible security incidents, which at least includes definitions of roles and responsibility, communication, and post-mortem reviews, including root cause analysis and remediation plans.
  • Snowplow monitors for any security breaches and malicious activity in its systems.