Last modified on February 1, 2023
Device and User Identity
When end-users install a client locally, StrongDM generates and records a forgery-resistant fingerprint of the device. Each Client and proxy instance have unique cryptographic identities, as distributed via the StrongDM API. Any attempt to access the session from another device will terminate all connections and force re-authentication.
Protecting Data in Transit
Once an end user authenticates and initiates a valid session using the Client, a mutually-verified TLS 1.2 connection is established between the Client and one or several Gateways to ensure the confidentiality and integrity of the connection.
In addition, the Gateway/Relay that is interacting directly with the resource uses the resource’s native encryption method, such as TLS/SSL.
All traffic between the Client and the destination is multiplexed via the encrypted connection regardless of the encryption status or capabilities of the underlying protocol.
All StrongDM API traffic conforms to modern practices for preventing request interception, modification, or replay. Each call is signed using device and session keys unique to the caller’s installation and most recent authentication.
Protecting Data at Rest
StrongDM operates primarily in Amazon Web Services, and we use a number of AWS native encryption methods for protecting data at rest within the configured services.
Accessing Customer Data
We use strict role-based access controls to ensure that only a limited and authorized number of people have the ability to access customer data.
Strict environmental segmentation and StrongDM’s Data Protection Policies prohibit customer data from ever being used in development, testing, or QA environments.
Minimization of Collected Data
The customer data collected by StrongDM represents the amount of data necessary to develop, support, and improve the software.
Collecting Personally Identifiable Information
StrongDM only collects Personally Identifiable Information that is strictly necessary to deliver Platform capabilities to our Customers.
|First and Last Name||User Identification|
|Business Email Address||User Identification|
|IP Address||Audit Logging|