Data Protection

Last modified on February 1, 2023

Device and User Identity

When end-users install a client locally, StrongDM generates and records a forgery-resistant fingerprint of the device. Each Client and proxy instance have unique cryptographic identities, as distributed via the StrongDM API. Any attempt to access the session from another device will terminate all connections and force re-authentication.

Protecting Data in Transit

Encrypted Connections

Once an end user authenticates and initiates a valid session using the Client, a mutually-verified TLS 1.2 connection is established between the Client and one or several Gateways to ensure the confidentiality and integrity of the connection.

In addition, the Gateway/Relay that is interacting directly with the resource uses the resource’s native encryption method, such as TLS/SSL.

All traffic between the Client and the destination is multiplexed via the encrypted connection regardless of the encryption status or capabilities of the underlying protocol.

API Security

All StrongDM API traffic conforms to modern practices for preventing request interception, modification, or replay. Each call is signed using device and session keys unique to the caller’s installation and most recent authentication.

Protecting Data at Rest

StrongDM operates primarily in Amazon Web Services, and we use a number of AWS native encryption methods for protecting data at rest within the configured services.

Accessing Customer Data

We use strict role-based access controls to ensure that only a limited and authorized number of people have the ability to access customer data.

Strict environmental segmentation and StrongDM’s Data Protection Policies prohibit customer data from ever being used in development, testing, or QA environments.

Minimization of Collected Data

The customer data collected by StrongDM represents the amount of data necessary to develop, support, and improve the software.

Collecting Personally Identifiable Information

StrongDM only collects Personally Identifiable Information that is strictly necessary to deliver Platform capabilities to our Customers.

Data ElementUsage
First and Last NameUser Identification
Business Email AddressUser Identification
IP AddressAudit Logging