StrongDM Security Addendum
- Information Security Program
- Definitions
- Organizational Practices
- General Security Controls
- Physical Security
- Data Protection
- Data Privacy
- Security Incident Management
- Secure System & Software Development
- Contingency Planning
- Risk Management
- Independent Testing, Inspections & Audits
- Notifications
- Limitation of Liability
- No Third-Party Beneficiaries
- Updates and Modifications
Information Security Program
This Information Security Addendum (“ISA”) forms part of the Services Agreement between StrongDM, Inc. (“StrongDM”, “we”, “our”) and the customer identified in the Services Agreement (“Customer”), for the provision of Services by StrongDM (the “Agreement”), to reflect the parties’ agreement with regard to StrongDM’s operation of an Information Security Program and the protection of Customer Data (as such terms are defined herein).
In the course of providing the Services to Customer pursuant to the Agreement, StrongDM maintains Customer Data on behalf of Customer and the parties agree to comply with the following provisions with respect to such processing of Customer Data.
Definitions
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
“Customer Data” means data or information input into the Services by a Customer or generated automatically through the usage of the Services, including:
- Customer user information (e.g. first and last names, email addresses);
- Customer log data generated by the Platform (e.g. audit log data);
- Identifiable data source information, including:
  - Resource names and IP addresses;
  - Hostnames and URLs;
  - Database names;
- Authentication secrets and related data, including:
  - Usernames;
  - Passwords;
  - Cryptographic keys;
  - Access/API keys.
“Customer Personal Data” means any Personal Information that is provided by or on behalf of Customer to StrongDM to provide the Services pursuant to the Agreement.
“Personal Information” means information that is defined as “personal information,” “personal data,” or any analogous term under applicable data protection laws, including any such information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household.
“Security Incident” means a confirmed event resulting in, or reasonably likely to result in:
- The unauthorized access, acquisition, use, or disclosure of Customer Data; or
- A material compromise of the security, availability, integrity, or confidentiality of Customer Data.
Excluded from this definition are unsuccessful attempts or activities that do not result in such unauthorized access, acquisition, use, disclosure, or material compromise, including, without limitation, unsuccessful login attempts, pings, port scans, and denial of service attacks.
“StrongDM Personnel” means full and part-time employees of StrongDM and individuals contracting with StrongDM to perform work on StrongDM’s behalf.
Organizational Practices
Information Security Program
StrongDM has appointed a senior leader who will oversee the implementation of StrongDM’s Information Security Program (“ISP”). This ISP is designed to maintain commercially reasonable administrative, technical, organizational, and physical safeguards and measures to prevent the compromise, unauthorized disclosure, or loss of Customer Data.
The ISP is based on the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework (CSF) v2.0 and additionally targets compliance with:
- AICPA Trust Services Criteria 2017 for Security, Availability, Confidentiality, and Privacy
- Payment Card Industry Data Security Standard v4.0.1 (or subsequent updates)
- EU & UK General Data Protection Regulations (GDPR)
- Other relevant national and state data protection laws, as applicable
StrongDM maintains written policies and procedures for each component of its ISP and disseminates those policies to all StrongDM Personnel. These policies are reviewed both at regular intervals and when significant changes occur, and updates are communicated to all relevant parties.
Personnel Security
Background Checks
StrongDM shall perform industry-standard background checks on all candidates offered employment, consistent with all local laws in the jurisdiction where the candidate is located.
Information Security Training
All StrongDM Personnel are trained at the time of hire and at least annually on their responsibilities for the protection of Customer Data, the nature of existing and emerging information security threats, and StrongDM’s information security policies and processes.
General Security Controls
Identity and Access Management
StrongDM maintains an Identity & Access Management program based on the requirements and guidance of NIST SP 800-53 Revision 5, NIST SP 800-63-3, and other current industry best practices.
User Identity
StrongDM maintains a centralized Identity Provider (“IdP”) to manage accounts used within our business systems. All StrongDM Personnel are provided with unique usernames for identification when logging into StrongDM’s systems. Personnel are prohibited from sharing their individually assigned credentials with any other person. Circumstances that require the use of a shared account will be managed on a case-by-case basis and require a business justification before the account may be created.
Authenticator Requirements
Wherever possible, we implement federated authentication through our centralized IdP. Where StrongDM is able to set password requirements, including our centralized IdP, we will enforce standards in line with NIST 800-63B. This means:
- Passwords must be at least 30 characters in length with multiple complexity requirements;
- Blocking passwords that include any part of a user’s name or username, or commonly used passwords;
- Blocking past passwords from being re-used;
- Locking accounts and notifying users and administrators after 10 failed login attempts;
- Not requiring arbitrary rotation of passwords based on time.
For systems where StrongDM is not able either to bind authentication to our IdP through SSO or to enforce the specific password requirements above, we choose the available option that most closely aligns with our policies.
Access Management
Access to StrongDM systems which process or store Customer Data is only performed through the StrongDM Platform itself and is protected by biometric- or hardware-backed multi-factor authentication. When StrongDM Personnel’s employment or contract is terminated, access to StrongDM systems is removed immediately. We conduct quarterly access reviews to ensure that users have access to only those systems needed to perform their duties, and flag unneeded or outdated accounts for suspension and removal. Users must have a demonstrated business need to be granted access to privileged/administrative rights and sensitive information. We conduct quarterly privilege reviews to ensure that users only have the rights they need to perform their duties.
Asset & License Management
StrongDM inventories and tracks all hardware assets, software licenses, and cloud components that are used to deliver the Services to the Customer. Assets are tracked throughout their lifecycle and are securely disposed of at the end of their useful life.
Endpoint and Perimeter Defense
StrongDM maintains endpoint and perimeter defense policies that include system hardening, anti-malware requirements, and vulnerability management controls. Systems are configured against baselines for basic security controls, such as full-disk encryption, local firewalls, minimal user accounts, and minimal installed software. All production systems have endpoint detection and response/anti-malware, file integrity monitoring, and vulnerability scanning agents installed. All corporate systems have endpoint detection and response/anti-malware software deployed that alerts to a central console. Network access controls such as firewalls, gateways, and security groups are configured and maintained through source-controlled Infrastructure as Code repositories to ensure only appropriate and authorized ports are open.
Vulnerability Management
StrongDM maintains vulnerability management policies that prescribe how and when StrongDM systems are evaluated for vulnerabilities and establishes SLAs for the remediation of any discovered vulnerabilities. Vulnerabilities are rated based on a combination of the published CVSS score, the availability of exploit code, and whether the vulnerable system is exposed with public attack surfaces.
Logging & Monitoring
StrongDM aggregates access, security, and event logs to a centralized log storage system, and uses a security information and event management system to correlate logs, send alerts to StrongDM’s Security Team, and facilitate daily security operations monitoring of the StrongDM environment.
Physical Security
Customer acknowledges that StrongDM is a fully remote company and does not maintain its own facilities, including data centers or office space. Facilities which process and store Customer Data must have industry-standard security certifications which are verified through independent third-party audits. These audits must ensure that the data centers have robust physical access controls, visitor logging and monitoring, and strict policies on removal of systems. StrongDM reviews these audit reports as part of its Third-Party Risk Management program.
Data Protection
Encryption
Customer Data is encrypted at rest using the Advanced Encryption Standard (“AES”) algorithm with 256-bit keys. Encryption at rest is configured using standard features for the given storage medium. Customer Data is always encrypted in transit using Transport Layer Security (“TLS”) protocol version 1.2 or higher. StrongDM’s Security Team maintains a list of approved algorithms and cipher suites to be used with the TLS protocol.
Data Classification
StrongDM maintains a Data Classification system to properly identify and label data within its possession, and to ensure such data is protected with controls appropriate for its classification. Customer Data is classified separately from Company Data and is always treated as restricted data.
Retention & Destruction
StrongDM retains most Customer Data for as long as there is a business relationship between Customer and StrongDM. Audit Logs are retained for a period of 13 months from their creation and are then automatically deleted through retention lifecycle policies.
At the written request of the Customer to StrongDM’s Data Protection Officer, StrongDM will delete all Customer Data from its servers, primary databases, and other storage locations within 30 days of the date of request. Any Customer Data which remains in automated backups of databases will be deleted 35 days from the date of deletion, when the backup automatically ages out due to retention lifecycle policies.
All requests for the deletion of Customer Data must be submitted in writing to StrongDM’s Data Protection Officer by an authorized representative of the Customer, as designated in Appendix 1 to this ISA.
Notwithstanding any provision to the contrary herein or in the Agreement, StrongDM may retain Customer Data, or portions thereof, to the extent required by applicable law, regulation, or legal process. Any Customer Data so retained shall remain subject to StrongDM’s confidentiality and security obligations as set forth in this ISA and the Agreement.
Data Privacy
StrongDM has appointed a senior leader to oversee a Data Privacy Program. This senior leader is the named Data Protection Officer for the purposes of the various data protection laws that StrongDM adheres to or is subject to. StrongDM maintains a standard Data Processing Addendum (“DPA”) which is incorporated into the Agreement. If there is any conflict between the provisions of such DPA and those of this ISA, the provisions of the DPA will control.
Security Incident Management
Notification of Incident or Breach
In the event of a Security Incident, StrongDM will notify all customers known or strongly suspected to be affected without undue delay and in no event longer than forty-eight (48) hours from the initiation of our Incident Response process. Notification will be given to the Customer via email to the point of contact listed in Appendix 1.
Such notification shall, to the extent known at the time of notification and legally permissible, include:
- A description of the nature of the Security Incident;
- The categories of Customer Data that were or are reasonably suspected to have been affected by the Security Incident;
- A summary of the measures taken or proposed to be taken by StrongDM to mitigate the potential adverse effects of the Security Incident and to prevent a recurrence;
- A designated point of contact within StrongDM from whom Customer may obtain additional information.
Notwithstanding the foregoing, StrongDM may delay providing such notification if and to the extent such delay is explicitly requested in writing by a law enforcement agency or a supervisory authority for a limited period, and where StrongDM reasonably determines that notification would impede a criminal investigation or regulatory action. StrongDM shall provide the notification as soon as the reason for the delay no longer exists.
Secure System & Software Development
StrongDM maintains a robust Software/Systems Development Life Cycle to ensure the highest quality code and systems are developed and deployed into StrongDM’s environments. Engineers/developers are trained on StrongDM’s SDLC and secure coding practices relevant to their role.
Separation of Environments
StrongDM maintains physically separate environments for production, staging, and development. Customer Data is prohibited from being used in any non-production environment. Access to production environments is strictly limited to those StrongDM Personnel with a defined business need.
Development and Release
Each change is authored and reviewed by a pair of developers. Development of changes must adhere to all code standards set by StrongDM, including those for linting, licensing, quality, and security. All changes must be reviewed and approved by at least one engineer not responsible for their creation prior to integration and release. All releases to the production environment must have been tested in a lower environment first and must have a documented roll-back plan.
Configuration Management
All StrongDM production and staging systems are centrally managed through relevant configuration management systems or through infrastructure as code. Changes to configurations in the StrongDM Platform or its supporting systems are tracked.
Contingency Planning
Contingency Planning
StrongDM maintains a holistic Contingency Planning program to assess and prepare for potential disruptions to our business and our ability to provide the StrongDM Platform to Customers.
Business Continuity
StrongDM is a fully remote company with operations spread across the Western hemisphere, ensuring that a disaster in one region doesn’t affect our ability to continue operating. The systems on which the Services run follow a distributed, highly available architecture to prevent isolated events from interrupting the delivery of the Services to Customers. StrongDM operates redundant business systems to ensure that its Personnel can continue working and supporting the delivery of the Services to Customers during potential outages.
Disaster Recovery
StrongDM maintains disaster recovery plans to ensure that we can continue to deliver the Services to Customers after a major event. Disaster recovery plans include provisioning of redundant systems in geographically diverse data centers, and periodic testing of failover plans. StrongDM has established RTOs and RPOs for restoring the Services after a failure. Executive summaries of test reports are made available to Customers through StrongDM’s Trust Center.
Risk Management
Enterprise Risk
StrongDM maintains an Enterprise Risk Management program to evaluate, track, and remediate risks and potential risks to StrongDM. We conduct annual risk assessments and post an executive summary of these risk assessments to our Trust Center.
Third-party/Vendor Risk
StrongDM maintains a Third-Party/Vendor Risk Management program to evaluate and track all vendors that StrongDM engages with. Vendors are evaluated during the procurement process based on the scope of engagement, types of data they will process/store, and other relevant information. Vendors designated as critical or high-risk are reviewed annually.
Independent Testing, Inspections & Audits
AICPA SOC 2 Type II
StrongDM maintains compliance with the AICPA Trust Services Criteria and annually engages an independent third-party auditing firm to produce a SOC 2 Type II audit report. StrongDM will post its most recently completed audit report and provide any required bridge letters through our Trust Center.
Payment Card Industry Data Security Standard
StrongDM maintains compliance with the current version of the PCI DSS. Annually, we engage with an independent third-party auditing firm to produce an Attestation of Compliance and Report on Compliance. StrongDM will post its most recently completed audit report through our Trust Center.
Customer Right to Audit
StrongDM provides the independent audit reports described in the preceding sections as evidence that it is complying with this ISA. StrongDM grants the Customer the limited right to audit StrongDM's compliance with this ISA strictly to the extent necessary to comply with any applicable law or regulation, subject to the following conditions:
- Customer shall provide StrongDM with at least thirty (30) days' prior written notice of its intention to audit;
- The scope of any such audit shall be limited to those security controls and practices directly relevant to the Services provided to Customer and the protection of Customer Data;
- Any such audit shall be conducted during StrongDM's normal business hours and in a manner that does not unreasonably interfere with StrongDM's business operations;
- Such audits may be conducted no more than once in any twelve (12) month period, unless:
  - Expressly required by applicable law or a regulatory authority, or
  - Following a Security Incident that has impacted Customer Data and for which Customer has a reasonable basis to request an additional audit;
- Any such audit shall be at Customer's sole expense;
- Unless explicitly required by law, and for the protection of all Customers’ confidentiality, Customer shall not be granted direct access to any StrongDM system or any data or systems belonging to other StrongDM customers.
Customer shall treat all information obtained during such audit as StrongDM's Confidential Information.
Notifications
Security and Incident Notifications
All general, security, and incident notifications to StrongDM under this Information Security Addendum shall be made in writing to security@strongdm.com.
Data Deletion Notifications
Notifications pertaining to Personal Data or Data Deletion requests shall be made in writing to dpo@strongdm.com.
Limitation of Liability
Nothing in this Information Security Addendum shall be construed to limit or increase either party’s liability as set forth in the Agreement. The limitations and exclusions of liability set forth in the Agreement shall apply to this Information Security Addendum as if fully set forth herein.
No Third-Party Beneficiaries
This ISA is entered into for the sole benefit of the parties hereto and their respective successors and permitted assigns, and nothing herein, express or implied, is intended to or shall confer upon any other person or entity any legal or equitable right, benefit, or remedy of any nature whatsoever under or by reason of this ISA.
Updates and Modifications
StrongDM may update this Information Security Addendum (ISA) from time to time to address changes in applicable laws, regulations, or generally accepted industry standards or best practices concerning information security and data protection. StrongDM will provide Customer with at least thirty (30) days' prior written notice of any material updates to this ISA. Such notice will be delivered in accordance with the notice provisions set forth in the Agreement, or if no such provisions are specified, to the email address(es) designated by Customer in Appendix 1 for Security and Incident Notifications.
If Customer objects to any material update to this ISA, Customer shall have the right to terminate the Agreement by providing written notice of termination to StrongDM, such notice to be provided prior to the effective date of the update. Customer's failure to provide such notice of termination before the update's effective date, or Customer's continued use of the Services after the effective date of the update, shall constitute Customer's acceptance of the updated ISA.