alert

Periscope Data Cloud Security

Nothing is more important than the security of your data — your business depends on it. That’s why we’ve built a cloud security infrastructure that follows industry wide best practices and standards.

Periscope Data Security Architecture

Periscope Data's security infrastructure

1 Customers connect to Periscope Data over HTTPS, the protocol used for online banking.

2 Periscope's Web and Backend servers connect to each other using encrypted connections over SSL.

3 Periscope connects to customer databases from static IP addresses that customers can whitelist in their firewall settings. For databases in private networks, Periscope can connect through using SSH tunnels.

Security Certifications

Periscope Data conducts a variety of audits to ensure continuous compliance with industry standard best practices. All Periscope Data certifications require an independent 3rd party to audit specific adherence to their respective guidelines annually. In addition to HIPAA and SOC2 audits, Periscope Data performs its own internal audits at regular intervals to ensure ongoing compliance.

  • Periscope Data is SOC2 certified for data security for cloud-based service providers. Documentation available upon request.
  • Periscope Data is HIPAA certified for all medical and patient-centered data. Documentation available upon request. 
  • All servers receive quarterly patching and security updates, and intrusion detection systems monitor for security incidents.

Connections

Our architecture is designed to keep requests encrypted with SSL/TLS connections as they enter and move throughout Periscope Data. Inbound requests enter Periscope Data and are routed throughout our stack. They are only decrypted when reaching their destination and are re-encrypted for transport.

  • All traffic between your web browser and Periscope Data’s servers is encrypted with 256-bit AES encryption.
  • Database connections use JDBC over SSL. For additional layers of security, we recommend connecting through SSH tunnels and whitelisting access to our static IPs.
  • Periscope Data maintains strong connections with HTTP Strict Transport Security (HSTS) protocols to protect against a multitude of security attacks.

Data Security and Information Systems

The following details outline our data security, physical security, and audits. Periscope Data is hosted on Amazon Web Services (AWS), we recommend referencing their compliance documents in addition to our own.

Periscope Data is governed by its Information Security Management System (ISMS), a set of policies and procedures designed to keep customer data and Periscope Data corporate assets safe and restricted to their intended and authorized use. Periscope Data’s ISMS is compliant with the HIPAA HITECH Security Rule and is SOC2 Certified. Details of Periscope Data’s ISMS and compliance audit procedures follow.

  • Periscope Data follows OWASP best practices and security guidelines.
  • No customer data is sold to any 3rd party for any reason.
  • Access to production servers is restricted except for the automated deployment of code written by Periscope Data software engineers, and during declared emergencies by on-call engineers. Non-Periscope Data code is never deployed on our production servers.
  • Periscope Data performs cross-site scripting and SQL injections checks to defend against unauthorized access.

Monitoring, Access Logs, & Intrusion Detection Systems

Periscope Data employs a robust Intrusion Detection System (IDS) and monitoring/auditing framework in our production environment. Any access to Periscope Data system logs the who, what, where, and when details of the transaction.

Data Encryption & Intrusion Prevention

To prevent unauthorized access, Periscope Data has taken a number of steps to ensure that data security is maintained, even in the context of breach.

Network-level Access Control Lists (ACLs) monitor all network-level transactions, and verify that servers attempting to communicate with each other are authorized to do so. These ACLs specify which ports are approved for network communication depending on the individual server’s role in the overall Periscope Data architecture. ACLs are analogous to firewalls that operate at the subnet level. Engineering access to production systems are secured via SSH keys. Passwords and connection configurations are encrypted.  

User-Level Security

  • Periscope Data offers SAML-based Single Sign-On functionality. We support OktaOneLogin, and Google Apps SSO providers.
  • Periscope Data requires strong passwords. Audit logging lets administrators see when users last logged in and when passwords were last changed.
  • Periscope Data empowers all Periscope Data users to secure their access with Two-Factor Authentication.
  • Admins on our Enterprise plan can mandate two-factor authentication for all users.
  • Periscope Data helps you restrict data access to only those who should have it with Data Permissions. Available with Enterprise plans.

Communications and Operations Management

  • All code changes and application updates to our production environment are reviewed for security issues before general release.
  • Periscope Data isolates development, testing, staging, and production environments in different engineering environments.
  • User passwords are salted, irreversibly hashed, and stored in Periscope Data's Postgres database. Periscope Data employees are restricted from accessing user passwords.

Incident Event and Communication Management

  • Periscope Data conducts penetration tests on external networks annually.
  • Periscope Data has formal incident response plans for major events.
  • For major events, our email notification system contacts affected companies within 24 hours.

Disaster and Data Recovery

Periscope Data is distributed across each of the AWS availability zones (AZs) in the US East (N. Virginia) Region. This posture allows for a self-healing infrastructure with redundant servers for critical services present in each AZ. The platform features built-in mechanisms to detect when components are not operating or operating in a degraded state. It will automatically scale within the alternate AZs to ensure that services remain available and responsive.