Confluent, Inc. (“Confluent”)
Last Updated: July 25, 2018
Confluent’s Cloud Security Addendum (“Security Addendum”) outlines the technical and procedural measures that Confluent currently undertakes to protect Content from unauthorized access or disclosure for those Customers who have entered into a Confluent Cloud Enterprise Subscription Agreement with Confluent (“Agreement”) for the Confluent Cloud Enterprise Service (“Confluent Cloud”). Confluent may change this Security Addendum from time to time and such changes will be effective when posted. Capitalized terms used but not defined in this Security Addendum have the meanings as set forth in the Agreement.
1.1 Customer controls access to Confluent Cloud via User IDs and passwords (“User Credentials”). “User ID” or “User IDs” is a unique identifier the Customer creates to establish an account for the Confluent Cloud.
1.2 Confluent Cloud encrypts data in-transit and at rest. For the purposes of data governance and data confidentiality, Customers should encrypt data prior to sending any data to Confluent; in some cases such encryption will be required.
1.3 Confluent uses Content only as appropriate to provide Confluent Cloud to Customer, as specified in the Agreement.
1.4 Content is stored at rest in the Customer’s tenant in the Confluent Cloud production environment, provisioned per the Agreement.
1.5. Content is replicated by Confluent and retained per Customer’s specified retention periods in the Agreement. This gives customers high data durability guarantees. Customers are expected to consume the data they send to Confluent Cloud regularly and store data in their data stores of choice beyond the retention policy specified.
2.1 Confluent Cloud stores Content encrypted at rest. This is done leveraging enterprise grade encryption standards employed on the storage backend.
2.2 Confluent Cloud encrypts traffic in-transit with appropriate encryption standards for data in-motion.
2.3 Confluent Cloud includes logical separation of data between customers. Depending on the product purchased, Confluent Cloud may include Customer-specific, dedicated cloud resources. In all cases, Confluent has implemented controls designed to prevent one customer from gaining unauthorized access to another customer’s data.
3.1 Access to the systems and infrastructure that support Confluent Cloud is restricted to Confluent Cloud Operations Administrators (CCOA) who require such access as part of their job responsibilities.
3.2 Unique User IDs are assigned to CCOA’s, as part of their hiring and onboarding process.
3.3 Server password policy for Confluent Cloud in the production environment adheres to Confluent password requirements and is in-line with industry recommendations.
3.4 Access privileges of terminated Confluent personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
3.5 Confluent personnel access to the systems and infrastructure that support Confluent Cloud is reviewed yearly.
3.6 AWS Security Groups have deny-all default policies and only enable appropriate network protocols for egress and ingress network traffic.
3.7 Bastion hosts that utilize appropriate security measures are the only enabled remote administration point of access for CCOAs on the Confluent Cloud production environment.
4.1 Confluent maintains a risk management program based on industry guidance.
4.2 Confluent conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.
4.3 Results of assessments, including formal reports as relevant, are reported to head of the Confluent Security Committee (“Security Committee”). The Security Committee meets biannually to review reports, to identify control deficiencies and material changes in the threat environment, and to make recommendations for new or improved controls and threat mitigation strategies to executive management.
4.4 Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.
4.5 Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
5.1 Vulnerability mitigation is a part of every Confluent Cloud engineer’s responsibility.
5.2 The latest applicable patches and updates are applied promptly after becoming available and being tested in Confluent Cloud’s pre-production environments.
5.3 Potential impacts of vulnerabilities are evaluated by Confluent Cloud engineers.
5.4 Vulnerabilities that trigger alerts and have published exploits are reported to the Security Committee, which determines and supervises appropriate remediation action.
5.5 Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
5.6 Penetration tests by independent third parties are conducted at least annually. Detailed results from external penetration tests are not distributed or shared with anyone other than Confluent employees with a need to know.
6.1 All access to the Confluent VPCs (e.g., Development and Production accounts) require authentication through an encrypted connection such as SSH, MFA, using regular-rotated ssh keys and never passwords.
6.2 Confluent corporate offices, including LAN and Wi-Fi networks in those offices, require successful authentication in addition to authentication to AWS accounts for access.
6.3 Confluent maintains a policy of not storing Content processed by Confluent Cloud on local desktops, laptops, mobile devices, shared drives, removable media, as well as on public facing systems that do not fall under the administrative control or compliance monitoring processes of Confluent.
7.1 Content is stored in the available Confluent Cloud region identified in the Agreement, for the account requested by Customer.
7.2 Customers are expected to specify the locations.
8.1 Monitoring tools and services are used to monitor systems including network, server events, and AWS API security events, availability events, and resource utilization.
8.2 Confluent infrastructure security event logs are collected in a central system and stored using appropriate security measures designed to prevent tampering. Logs are stored for 3 months.
9.1 Confluent shall create, implement and maintain system administration procedures for systems that access Content that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications), and proper installation of threat detection software as well as daily signature updates of the same.
9.2 Confluent’s security team reviews US-CERT new vulnerabilities announcements weekly and assesses their impact to Confluent based on Confluent-defined risk criteria, including applicability and severity.
9.3 Applicable US-CERT security updates rated as “high” or “critical” are addressed within 30 days of the patch release.
10.1 Confluent maintains a security awareness program for Confluent personnel, which provides initial education, ongoing awareness, and individual Confluent personnel acknowledgment of intent to comply with Confluent’s corporate security policies. New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the Confluent information security policy.
10.2 All Confluent personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Content.
10.3 All Confluent personnel are required to satisfactorily complete security training annually.
11.1 Confluent Cloud is hosted in AWS, GCP, and other public clouds. Therefore, all physical security controls are managed by the applicable public cloud provider. Annually, Confluent reviews the applicable security and compliance reports of the public cloud providers it uses to ensure appropriate physical security controls, including:
11.1.1 Visitor management including tracking and monitoring physical access.
11.1.2 Physical access point to server locations are managed by electronic access control devices.
11.1.3 Monitor and alarm response procedures.
11.1.4 Use of CCTV cameras at facilities.
11.1.5 Video capturing devices in data centers with 90 days of image retention.
11.1.6 Environmental and power management controls
11.1.7 Removal and destruction of physical media including drives
12.1 Confluent will notify Customer in writing within seventy-two (72) hours of confirmed unauthorized access to Content.
12.2 Such notification will summarize the known details of the breach and the status of Confluent’s investigation.
12.3 Confluent will take appropriate actions to contain, investigate, and mitigate any such breach.
13.1 Confluent maintains a Disaster Recovery Plan (DRP) for Confluent Cloud. The DRP is tested annually. Customer disaster recovery strategies may cover recovery of authentication and authorization data comprising account, user information, and data being sent programmatically into Confluent’s infrastructure.
13.2 Confluent’s default DRP covers Customer’s account and user information. To cover data being sent and stored into the Confluent infrastructure, Customer is responsible to ensure Customer purchases the service level with disaster recovery that corresponds with Customer’s DRP strategy.
13.3 Confluent Cloud is delivered to customers from different cloud providers such as AWS and GCP. Each of the cloud providers provides an inbuilt disaster recovery strategy delivered to Customer to be employed as part of Customer’s DRP strategy.
14.1 Confluent hires accredited third parties to perform audits and to attest to various compliance and certifications annually including:
14.1.1 SOC 2 Type II Attestation Report.
14.2 Confluent is pursuing PCI-DSS Level 1 Certification, ISO 27001 & 27018, and compliance with the HIPAA Security Rule.
15.1 Customer is responsible for managing and securing its user accounts, Content and User Credentials within Confluent Cloud and for protecting its own resources, including through the use of encryption. Customer will comply with the terms of its Agreement with Confluent as well as with all applicable laws.
15.2 Customer will immediately notify Confluent if a User Credential has been compromised or if Customer suspects possible suspicious activities that could negatively impact the security of Confluent Cloud or Customer’s account.
15.3 Customer may not perform any security penetration tests or security assessment activities without the express, prior written consent of Confluent’s Director of Information Security.
15.4 Confluent has implemented reasonable security measures designed to prevent unauthorized access to and accidental loss of data uploaded to our service as described in this Addendum. Confluent does not, however, guarantee that unauthorized third parties will not obtain access to Content. Customer is responsible for its Content and the consequences of uploading it to Confluent Cloud.
15.4.1 Customer shall not upload cardholder or sensitive authentication data (as those terms are defined in the PCI DSS standards) or protected health information (PHI as defined under Health Information Portability and Accountability Act (HIPAA)) into Confluent Cloud.
15.4.2 Customer is responsible for ensuring a level of data protection commensurate with the sensitivity of the Content it uploads to Confluent Cloud including, without limitation, an appropriate level of message-level encryption.
15.5 Customer is responsible for managing a backup strategy regarding Content.