Last Updated: July 28, 2020
Confluent’s Cloud Security Addendum (“Security Addendum”) outlines the technical and procedural measures that Confluent undertakes to protect Content from unauthorized access or disclosure. Confluent may change this Security Addendum from time to time and such changes will be effective when posted. Capitalized terms used but not defined in this Security Addendum have the meanings as set forth in the Confluent Cloud Services Agreement or other written or electronic terms of a cloud service or cloud subscription agreement (“Agreement”) entered into by the parties.
1.1 Customer controls access to the Cloud Service via User IDs and passwords (“User Credentials”) or Security Assertion Markup Language (SAML) integration with a Customer’s Identity Provider (IDP). A User ID is a unique identifier the Customer creates to establish an account for the Cloud Service.
1.2 The Cloud Service encrypts data in-transit and at rest. For the purposes of data governance and data confidentiality, Customers should encrypt data prior to sending any data to Confluent; in some cases, such encryption will be required.
1.3 Confluent uses Content only as appropriate to provide the Cloud Service to Customer, as specified in the Agreement.
1.4 Content is stored at rest in the Cloud Service production environment, provisioned per the Agreement.
1.5. Content is replicated by Confluent and retained per Customer’s specified retention periods set by Customer in the Cloud Service. Customers are expected to consume the data they send to the Cloud Service regularly and store data in their data stores of choice beyond the retention policy specified.
2.1 The Cloud Service stores Content encrypted at rest. This is done leveraging enterprise grade encryption standards employed on the storage backend.
2.2 The Cloud Service encrypts traffic in-transit with appropriate encryption standards for data in-motion.
2.3 The Cloud Service includes logical separation of data between customers. Depending on the product purchased, the Cloud Service may include Customer-specific, dedicated cloud resources. In all cases, Confluent has implemented controls designed to prevent one customer from gaining unauthorized access to another customer’s data.
3.1 Access to the systems and infrastructure that support the Cloud Service is restricted to the Cloud Service Operations Administrators (CSOA) who require such access as part of their job responsibilities.
3.2 Unique User IDs are assigned to CSOAs, as part of their hiring and onboarding process.
3.3 The server password policy for the Cloud Service adheres to Confluent password requirements and is in-line with industry recommendations.
3.4 Access privileges of terminated Confluent personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.
3.5 Confluent personnel access to the systems and infrastructure that support the Cloud Service is reviewed quarterly.
3.6 Cloud provider firewall or firewall-equivalent controls have deny-all default policies and only enable appropriate network protocols for egress and ingress network traffic.
3.7 Bastion hosts that utilize appropriate security measures are the only enabled remote administration point of access for CSOAs on the Cloud Service production environment.
4.1 Confluent maintains a risk management program based on industry guidance.
4.2 Confluent conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.
4.3 Results of assessments, including formal reports as relevant, are reported to the head of the Confluent Security Committee (“Security Committee”). The Security Committee meets biannually to review reports, to identify control deficiencies and material changes in the threat environment, and to make recommendations for new or improved controls and threat mitigation strategies to executive management.
4.4 Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.
4.5 Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
5.1 Vulnerability mitigation is a part of every Confluent engineer’s responsibilities.
5.2 The latest applicable patches and updates are applied promptly after becoming available and being tested in the Cloud Service’s pre-production environments.
5.3 Potential impacts of vulnerabilities are evaluated by Confluent engineers.
5.4 Vulnerabilities that trigger alerts and have published exploits are reported to security leadership, which determines and supervises appropriate remediation action.
5.5 Security Operations monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.
5.6 Penetration tests by independent third parties are conducted at least annually. Detailed results from external penetration tests are not distributed or shared with anyone other than Confluent employees with a need to know. Redacted summaries are available with appropriate non-disclosure agreements in place.
6.1 All access to the Cloud Service networks requires authentication through an encrypted connection such as SSH, MFA, using regular-rotated SSH keys, and never passwords.
6.2 Confluent corporate offices, including LAN and Wi-Fi networks in those offices, require successful authentication in addition to authentication to public cloud provider accounts for access.
6.3 Confluent maintains a policy of not storing Content processed by the Cloud Service on local desktops, laptops, mobile devices, shared drives, removable media, as well as on public facing systems that do not fall under the administrative control or compliance monitoring processes of Confluent.
7.1 Content is stored in the available Cloud Service region(s) identified in the Agreement, for the account requested by Customer.
7.2 Customers are expected to specify the locations.
8.1 Monitoring tools and services are used to monitor systems including network, server events, availability events, resource utilization, and other security events of interest.
8.2 Confluent infrastructure security event logs are collected in a central system and stored using appropriate security measures designed to prevent tampering. Logs are stored for twelve months.
8.3 Confluent security events of interest are reviewed for malicious or inappropriate activity.
9.1 For systems that access Content, Confluent creates, implements, and maintains system administration procedures that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications), and proper installation of threat detection solution with daily signature updates.
9.2 Confluent’s security team reviews US-CERT new vulnerabilities announcements weekly and assesses their impact to Confluent based on Confluent-defined risk criteria, including applicability and severity.
9.3 Applicable US-CERT security updates rated as “high” or “critical” are addressed within thirty days of the patch release.
10.1 Confluent maintains a security awareness program for Confluent personnel, which provides initial education, ongoing awareness, and individual Confluent personnel acknowledgment of intent to comply with Confluent’s corporate security policies. New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the Confluent information security policy.
10.2 All Confluent personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Content.
10.3 All Confluent personnel are required to satisfactorily complete security training annually.
11.1 The Cloud Service is hosted in AWS, GCP, Azure, and other public clouds. Therefore, all physical security controls are managed by the applicable public cloud provider. Annually, Confluent reviews the applicable security and compliance reports of the public cloud providers it uses to ensure appropriate physical security controls, including:
11.1.1 Visitor management including tracking and monitoring physical access;
11.1.2 Physical access point to server locations are managed by electronic access control devices;
11.1.3 Monitor and alarm response procedures;
11.1.4 Use of CCTV cameras at facilities;
11.1.5 Video capturing devices in data centers with ninety days of image retention;
11.1.6 Environmental and power management controls; and
11.1.7 Removal and destruction of physical media including drives.
12.1 Confluent will notify Customer in writing within seventy-two (72) hours of confirmed unauthorized access to Content.
12.2 Such notification will summarize the known details of the breach and the status of Confluent’s investigation.
12.3 Confluent will take appropriate actions to contain, investigate, and mitigate any such breach.
13.1 Confluent maintains a Disaster Recovery Plan (DRP) for the Cloud Service. The DRP is tested annually. Disaster recovery strategies may cover recovery of authentication and authorization data comprising account, user information, and data being sent programmatically into Confluent’s infrastructure.
13.2 Confluent’s DRP covers Customer’s account and user information. To cover data being sent and stored into the Confluent infrastructure, Customer is responsible for ensuring it purchases the service level with disaster recovery that corresponds with Customer’s disaster recovery strategy.
13.3 The Cloud Service is delivered to customers from different cloud providers such as AWS, Azure, and GCP. Each of the cloud providers provides an inbuilt disaster recovery strategy delivered to Customer to be employed as part of Customer’s disaster recovery strategy.
Confluent hires accredited third parties to perform audits and to attest to various compliance standards and certifications annually including:
14.1.1 SSAE 18 SOC 1 Type II, SOC 2 Type II, and SOC 3.
14.1.2 HIPAA readiness – after a Business Associate Agreement (BAA) has been properly executed with Confluent, Confluent can support Customer data uploaded to the Cloud Service that is regulated under the Health Insurance Portability and Accountability Act of 1996 including all applicable regulations promulgated thereunder (HIPAA).
14.1.3 Payment Card Industry Data Security Standards (PCI-DSS) – Confluent can support PCI data that is message-level encrypted by Customer.
14.1.4 CSA Star Level 1 Attestation.
14.1.5 ISO 27001 certification.
15.1 Customer is responsible for managing and securing its Content and User Credential(s) within the Cloud Service and for protecting its own resources, including through the use of encryption. Customer will comply with the terms of the Agreement as well as all applicable laws.
15.2 Customer will immediately notify Confluent if a User Credential has been compromised or if Customer suspects possible suspicious activities that could negatively impact the security of the Cloud Service or Customer’s account.
15.3 Customer may not perform any security penetration tests or security assessment activities without the express, prior written consent of Confluent’s Head of Information Security.
15.4 Confluent has implemented reasonable security measures designed to prevent unauthorized access to and accidental loss of data uploaded to our service as described in this Security Addendum. Confluent does not, however, guarantee that unauthorized third parties will not obtain access to Content.
15.5 Customer shall not transmit cardholder or sensitive authentication data (as those terms are defined in the PCI DSS standards) unless such data is message-level encrypted by Customer.
15.6 Customer shall not transmit Protected Health Information (as defined under (HIPAA)) into the Cloud Service without first having entered into a BAA with Confluent.
15.7 Customer is responsible for ensuring a level of data protection commensurate with the sensitivity of the Content it uploads to the Cloud Service including, without limitation, an appropriate level of message-level encryption.
15.8 Customer is responsible for managing a backup strategy regarding Content.