Data Storage and Retention

How does Panoptica retain and store data?

As a security company we treat the data we hold carefully and take every reasonable precaution to protect it. We run penetration tests twice a year, our backend API enforces mitigations for the OWASP Top 10, customer data is kept in two separate databases and is never shared between customers, and each tenant is protected by a WAF that allows access only from specific geolocations. Our SOC 2 status is listed under General below. In more detail:

Storage - Data is stored in two different databases:

  • The first is a NoSQL database holding the raw data used for backend analytics. It is encrypted and reachable only through an SSH jump server, and only by our R&D team.

  • The second is a SQL database that is virtually multi-tenant (a separate schema per client). It is encrypted and accessible only via our backend API server, and it has scheduled backups that are stored encrypted.

Account Access

  • Each client has access only to its own tenant, with dedicated users and role-based access management (roles and permissions).
  • A user in one tenant cannot be granted access to another tenant.
  • Tenants are protected by a WAF that allows access only from specific geolocations.

General

  • The backend API enforces mitigations for all OWASP Top 10 categories.
  • The system goes through penetration testing every six months (we can share the report upon request).
  • We use third-party SAST tools to check our code.
  • Access to our AWS account is restricted to authorized users and requires MFA.
  • We are in the process of obtaining SOC 2 compliance.

Retention
For CVE scanning, the snapshots taken of your EC2 instances are deleted as soon as they have been analyzed; only the detected CVEs are saved in your tenant DB.

The other data collected (AWS configuration) consists of:

  • The currently collected AWS service configurations, and nothing else (we add services to this list from time to time):
    • Account configuration
    • EC2, with its resources
    • VPC, with its resources
    • IAM
    • S3 Buckets
    • RDS
    • Redshift
    • DynamoDB
    • SageMaker
    • CloudFormation
    • ECS
    • EKS
    • CloudFront
    • Route53
    • Config
    • CloudTrail
    • CloudWatch
    • SQS
    • SNS
    • SES
    • Lambda Functions
    • API Gateway

During the POC this data is stored in the same tenant DB. If we continue beyond the POC, it is retained for six months. Otherwise it is deleted when the POC ends and the tenant is destroyed; tenant data is removed automatically as part of tenant destruction.

The data is collected using only the AWS-managed SecurityAudit policy, which grants read access to configuration metadata and not to data contents, so we cannot read your private data inside S3 buckets, databases, or other services.
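As a customer you can verify the claim above on your side rather than take it on trust. The following is an added example, not Panoptica's code, and it assumes the integration is granted through a cross-account IAM role in your account (the page does not say how the SecurityAudit policy is granted); the role name, the data-plane action list and the sample policy documents are constructed for illustration. It checks that the role carries only the SecurityAudit managed policy and that any inline policy allows nothing beyond Describe/List/Get-style metadata reads.

```python
"""Verify that the IAM role a third-party scanner assumes grants only the
AWS-managed SecurityAudit policy (read-only configuration metadata).

Added example, not Panoptica's code. Assumes a cross-account IAM role in the
customer account; role name and sample policies below are constructed.
"""
import fnmatch

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

# Read-style actions that nonetheless return customer data rather than
# configuration. Illustrative, not exhaustive: extend for your own services.
DATA_PLANE_READS = (
    "s3:GetObject*", "dynamodb:GetItem", "dynamodb:BatchGetItem",
    "dynamodb:Query", "dynamodb:Scan", "secretsmanager:GetSecretValue",
    "ssm:GetParameter*", "kms:Decrypt", "rds:DownloadDBLogFilePortion",
    "sqs:ReceiveMessage", "logs:GetLogEvents", "logs:FilterLogEvents",
)
READ_ONLY_VERBS = ("Describe", "List", "Get", "View", "Lookup")


def as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def is_metadata_read(action):
    """True only for Describe/List/Get-style actions that are not data-plane
    reads. Wildcards in the verb (s3:Get*, iam:*, *) are treated as unsafe
    because they may expand to data-plane actions."""
    if action == "*" or action.endswith(":*"):
        return False
    if any(fnmatch.fnmatch(action, pat) for pat in DATA_PLANE_READS):
        return False
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_VERBS) and "*" not in verb


def audit_role(attached_policy_arns, inline_policies):
    """Return a list of findings; an empty list means SecurityAudit-only.

    attached_policy_arns: PolicyArn values from iam:ListAttachedRolePolicies
    inline_policies:      {policy_name: policy_document} from iam:GetRolePolicy
    """
    findings = []
    attached = set(attached_policy_arns)
    if SECURITY_AUDIT_ARN not in attached:
        findings.append("SecurityAudit managed policy is not attached")
    for arn in sorted(attached - {SECURITY_AUDIT_ARN}):
        findings.append(f"unexpected managed policy attached: {arn}")
    for name, doc in inline_policies.items():
        for stmt in as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue  # explicit Deny statements only narrow access
            for action in as_list(stmt.get("Action", [])):
                if not is_metadata_read(action):
                    findings.append(f"inline policy {name!r} allows {action}")
    return findings


def fetch_role(role_name, iam=None):
    """Pull the real inputs for audit_role() with boto3 (needs AWS credentials).
    Pagination is omitted for brevity; roles rarely exceed one page."""
    import boto3  # imported here so the pure checks above run without it
    iam = iam or boto3.client("iam")
    arns = [p["PolicyArn"] for p in
            iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]]
    inline = {}
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        inline[name] = iam.get_role_policy(
            RoleName=role_name, PolicyName=name)["PolicyDocument"]
    return arns, inline


# Constructed sample inputs: a compliant role, and one that has drifted by
# gaining ReadOnlyAccess plus an inline policy that can read S3 objects.
GOOD_ROLE = ([SECURITY_AUDIT_ARN], {})
DRIFTED_ROLE = (
    [SECURITY_AUDIT_ARN, "arn:aws:iam::aws:policy/ReadOnlyAccess"],
    {"extra-s3": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "*"}]}},
)

if __name__ == "__main__":
    for label, (arns, inline) in (("good", GOOD_ROLE), ("drifted", DRIFTED_ROLE)):
        print(label, audit_role(arns, inline) or "SecurityAudit-only")
    # Against a live account (hypothetical role name):
    # print(audit_role(*fetch_role("PanopticaScannerRole")))
```

Run this periodically, not just at onboarding: the risk is not the initial grant but later drift, such as a helpful admin attaching ReadOnlyAccess "to fix a scan error", which silently adds object-level reads that SecurityAudit never had.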

The six-month retention period can be shortened on request once the agreement is in place.