OUR APPROACH TO SECURITY
We leverage people, process, and technology to deliver a robust security program in both our product and corporate environments.
Our compliance program is built on well-known frameworks and is verified by independent third-party auditors.
Our privacy program provides transparency on how we collect, use, disclose, transfer, and store customer information.
Being a Trusted Ally
“To be an effective security ally, we must put on our own oxygen mask first. We actively manage our comprehensive, risk-based security program and validate it with external parties annually to identify areas for improvement. By doing so we ensure that we are prepared at all times to defend and support our customers.”
— Dave Farrow, CISO
See Something? Say Something.
Make us better with the Vulnerability Disclosure Program
Trust is a two-way street. If something catches your eye, we want to know about it. Visit the Vulnerability Disclosure Program to learn more about how you can disclose potential vulnerabilities to us.
Red Canary's Product Security team infuses security into the entire software development lifecycle, from architecture to production.
Developer Security Training
We provide ongoing courses to our developers that improve their understanding of common attacks, frameworks, and mitigation techniques for our products.
Our Product Security team works closely with our Product development teams throughout the design and implementation processes to ensure security is designed into our platform, applications, and services.
Automated Application Security Testing
We leverage automation tools to test our products in both a runtime and development state to discover vulnerabilities before they go live.
Security Risk Assessments
We conduct security assessments throughout the product lifecycle to ensure adherence to our security, privacy, and compliance standards. Deviations from our standards are addressed prior to public release.
We engage with third parties to perform manual security tests of our products. These tests are performed no less than annually. This security testing uncovers more complex security flaws that may not be caught by automated tooling, including business logic abuse.
Our dedicated internal security team works to continuously improve our threat-mitigation practices to protect Red Canary infrastructure.
- Zero Trust: Our Corporate Security team provides verifiably secure, frictionless access to the right systems at the right time. Zero Trust ensures multiple contextual data points are evaluated to provide secure access to systems.
- Threat Management: Red Canary’s threat modeling framework ensures appropriate security controls are in place to mitigate risks on corporate systems.
- Vulnerability Management: This collaborative effort between systems owners and corporate security identifies and remediates vulnerabilities in line with our policy and compliance frameworks.
- Corporate Security Testing: We emulate attackers to test the effectiveness of our corporate controls. This uncovers vulnerabilities and allows us to identify issues long before an adversary does.
Governance, Risk, and Compliance
Governance Framework to Enable the Business
Our governance framework keeps corporate activities aligned to Red Canary’s number one objective: being a security ally to our customers. The keys to accomplish this include business resiliency, ethics, and management controls to drive accountability and results.
Adaptive Security Risk Management
Our security risk management framework sets out the guiding principles and establishes roles and accountability for managing, monitoring, and improving the risk management practice within Red Canary. The program is adaptive to reflect the changing internal and external environment, as well as technology advancements.
Red Canary implements security policies based on industry best practices and regularly conducts internal and external audits, attestations, and third-party security assessments. Attestations and certifications associated with products and services are available here.
Third-party assured to earn your trust
Red Canary models our security program around industry best practices and internationally recognized security and privacy frameworks. Red Canary is SOC 2 Type II attested and ISO 27001:2013 certified, with accredited third-party assessments held annually at a minimum. Additionally, our dedicated in-house security teams keep us in compliance with appropriate frameworks and data privacy regulations.
ISO 27001 provides a holistic, risk-based approach to security and a comprehensive and measurable set of information security management practices.
SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.
ISO 27701, published in 2019, is an extension to ISO 27001 and 27002 for privacy information management requirements and guidelines.
JOSCAR (the Joint Supply Chain Accreditation Register) is a collaborative tool used by the aerospace, defense, and security industry to act as a single repository for pre-qualification and compliance information.
What data does Red Canary process?
The Red Canary platform ingests telemetry and alerts from supported third-party endpoint sensors, Red Canary Linux EDR sensors, and supported third-party security products. Whether that data includes any personal or confidential information depends on the customer’s own configurations.
Red Canary does not require access to any personally identifiable information or other sensitive data to provide our services. Our customers’ own security configurations will determine whether, and to what extent, such data is included in the telemetry and alerts that are transmitted to the Red Canary platform.
For more information on specific product integrations and the data processed for each, see https://help.redcanary.com/hc/en-us/categories/360003867473-Integrations.
Where does Red Canary process and store customer data?
Currently, Red Canary processes and stores all customer data in the United States.
How does Red Canary comply with data privacy laws?
Recognizing that customer data may include some personally identifiable information, Red Canary has implemented a robust data privacy program certified under ISO 27701. Customers may add a Data Protection Addendum to their agreement with Red Canary to document compliance with the data privacy laws of the U.S., Canada, EU, UK, Australia, New Zealand, and Switzerland such as GDPR, UK GDPR, CCPA, CPRA, PIPEDA, FDPA, Privacy Act (1998) (Australia), and Privacy Act 2020 (New Zealand). In addition to other elements, the Red Canary DPA includes the necessary standard contractual clauses to cover transfers of any personally identifiable information from the EU, UK, or Switzerland.
Who are Red Canary’s subprocessors?
Red Canary uses some third-party services to provide its services (e.g., cloud hosting, logging, and external notifications). Depending on what data our customers provide to us, the data processed by those third-party tools could contain personal information (in its broadest legal definition). Accordingly, Red Canary conservatively classifies those third-party tools as “subprocessors.” However, those subprocessors are unable to access the contents of the customer data they process as it is encrypted and Red Canary controls the encryption key.
The current list of Red Canary’s subprocessors is available in the Red Canary portal. For security reasons Red Canary does not make that list publicly available, but we will share it with prospective customers under an NDA.
If you are a customer or in the process of becoming a customer, you can request a copy of these reports by emailing email@example.com.