Red Canary Trust Center

We earn your trust by doing what we say—and sharing it with proactive transparency. This is your source for Red Canary’s security, compliance, privacy, and system availability.

Security

We leverage people, process, and technology to deliver a robust security program in both our product and corporate environments.

Compliance

Our compliance program is built on well-known frameworks and is verified by independent third-party auditors.

Privacy

Our privacy program provides transparency on how we collect, use, disclose, transfer, and store customer information.

Status

Use our status page to get ongoing visibility into the uptime of our product offerings.


“To be an effective security ally, we must put on our own oxygen mask first. We actively manage our comprehensive, risk-based security program and validate it with external parties annually to identify areas for improvement. By doing so we ensure that we are prepared at all times to defend and support our customers.”

— Dave Farrow, CISO

Make us better with the Vulnerability Disclosure Program

Trust is a two-way street. If something catches your eye, we want to know about it. Visit the Vulnerability Disclosure Program to learn more about how you can disclose potential vulnerabilities to us.

Red Canary's Product Security team infuses security into the entire software development lifecycle, from architecture to production.

Track: Developer Security Training

We provide ongoing courses to our developers that improve their understanding of common attacks, frameworks, and mitigation techniques for our products.

Track: Design Reviews

Our Product Security team works closely with our Product development teams throughout the design and implementation processes to ensure security is designed into our platform, applications, and services.

Track: Automated Application Security Testing

We leverage automation tools to test our products in both a runtime and development state to discover vulnerabilities before they go live.

Track: Security Risk Assessments

We conduct security assessments throughout the product lifecycle to ensure adherence to our security, privacy, and compliance standards. Deviations from our standards are treated prior to public release.

Track: Penetration Testing

We engage with third parties to perform manual security tests of our products. These tests are performed no less than annually. This security testing uncovers more complex security flaws that may not be caught by automated tooling, including business logic abuse.

Our dedicated internal security team works to continuously improve our threat-mitigation practices to protect Red Canary infrastructure.

  • Zero Trust: Our Corporate Security team provides verifiably secure, frictionless access to the right systems at the right time. Zero Trust ensures multiple contextual data points are evaluated to provide secure access to systems.
  • Threat Management: Red Canary’s threat modeling framework ensures appropriate security controls are in place to mitigate risks on corporate systems.
  • Vulnerability Management: This collaborative effort between systems owners and corporate security identifies and remediates vulnerabilities in line with our policy and compliance frameworks.
  • Corporate Security Testing: We emulate attackers to test the effectiveness of our corporate controls. This uncovers vulnerabilities and allows us to identify issues long before an adversary does.

Governance Framework to Enable the Business

Our governance framework keeps corporate activities aligned to Red Canary’s number one objective: being a security ally to our customers. The keys to accomplish this include business resiliency, ethics, and management controls to drive accountability and results. 

Adaptive Security Risk Management

Our security risk management framework sets out the guiding principles and establishes roles and accountability for managing, monitoring, and improving the risk management practice within Red Canary. The program is adaptive to reflect the changing internal and external environment, as well as technology advancements.

Compliance at Red Canary

Red Canary implements security policies based on industry best practices and regularly conducts internal and external audits, attestations, and third-party security assessments. Attestations and certifications associated with products and services are available here.

View our latest security certifications

Third-party assured to earn your trust

Red Canary models our security program around industry best practices and internationally recognized security and privacy frameworks. Red Canary is SOC 2 Type II attested and ISO 27001:2013 certified, with accredited third-party assessments held annually at a minimum. Additionally, our dedicated in-house security teams keep us in compliance with appropriate frameworks and data privacy regulations.

ISO/IEC 27001

ISO 27001 provides a holistic, risk-based approach to security and a comprehensive and measurable set of information security management practices.

SOC 2

SOC 2 (System and Organization Controls) is a regularly refreshed report that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service.

ISO/IEC 27701

ISO 27701, published in 2019, is an extension to ISO 27001 and 27002 for privacy information management requirements and guidelines.

JOSCAR

JOSCAR (the Joint Supply Chain Accreditation Register) is a collaborative tool used by the aerospace, defense, and security industry to act as a single repository for pre-qualification and compliance information.

What data does Red Canary process?

The Red Canary platform ingests telemetry and alerts from supported third-party endpoint sensors, Red Canary Linux EDR sensors, and supported third-party security products. Whether that data includes any personal or confidential information depends on the customer’s own configurations.

Red Canary does not require access to any personally identifiable information or other sensitive data to provide our services. Our customers’ own security configurations will determine whether, and to what extent, such data is included in the telemetry and alerts that are transmitted to the Red Canary platform.

For more information on specific product integrations and the data processed for each, see https://help.redcanary.com/hc/en-us/categories/360003867473-Integrations.

Where does Red Canary process and store customer data?

Currently, Red Canary processes and stores all customer data in the United States.

How does Red Canary comply with data privacy laws?

Recognizing that customer data may include some personally identifiable information, Red Canary has implemented a robust data privacy program certified under ISO 27701. Customers may add a Data Protection Addendum to their agreement with Red Canary to document compliance with the data privacy laws of the U.S., Canada, EU, UK, Australia, New Zealand, and Switzerland such as GDPR, UK GDPR, CCPA, CPRA, PIPEDA, FDPA, Privacy Act (1998) (Australia), and Privacy Act 2020 (New Zealand).

To address transfers of personally identifiable information to the U.S., Red Canary is certified under the Data Privacy Framework Program administered by the U.S. Department of Commerce in conjunction with the European Commission, UK government, and Swiss Federal Administration. In addition, the Red Canary DPA includes the necessary standard contractual clauses to cover transfers of any personally identifiable information from the EU, UK, or Switzerland to the extent they are not covered by the Data Privacy Framework Program.

Who are Red Canary’s subprocessors?

Red Canary uses some third-party services to provide its services (e.g., cloud hosting, logging, and external notifications). Depending on what data our customers provide to us, the data processed by those third-party tools could contain personal information (in its broadest legal definition). Accordingly, Red Canary conservatively classifies those third-party tools as “subprocessors.” However, those subprocessors are unable to access the contents of the customer data they process as it is encrypted and Red Canary controls the encryption key.

The current list of Red Canary’s subprocessors is available in the Red Canary portal. For security reasons Red Canary does not make that list publicly available, but we will share it with prospective customers under an NDA.

If you are a customer or in the process of becoming a customer, you can request a copy of these reports by emailing grc@redcanary.com.

Trust issues: Proactive transparency drives good business
Trust issues: Building a strong foundation in an ever-changing field
Trust issues: The two sides of Say:Do