Last updated: May 1, 2024
Cyberhaven is a data security company, therefore we take security very seriously. We conduct comprehensive audits of our product, source code, systems, and networks to ensure that your data is always protected. The company founders and many members of our staff have extensive security experience and PhDs in computer systems security.
This Security and Privacy policy applies to the Cyberhaven SaaS products and is meant to be a high-level overview of our security and privacy controls. For a more detailed document outlining our security and privacy controls, please email security@cyberhaven.com.
Cloud Security
Physical Security and Data Hosting
Cyberhaven uses Google Cloud Platform (GCP) data centers in the United States.
Data Security
Cyberhaven processes unstructured and semi-structured data that is made available via its endpoint and cloud sensors. Cyberhaven hosts each customer’s data in a public cloud, specifically the Google Cloud Platform on resources dedicated specifically for each customer. Data of SaaS customers is stored in North America. Upon request, other regions are also supported as long as they are supported by Google Cloud.
Isolated Environments
Each customer runs a fully isolated instance of Cyberhaven: no customer data is shared between different customer deployments and there is no shared processing activity between customers. This means that all virtual compute, storage, and network resources are not shared between customers. This is a guarantee provided by Google Cloud Platform.
Intrusion Detection and Prevention
Cyberhaven has designed multiple layers of security monitoring to detect anomalous behavior, including the usage of Google Security Command Center for Kubernetes-native security and 24/7 monitoring. When incidents are detected, our dedicated security team acts upon them with the highest priority.
Vulnerability Management
Cyberhaven uses multiple industry-standard code analysis tools to discover vulnerabilities in 3rd party dependencies, as well as modern runtime security monitoring to mitigate unknown vulnerabilities.
Our architecture uses a micro-services approach built on the principle of least privilege. Each service is stripped to minimum capabilities in order to minimize the attack surface and limit the impact of any compromise.
Cyberhaven is using container and source code-level security tools that handle vulnerability detection and management. Critical vulnerabilities are patched on a continuous basis. We monitor live deployments for vulnerabilities.
If a security vulnerability is found in our product, we prioritize fixing and patching the security vulnerabilities with the highest priority. If the issue is with a third-party component, we patch systems as soon as a fix is available or workaround the vulnerability issue in our own code base.
Penetration Testing
Cyberhaven carries a third-party penetration test annually and multiple internal penetration tests per year. We also use automated vulnerability testing of the application prior to each release.
Encryption
All in-transit data between endpoint sensors and the Cyberhaven backend is encrypted via the latest version of TLS. All in-transit data in between containers of the Cyberhaven backend is encrypted via TLS and isolated from external traffic via Google Cloud’s VPN. We score an “A+” rating on Qualys SSL Labs‘ tests.
All data derived from customer SaaS deployments of Cyberhaven is stored in Google Cloud, which employs industry-leading data at rest encryption.
Key management is done using proven industry standards and leveraging the Google Key Management infrastructure.
Incident Response
Employees are trained on security incident response processes, including communication channels and escalation paths. In case of a security incident, all Cyberhaven engineers and service reliability engineers have direct access to the CISO of Cyberhaven in order to escalate the security incident to the top level. Incident response for Cyberhaven containers is ensured through a container security platform that allows Cyberhaven to enforce incident response security, to take action, kill pods, and thwart attacks.
Monitoring
Cyberhaven has numerous audit and performance logging put in place. These logs also produce alerts for the SRE team when we detect performance or security-related anomalies. Cyberhaven also leverages a 24/7 MDR service to ensure constant monitoring and investigation of anomalies.
Application Security
Secure Code Development (SDLC)
Accessing the Cyberhaven source code repository requires a valid Cyberhaven account, a strong password, and two-factor authentication. All code deployed in production is peer-reviewed and security-audited by at least one other Cyberhaven engineer. The software packages for endpoint sensors are code-signed only by Cyberhaven engineers using hardware and software mechanisms provided by Microsoft and Apple respectively.
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors and Cyberhaven security controls.
Quality Assurance
Dedicated application security engineers identify, test, and triage security vulnerabilities in the Cyberhaven source code.
Authentication & RBAC
Cyberhaven currently supports authentication to the Cyberhaven dashboard via Google SSO (based on OAuth2.0), password-based authentication with mandatory 2FA, and SAML 2.0. We implement best practices with respect to user password and session control, including password complexity checks, two factor authentication, password and session expiration, and password reuse checks.
Cyberhaven currently implements a basic RBAC scheme containing regular users and administrators of the dashboard.
Endpoint Management
Access to customer environments is only granted on a need basis. Such endpoints are protected with state of the art security management, anti-malware, and monitoring tools. All Cyberhaven endpoints are hardened and patched with centrally managed MDM profiles.
HR Security
Training
Cyberhaven requires developers to undergo security development training annually. All employees undergo annual security awareness training as well as continuous phishing simulations that include microtraining opportunities.
Confidentiality
All employee contracts include a confidentiality agreement.