Security Policy
Every day, thousands of people upload, enrich, and download data with Salmon. Your data is valuable, and we strive to ensure that your privacy and data are never compromised. Here are some of the measures we have in place. Contact us for custom enterprise security options.
Compliance
ISO 27001
ISO 27001 is the globally accepted standard for assessing the life cycle of an organization’s security practices. It is a rigorous assessment of risk, compliance, and governance that verifies that an organization has a mature, well-managed approach to information security. Salmon has not yet achieved ISO 27001 compliance but is in the process of doing so.
SOC 2
SOC 2 is a globally recognized auditing standard for service organizations that demonstrates adequate controls and processes. Salmon is in the process of completing the SOC 2 Type 1 audit and the SOC 2 Type 2 audit. Salmon’s SOC 2 report will cover the trust services criteria for security and availability. A copy of the most recent audit report will be available to Enterprise customers upon request.
GDPR
Salmon is committed to ensuring that all our customer and employee personal data are treated in a way that complies with the EU’s General Data Protection Regulation (GDPR).
CCPA
The California Consumer Privacy Act (“CCPA”) regulates how organizations handle the personal information of California residents and gives them certain rights with respect to their personal information. Salmon is committed to being compliant with the CCPA. As a provider of data tools, Salmon is primarily a service provider under the CCPA.
Privacy Shield
As of July 16, 2020, we no longer rely on the Privacy Shield as a transfer mechanism for data transfers given the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield are no longer valid as a result of the CJEU ruling in Schrems II. However, to the extent Salmon has ongoing obligations under our existing Privacy Shield Certification, we will continue to honor them. Our Privacy Shield certification is available here.
Data Security
All of Salmon's services are hosted in Amazon Web Services (AWS) facilities in the United States. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.
You can find more information about AWS security practices on their cloud security page.
Data classification
Salmon classifies the data they own, use, create, and maintain into the following categories:
- Confidential - Customer and personal data
- Internal - Salmon-internal operational data that should not be disclosed
- Public - For example, the marketing material and content on this website
Encryption at rest
Salmon uses the AWS-managed data stores Aurora, DynamoDB, ElastiCache, and S3 to store customer data, including backups. All these AWS services have been configured to use encryption at rest using AES with 256-bit keys.
Secrets and encryption key management
Salmon uses AWS Parameter Store for securely storing and managing secrets that are used by services. Salmon uses AWS Key Management Service (KMS) to encrypt and decrypt these secrets as well as to manage all encryption keys in use by Salmon services. Access to secrets and encryption keys is restricted to the services that need them on a least-privilege basis and is managed by the Salmon infrastructure team.
Separation of environments
Salmon fully separates and isolates their production, staging, and development networks and environments.
Product security
Secure development
Salmon practices continuous delivery. We have processes and automation in place that allow us to safely and reliably roll out changes to our cloud infrastructure and web-based applications in a rapid fashion. We deploy new changes to production dozens of times a day.
All code changes are requested through pull requests and are subjected to code reviews and approval prior to being merged to the master and production branches.
Salmon uses GitHub Enterprise and Dependabot to automatically create pull requests to update outdated dependencies.
Salmon uses static source code analysis tools like Code Climate to analyze any source code changes in order to identify any potential code quality issues or security weaknesses.
Salmon uses Sentry to track errors in the web and desktop applications.
Salmon uses SIEM technology for continuous monitoring of, and visibility into, our network and applications.
Salmon's security team works closely with the engineering teams to resolve any potential security concerns that may arise during design or development.
External security testing
In addition to our internal security scanning and testing program, Salmon employs third-party firms to conduct extensive penetration tests of all application and cloud infrastructure on a regular basis. Findings from these penetration tests are prioritized, triaged, and remediated by the Salmon security team.
Bug bounty program
Salmon operates a private security bug bounty program that allows security researchers around the world to continuously test the security of Salmon's applications and services. Security researchers who identify valid issues are paid via the program. If you would like to be invited into our bug bounty program, please report a security vulnerability by following our vulnerability disclosure guidelines as outlined below. Based on that report we will consider inviting you into our program, at our discretion.
Infrastructure and network security
Transport security
Salmon requires the use of TLS to secure the transport of data, both on the internal network between services and on the public network between the Salmon applications and the Salmon cloud infrastructure. Salmon's TLS configuration requires at least TLS version 1.2 and the use of strong cipher suites, which support important security features such as forward secrecy. To defend against downgrade attacks, Salmon has implemented HTTP Strict Transport Security (HSTS) and has all of its production domain names included on the HSTS Preload List.
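Inclusion on the HSTS Preload List is only accepted when the Strict-Transport-Security header meets the list's submission requirements (a max-age of at least one year, includeSubDomains, and the preload directive). The following checker is an added example written for this page, not Salmon's own tooling; the sample headers are constructed.

```python
"""Check a Strict-Transport-Security header against the HSTS preload-list requirements."""
import re

# Minimum max-age accepted by the HSTS preload list (hstspreload.org): one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse an HSTS header into a dict of lower-cased directive -> value (None for bare flags)."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if value else None
        # RFC 6797 forbids repeating a directive; remember the first repeat so it can be reported.
        if name in directives:
            directives["_duplicate"] = name
        directives[name] = value
    return directives


def preload_problems(header_value):
    """Return the reasons the header would be rejected for preloading; an empty list means eligible."""
    d = parse_hsts(header_value)
    problems = []
    if "_duplicate" in d:
        problems.append(f"duplicate directive: {d['_duplicate']}")
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        problems.append("max-age missing or not a non-negative integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE} (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample headers: only the first satisfies the preload requirements.
SAMPLE_HEADERS = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=86400; includeSubDomains; preload",
    "no_subdomains": "max-age=31536000; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, preload_problems(value) or "eligible")
```

Run it against the headers your own origin returns to confirm the policy is actually being served with the values the preload list expects.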
External attack surface
Salmon only exposes public (web) applications and APIs to the public internet. All other services are only available on the internal network, and accessible by employees using a VPN or single sign-on proxy. The external attack surface is monitored for changes by a third-party service.
Network segmentation
Network segmentation is a foundational aspect of Salmon's cloud security strategy. Salmon achieves segmentation boundaries at various layers of their cloud infrastructure. Salmon uses a multi-account strategy within AWS to isolate production, development, and test environments, but also domains such as logging, security, and marketing. Within AWS, Salmon uses VPCs, security groups, network access control lists, and subnets to further isolate services.
Intrusion detection and prevention
Salmon maintains an extensive centralized logging environment in which network, host, and application logs are collected at a central location. Salmon has also enabled detailed audit trails with critical service providers like Google G Suite, GitHub, and AWS (CloudTrail). These logs and audit trails are analyzed by automated systems for security events, anomalous activity, and undesired behavior. These systems will generate events which are monitored around the clock by a security operations center (SOC).
Organizational security
Security training
All new hires are required to attend security awareness training as part of their on-boarding, and all employees are required to attend annual security awareness training. Salmon engineers are additionally required to attend an annual security training designed specifically for engineers.
Asset inventory
Salmon maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices.
Access to customer data
Access to Salmon customer data is provided on an explicit need-to-know basis and follows the principle of least privilege. Access to customer data is audited and monitored by the security team. Salmon support and customer employees are only granted access after explicit approval of the respective customer. All Salmon employees have signed a non-disclosure agreement.
Security incident management
The security team at Salmon aggregates logs and audit trails from various sources at a central location and uses tools to analyze, monitor, and flag anomalous or suspicious activity. Salmon's internal processes define how alerts are triaged, investigated, and, if needed, escalated. Both customers and non-customers are encouraged to disclose any potential security weaknesses or suspected incidents to Salmon Security. In case of a serious security incident, Salmon has the security expertise to investigate the incident and resolve it to closure. If needed, Salmon also has access to external subject matter experts.
Information security policies
Salmon maintains a number of information security policies that form the basis of our information security program. All Salmon employees are required to review these policies as part of their on-boarding. These security policies cover the following topics and are available to Enterprise customers upon request:
- Access control
- Change management
- Risk management
- Data classification and asset inventory management
- Incident response and management
- Network security
- Encryption and key management
- Human resources security
- Information transfer
- Secure development
- System monitoring and logging
- Vendor management
- Vulnerability management and malware protection
- Mobile device management and remote working
- Business continuity and disaster recovery
Operational security
Backups and disaster recovery
All Salmon customer data is stored redundantly at multiple AWS data centers (availability zones) to ensure availability. Salmon has well-tested backup and restoration procedures in place, which allow for quick recovery in the case of single data center failures and disasters. Customer data is continuously backed up and stored off-site. The restoration of backups is fully tested every 30 days to ensure that our processes and tools work as expected.
Endpoint security
Salmon exclusively uses Apple MacBook devices. These devices are all centrally managed through the internal mobile device management solution, which allows us to enforce security settings such as full disk encryption, network and application firewalls, automatic updates, screen time-outs, and anti-malware software. In case employee devices get stolen or lost, the data on these devices can be remotely wiped.
Risk management and assessment
Salmon performs a periodic risk analysis and assessment to ensure that our information security policies and practices meet our own requirements and applicable regulatory obligations.
Enterprise security
Salmon Enterprise includes all our general security measures, plus additional features and enhancements to provide even more customization and privacy.
Single sign-on (SSO)
Salmon supports single sign-on (SSO) for Enterprise customers. By using the customer’s existing identity management solution, Salmon provides an easy and secure way for companies to manage their team members’ access. Salmon supports identity providers like Google G Suite, Azure Active Directory, OneLogin, and Okta. Salmon also supports both SAML and OAuth-based OpenID Connect.
Role-based access control (RBAC)
Salmon supports role-based access control, which means that the access of team members within an organization is dictated by their role (viewer, collaborator, editor, or administrator). Administrators can assign team members specific roles or revoke access using the Salmon account dashboard.
Security vulnerability disclosure
If you would like to disclose a potential security vulnerability or have security concerns about a Salmon product, please reach out to security@salmonrun.ai. Please include a description of the security vulnerability, steps to reproduce, and the impact the vulnerability may have. You may encrypt your messages using our PGP public key.