SonarSource Security Technical and Organizational Measures

Last updated January 29, 2026

SonarSource implements and maintains appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against security incidents. This Security Technical and Organizational Measures document describes those measures.

Customer Responsibilities

Customer is responsible for configuring the Products and using the features and functionalities made available by SonarSource to maintain appropriate security and continuity in light of the nature of Customer Data. For Customer’s own environments and systems, Customer is responsible for the design, development, implementation, and management of its own business continuity plans, including making use of the back-ups provided by SonarSource.

Access Control

SonarSource:

  • Restricts access to Customer Data to those employees or contractors who have a defined need to know or a role requiring such access.
  • Requires multi-factor authentication, or equivalent controls, for internal or remote access to the SonarSource network and production systems.
  • Maintains user access controls that address the timely provisioning and de-provisioning of SonarSource employee and contractor internal user accounts.

Personnel Security

SonarSource:

  • Performs appropriate educational and criminal background checks on its employees and contingent workers, as applicable under the relevant local laws and regulations.
  • Ensures that all of SonarSource’s employees and contingent workers receive security awareness and data protection training appropriate for their role upon hire, and refresher training at least annually thereafter.

Audit

SonarSource:

  • Maintains ISO 27001:2022 certification, ISO 27018:2019 certification, and/or AICPA SOC 2 attestation.
  • Participates in Customer assurance programs, including completion of Customer’s security questionnaires annually or upon contract renewal(s), where the information provided in SonarSource’s security certification and attestation reports is insufficient.

Business Continuity

SonarSource:

  • Maintains business continuity, backup and disaster recovery plans (“BC/DR Plans”) in order to minimize the loss of service and to comply with Applicable Data Protection Law. The BC/DR Plans address threats to the Products and any dependencies, and have an established procedure for resuming access to, and use of, the Products.
  • Tests the BC/DR Plans at regular intervals.
  • Retains a minimum of 30 days of back-ups for all Customer Product instances, to which only the Customer has access.
  • Uses a high-availability configuration for all customer instances hosted in the AWS Frankfurt region (EU Hosting) and the AWS Northern Virginia region (US Hosting).

Change Control

SonarSource:

  • Maintains internal policies and procedures for applying changes to the Products, including the underlying infrastructure and system components, to ensure quality standards are being met.
  • Undergoes a penetration test of its network, Products and Support offerings on an annual basis. Any vulnerabilities found during this testing are assessed on the basis of Sonar’s Risk Management Framework and remediated in accordance with SonarSource’s Vulnerability Management Policies and Procedures.
  • Performs regular scans of its network. Any vulnerabilities found are assessed on the basis of Sonar’s Risk Management Framework and addressed in accordance with SonarSource’s Vulnerability Management Policies and Procedures.
  • Applies security patches in accordance with industry best practices.

Data Classification and Security

SonarSource:

  • Maintains and enforces formal data classification and handling requirements for all customer, internal, and public-facing data.
  • Maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Data, including state-of-the-art endpoint device protections, anti-malware, IDS/IPS, data loss/leakage prevention (DLP), and network and host-based firewalls.
  • Logically segregates Customer Data in the production environment.

Logging and Monitoring

SonarSource:

  • Logs and correlates all material events from its internal and production environments through SIEM technology, with 24x7x365 security alert and monitoring from its Service Operations Center.
  • Logically segregates all Customer instances and production logs and events.

Vulnerability Management

SonarSource:

  • Regularly scans internal and production environments for vulnerabilities and remediates findings in a timely manner.
© 2025 SonarSource Sàrl. All rights reserved.