Densify takes security very seriously. Hundreds of organizations in many businesses such as banking and finance, entertainment, retail, manufacturing, and other verticals that rely heavily on their cloud have adopted Densify, knowing that we deliver a secure platform and maintain customer data security and integrity with zero past vulnerability issues.
Read on to learn more about Densify security:
If you have more questions about our security, please contact us.
Densify’s production environment and all data is hosted or stored within the US or EU regions of IBM Cloud (SoftLayer), based on customer geographical preference. All virtual and physical servers are physically housed in IBM Cloud’s secure data centers. Data present in Densify backups is also stored in IBM Cloud data centers based on customer geographical preference.
IBM is recognized for the security of their data centers and services. Further information on IBM data center security is available at https://www.ibm.com/cloud/security.
Densify regularly receives and reviews its cloud provider’s (IBM’s) ISO, PCI-DSS, SOC1 and SOC2 reports under NDA. Densify’s cloud providers are also compliant with Privacy Shield.
Further information and compliance reports are available directly from IBM Cloud at https://www.ibm.com/cloud/compliance.
Densify performs regular automated scans of servers in the production environment. All changes are peer reviewed and vulnerability and security lists are actively monitored for CVE and other vulnerability disclosures with appropriate actions taken. A third-party penetration test is commissioned, with all findings mitigated as appropriate. As a general policy, issues that come to our attention through penetration tests, or other means, are fixed with the highest priority.
Separate and distinct production, staging, and development environments are maintained, and production data is not replicated outside of the production environments.
Customer data is never replicated onto employee workstations or mobile devices.
Densify uses third-party providers for DDoS protection and 24x7 monitoring of firewall activity in addition to the tools used by the Densify operations team. This includes an IDS for the production SaaS environment with real time monitoring and alerting on abnormal behavior. Alerts are monitored 24x7 by a third-party provider.
All Densify servers which are part of the production Densify environment run current, and active anti-virus software with real-time monitoring and are updated at least daily.
When users log into their Densify instance using their email address and password, Densify requires a minimum password compliance.
Passwords are stored using AES-128 password encryption; and will never be sent via email—upon account creation and password reset. When required, Densify will send a link to the email associated with the account that will enable the user to create a new password.
Password complexity, and other settings can be customized by the customer, but only when they increase overall password security.
All customer data is considered highly sensitive and protected as such. Only authorized, vetted, and trained members of the Densify operations team have direct access to the systems containing user data. Those who do have direct access to these systems are only permitted to view them in aggregate for operations activities, or in detail for troubleshooting purposes. All operations team members undergo background checks outlined in the vetting section of this document, and are approved by management.
Application data is only viewed by Densify Advisors for delivery of the service, and by Operations or other Densify employees for troubleshooting purposes when consent has expressly been provided.
A list is maintained of members of the Densify team with access to the production environment.
Customer data in very limited cases is shared only with third-party service providers acting as our agent (a user's email address for an email delivery provider, for example) and in strict compliance with signed service agreements.
Customer data is never replicated outside of the production environment and is never replicated onto employee workstations. Because of this, Densify relies on IBM Cloud for physical security compliance. The virtual and physical servers are located in IBM Cloud’s secure data centers. Production critical data is never stored on physical media outside of the cloud provider's production environments.
Further information on the security of IBM Cloud data centers is available directly from IBM Cloud at https://www.ibm.com/cloud-computing/bluemix/trust-security-privacy.
Strict firewall rules control access to the necessary ports for the usage of the service (e.g., 443) and to ensure limited access to the production environment, to our VPN network, and authorized systems. The corporate network has no additional access to the production environment.
Customer data is never stored on employee workstations or removable media. Employee devices are required to time out and lock after a maximum of ten minutes of inactivity.
Densify uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, Densify Connector, and the Densify servers. The Densify Connector is also able to support a variety of customer proxy configurations for sending data to Densify servers. All customer connections are made securely over HTTPS.
Densify takes the need for security seriously, and understand the importance of being able to encrypt data to keep it safe, with provider managed data encrypted by default at no additional cost and no impact on performance. Data drives on database servers holding customer data use full disk, industry-standard AES encryption.
Production customer data is never replicated outside of the production cloud environments and is never stored on employee workstations or removable media. On termination of a Densify Enterprise contract, or at the request of the customer, the data belonging to the customer is completely removed from the live production database within 30 days. The customer Densify database backups is also be destroyed in accordance with this policy.
All changes to the production system require review prior to deployment to the production environment. Hundreds of automated unit tests are run against all production code prior to deployment, as well as regularly conducted automated vulnerability scans and commissioned penetration tests. All changes are tested in a staging environment prior to deployment to production.
Patches to the Densify application are deployed on a rolling basis, usually once a month. Production servers are managed via a centralized configuration system. All system changes are peer reviewed and patches are deployed as relevant to their level of security and stability impact, with critical patches able to be deployed well within 24 hours of availability as appropriate.
Densify restricts access and maintains separate lists of relevant roles with access to source code, development, staging, and production environments. These lists are reviewed quarterly and on role change. We use source code management tools and repositories.
All production servers are running a LTS (Long Term Support) distribution of their operating system to ensure timely updates are available. CVE lists and notifications are actively monitored, and any systems can be patched in a timeline relevant to the severity of the issue. A centralized configuration system is used for the management of production servers, and when needed a patch can be deployed within 24 hours of its availability.
A full list of the open-source libraries used in Densify is available upon request by contacting Densify.
Upon account creation, Densify users are asked for a full name and email. Densify does not collect any other personal identifying information. Densify does not collect any customer data residing within a system being analyzed. All information used by Densify Analytics is System Configuration, Utilization (performance metrics), or Billing data, as enabled by the customer.
Raw data collected by Densify for use in each customer’s instance, is stored in a separate and secured database on a per customer basis.
Admins for an Enterprise account is set via customer account manager. Admin and other account roles can be assigned within Densify itself.
Data stored in Densify is backed up regularly. All backups are encrypted and stored at offsite locations to ensure that they are available in the unlikely event that a restore is necessary. All backups are immediately encrypted with 256-bit AES encryption. Encrypted backups can only be decrypted by members of the Densify operations team who have received training and have been authorized to decrypt the backups.
A backup of the customer’s Densify’s primary database is taken once every 24 hours. This ensures all data collected in previous collection windows can be restored without reloading of data.
Only authorized members of the Densify operations team have access to the backup locations, so they are able to monitor the performance of the backup processes, and in the very unlikely event that a restore becomes necessary.
Densify utilizes a centrally managed anti-virus solution for authorized and trained members of the operations team with access to the production systems. All workstations accessing the production environment must be running current and active anti-virus software with real-time monitoring and at-least-daily updates.
From time to time, as required, Densify’s employees work remotely. Customer data is never replicated outside of the production environment. Strict firewall rules are in place limiting access to the production environment to our VPN network and authorized systems.
The corporate network has no additional access to the production environment. Authorized and trained members of Densify's operations team who have undergone the vetting process, are the only ones able to access Densify SaaS environments.
Security awareness and customer data access policies are covered during employee onboarding as appropriate to the role and employees are updated as relevant policies or practices change. Employees also sign a Confidential Information and Inventions Agreement. Security Awareness training is mandatory for all Densify employees, and must be completed annually.
All Densify employees undergo an extensive interview process before hiring. Employees with direct access to the production environment undergo a series of checks including criminal background, academic, and credit. Other employees may undergo a check depending on their role. NDAs are in place with third parties as appropriate.
When planned maintenance on Densify services is necessary, the Densify Operations team will perform the work during a scheduled maintenance window. We will make reasonable efforts to announce at least 5 days prior to the event.
These windows have been selected with the goal of minimizing service downtime, slowness, or other impact to the people and businesses that rely on Densify. Additionally, due to the nature of Densify’s overnight collection and analytics processes, maintenance windows are scheduled between 9 p.m. and midnight local customer time.
We do our best to make outages as short as possible. Additionally, our maintenance schedule is evaluated frequently to ensure that we keep user impact as low as possible.
From time to time, due to unforeseen events, we may have to perform emergency maintenance on Densify infrastructure or software components. This maintenance might cause some or all of the Densify services to be inaccessible by our users for a period of time. It is our goal to do this as infrequently as possible. Any emergency maintenance will be announced by email to the identified customer contacts with as much advance notice as reasonably possible. As with planned maintenance, we do our best to minimize disruption caused by service outages.