Security and Compliance

Cloud Security

LogDNA’s security, confidentiality, and availability architecture is built on top of ISO 27001:2013 controls, SOC 2 Focus Points, PCI DSS, and HIPAA frameworks, enabling best-practice protection controls implemented according to industry standards.

Physical Security and Data hosting

LogDNA uses Amazon Web Services (AWS) Data Centers which are located in the United States of America. For IBM Customers, there are data centers located across multiple regions.

Dedicated Security Team

LogDNA’s Security Team is actively monitoring and on-call to respond to security alerts and/or events.

Logical Access

LogDNA’s Production Environment uses a role-based access control (RBAC) security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources. Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users’ authorized roles in access control lists. These measures are actively monitored and audited against the industry standard frameworks. Access reviews are performed quarterly to ensure all access is appropriate.

Backups

LogDNA does not store customer log data for more than 30 days. For longer retention, we provide an archiving service that automatically exports older logs to the customer’s preferred cloud storage service. LogDNA offers 7-, 14-, and 30-day searchable log data plans, and our systems are configured to automatically and securely purge the logs after 30 days.

Disaster Recovery

Non-log Production data are replicated among discrete operating environments to protect the availability of LogDNA’s service in the event of catastrophic events. LogDNA performs restoration testing annually to ensure the completeness and accuracy of backup data. The available LogDNA data archiving service mitigates the loss of customer logs in the event of catastrophic events.

Intrusion Detection and Prevention

LogDNA utilizes intrusion detection and prevention systems to detect and/or prevent intrusions into the environment. Active monitoring, alerts, and tools are in place to ensure action is taken by the appropriate on-duty teams if any intrusion and/or security events exceed predetermined thresholds. 

Pentests & Vulnerability Scanning

LogDNA utilizes third-party security scanning tools to perform continuous vulnerability scans. Our dedicated security team reviews and responds to the security vulnerabilities in a timely manner. Annually, we engage independent third-party security experts to perform detailed penetration tests on the LogDNA application and network.

Security Incident Response

LogDNA has established policies and procedures for responding to potential security incidents. All incidents are managed by LogDNA’s dedicated Incident Response Team. LogDNA defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

Encryption

LogDNA transmits data over public networks using strong encryption. This includes data transmitted between LogDNA clients and the LogDNA service. LogDNA supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS protocols, encryption, and hashing algorithms, as supported by the clients. Encryption also applies to all types of data at rest within LogDNA’s systems.

Secure by Design - Application Security

LogDNA’s products and capabilities have been designed to be foundationally secure.

Software Development Life Cycle (SDLC)

LogDNA assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, LogDNA undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis leverages the OWASP Top 10. Based on this analysis, LogDNA creates a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. Annually, engineers are required to participate in secure code training covering the OWASP Top 10 security risks, common attack vectors, and security controls.

Framework Security Controls

LogDNA leverages modern and secure frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), Buffer Overflows, Broken Authentication/Session, and Cross Site Request Forgery (CSRF), among others.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Production Data is used in our development or test environments.

Organizational Security

LogDNA has established a security program dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our security program is aligned with the SOC 2, ISO 27001:2013, HIPAA and PCI standards and is regularly audited and assessed by third parties.

Onboarding and Training

All employees complete the latest available Security and Awareness training modules during onboarding and annually thereafter.

Personnel Security

LogDNA’s personnel practices apply to all members of the LogDNA workforce. All workers are required to understand and follow internal policies and standards. Upon termination of work at LogDNA, all access to LogDNA systems is removed immediately.

Policies and Procedures

LogDNA maintains a set of policies, standards, procedures, and guidelines (“security documents”) that provide the LogDNA workforce with the “rules of the road” for operating. Our security documents help ensure that LogDNA customers can rely on our workers to behave ethically and on our service to operate securely. These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.

Employee Screening

LogDNA performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. 

Confidentiality

All employee contracts include a confidentiality agreement.

Compliance

HIPAA

The Health Insurance Portability and Accountability Act of 1996 Title II (HIPAA) addresses safeguards to secure electronic protected health information (ePHI), including log management and audit requirements. LogDNA’s systems and processes are fully compliant with HIPAA, and we are audited for HIPAA and HITECH compliance every year by a third-party qualified security assessor. For customers on our HIPAA-compliant logging plan, LogDNA will sign a Business Associate Agreement (BAA) and take on the associated legal liability of handling your sensitive data.

HIPAA requires a minimum of 6 years of retention of audit log data. To ensure compliance, LogDNA provides a secure and convenient archiving service for logs older than the retention period of your LogDNA plan.
Please contact your account manager or outreach@logdna.com to request LogDNA’s most recent report.

GDPR

LogDNA is committed to ensuring the highest level of privacy protection. As a General Data Protection Regulation (GDPR) compliant organization, LogDNA has standardized user data privacy across the EU nations, regardless of where the organizations themselves are located.

Learn more about LogDNA's approach to GDPR.

SOC 2 Type 2

The SOC 2 Report demonstrates LogDNA’s commitment to meeting the most rigorous security, availability, and confidentiality standards in the industry. It verifies that LogDNA’s security controls are in accordance with the AICPA Trust Services Principles and Criteria.
Please contact your account manager or outreach@logdna.com to request LogDNA’s most recent report.

PCI-DSS

LogDNA has been audited by an independent PCI-DSS Qualified Security Assessor (QSA) and is certified as a PCI-DSS Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.
Please contact your account manager or outreach@logdna.com to request LogDNA’s most recent report.

EU-US Privacy Shield

To comply with EU data protection requirements, LogDNA is Privacy Shield certified. This enacts protections for the personal data of EU individuals when it is transferred to the United States.

Learn more about LogDNA's approach to Privacy Shield.

CCPA

LogDNA complies with the California Consumer Privacy Act (CCPA) and supports our customers’ compliance with the CCPA. As a provider of enterprise log management tools, LogDNA is primarily a service provider under the CCPA. You can read more about LogDNA’s commitment to compliance in our Privacy Policy.

Learn more about LogDNA's approach to CCPA.

Security Concern?

If you think you may have found a security vulnerability, please get in touch with our security team at security@logdna.com.