LinkedIn

Twitter

GitHub

Security and Trust

Protecting your data with the industry’s highest standards.

security_and_trust_hero

Sisense security and trust center

Everything begins with trust

begins_with_trust_visual

Trust is the cornerstone of any successful partnership, which is why we provide every customer with a reliable and secure platform for our products and services to empower analytics. And since we believe trust also requires transparency, the security and trust center gives you an overview of how we protect your data, ensure compliance, and adhere to industry standard best practices.

Privacy & data protection

responsible_disclosure

We are deeply committed to protecting your privacy and the privacy of your customers. We encourage you to review our privacy and data protection center to learn more about how we enable our customers to comply with regulatory requirements such as GDPR, CCPA, and HIPAA.

Security staff and management
Sisense employs certified Information Security professionals who have the responsibility for developing and driving Sisense’s security program. The program encompasses both physical and logical security of the Sisense application and infrastructure, as well as Sisense’s internal and external IT systems, vendors, and suppliers. In addition, Sisense’s security program includes policies and procedures regarding compliance with SOC 2, HIPAA and ISO 27001 frameworks.
People security
Sisense performs background checks on its employees in accordance with applicable law and employees sign confidentiality agreements and receive on-boarding training on relevant security topics. 
Security policies / processes
Sisense maintains a suite of security related policies and procedures including an Acceptable Use Policy, a Data Retention Policy and a Business Continuity and Disaster Recovery Plan, among others. Updates to Sisense’s security policies and procedures are performed on at least a yearly basis. A full list of Sisense’s security related policies is available upon request. 
Security incident response
Sisense maintains a Security Incident Response Plan, which details the procedures to be followed in the event of a confirmed or reasonably suspected incident of unauthorized access to, or use of, Sisense’s or Sisense’s Customer’s Data. Our incident response process is tested at least annually.
Application security
Sisense has established guidelines and processes with the goal of architecting, developing and maintaining the Sisense platform and applications free from security vulnerabilities. Security is built into our Software Development Lifecycle process. Regular internal and third-party assessments are conducted utilizing source code analysis tools, and we are constantly on the lookout for new and emerging threats and vulnerabilities that could impact the Sisense application. Discovered applicable vulnerabilities are addressed in a timely manner. 
Physical security
Sisense has physical security measures in place to control physical access to office facilities, paper records and corporate IT systems. In addition, Sisense’s data centers that store or process Customer Data are SOC 2 compliant and include the following controls:
<ul>
<li>Badge access</li>
<li>Biometrics</li>
<li>Man-traps</li>
<li>CCTV</li>
<li>24&#215;7 security</li>
<li>Environmental controls</li>
</ul>
Network and host security
Sisense deploys network intrusion detection capabilities, firewalls and commercial grade malware protection. The operating systems and applications associated with Sisense Customer Data and Sisense’s own sensitive data go through a hardening process and are patched within a commercially reasonable time period after Sisense has knowledge of any security vulnerabilities or vendor patch releases.

Security

Sisense undergoes a variety of internal and third-party audits to validate our compliance with the following security frameworks. Upon completion of each audit, a written report of the findings and recommendations is created and maintained in a secure central repository. Sisense will promptly address any non-compliance, deficiency or other finding that is discovered during the course of an audit. 
 
ISO 27001
Sisense undergoes an ISO 27001 audit which certifies our information security management program against the requirements and expectations set forth by ISO standards. Our ISO 27001 certificate is available upon request and following the requester’s execution of a non-disclosure agreement.
HIPAA
Sisense maintains readiness associated with the Health Insurance Portability and Accountability Act (HIPAA) and maintains an independent HIPAA opinion and certificate from an independent third-party audit firm. The current opinion is available to certain parties (including customers and prospective customers) upon their request and following their execution of a non-disclosure agreement.
SOC 2
Sisense maintains an SSAE SOC 2 opinion from an independent third-party audit firm. The current opinion is available to certain parties (including customers and prospective customers) upon their request and following their execution of a non-disclosure agreement.
ISAE 3402
Sisense is in the process of obtaining an International Standard on Assurance Engagements (ISAE) 3402 opinion from an independent third-party audit firm. Once complete, the opinion will be available to certain parties (including customers and prospective customers) upon their request and following their execution of a non-disclosure agreement.

Audit and compliance

Education / awareness
Sisense requires that all employees have undergone periodic security training in the previous twelve (12) months. Such security training includes, but is not limited to, training on topics such as acceptable use, social engineering, personnel security, data protection, privacy and incident reporting. Sisense’s application developers and engineers are provided with additional application development related security training which includes the top ten security risks outlined by the Open Web Application Security Project (OWASP Top 10). In addition to formal security training, employees are informed of Sisense’s security policies and procedures during new hire orientation, and throughout the year via email reminders.
Access control
All Sisense employees are required to have valid user IDs and passwords to access the Sisense corporate network, as well as Sisense internal and SaaS based applications regardless of whether they are accessing the network or applications from Sisense offices or remotely via a Virtual Private Network (VPN) with multi-factor authentication.
Email
We mitigate the impact of spyware, adware and other phishing and security attacks by:
<ul>
<li>Inspecting web-based email traffic for indicators of suspicious activity;</li>
<li>Installing, configuring and maintaining anti-spyware / malware software;</li>
<li>Identifying and blocking email phishing attacks for corporate email;</li>
<li>Testing our employees ability to identify and take appropriate action on phishing emails; and</li>
<li>Providing relevant training and periodic advisories to workers related to email threats.</li>
</ul>

Education / awareness / access control & email

Sisense conducts regular internal risk assessments and penetration tests and also engages independent third parties to conduct risk assessments and penetration tests on data applications, systems and infrastructure associated with accessing, processing, storage, and/or transmission of data that is uploaded, loaded, created or generated by Sisense customers within the Sisense application (all such data, “Customer Data”). Summary reports of the results of such penetration tests are available to certain parties (including customers and prospective customers) upon their request and following their execution of a non-disclosure agreement. 
In addition, Sisense has partnered with HackerOne for our bug bounty program. External anonymous reports regarding bugs in Sisense’s website and/or the Sisense platform may be submitted to: <a href="mailto:responsible.disclosure@sisense.com.">responsible.disclosure@sisense.com.</a>

Risk assessment and penetration testing

Data recovery
Sisense has the ability to recover data in the event of a disaster or for business continuity purposes. Sisense maintains a data recovery process covering back-up and restoration procedures for Sisense Customer Data. For managed services customers, our SLAs include both a Restore Point Objective (RPO) of 24 hours and Restore Time Objective (RTO) of no more than 1 hour.
Backups
Sisense adheres to and maintains measures to secure backup data. This includes:
<ul>
<li>Storing back-ups in a secure location</li>
<li>Maintaining strict control over the internal or external distribution and sharing of any back-ups containing Sisense Customer Data</li>
<li>Transmission and storage of data via secured protocols</li>
</ul>
Data loss prevention
Sisense has implemented a variety of processes and technologies to identify and manage both overt (purposeful) and inadvertent data loss events across key Sisense internal business applications, such as corporate email and collaboration tools.
Data disposal and hardware sanitization
Sisense performs sanitization of media containing sensitive Sisense internal or Customer Data. Data is disposed of using one of the following methods:
<ul>
<li>Overwriting &#8211; A software process that replaces the data previously stored on magnetic storage media with a predetermined set of meaningless data, rendering the data unrecoverable.</li>
<li>Degaussing &#8211; Exposing the media to strong magnetic fields to destroy its contents. This method eliminates any data still on the media.</li>
<li>Physical destruction &#8211; This includes shredding or any other method of physical destruction. Physical destruction is accomplished in a manner that precludes further use of the media.</li>

Business continuity and disaster recovery 

Sisense has developed and implemented a process for evaluating third-party vendors, partners and suppliers prior to engaging in a business relationship with them and regularly thereafter.

Vendor / supplier management

Sisense utilizes a variety of monitoring services to monitor system activity within the Sisense platform and Sisense internal corporate systems. When there is a system wide impact to the availability of the Sisense application, we communicate this to our customers by posting to our publicly available status page, <a href="https://status.sisense.com">https://status.sisense.com.</a>

System and application monitoring

Encryption and key management
Sisense protects Customer Data through a combination of access controls and encryption. 
Encryption is used if:
<ul>
<li>Customer Data is transmitted over public networks; </li>
<li>The use of encryption is mandated by law or regulation; or </li>
<li>Sisense determines that encryption is necessary to protect Customer Data.</li>
</ul>
When data is transmitted over public networks or over private or public wireless networks, cryptography and industry standard encryption techniques such as TLS 1.2+ are used.
When encryption at rest is mandated by law or regulation, or Sisense determines that encryption is necessary, Customer Data is rendered unreadable anywhere it is stored (at rest), by using industry standard encryption techniques, such as AES 256.
Change management
Changes to information resources are managed and executed according to a defined ticket and change management process. This process helps us review, authorize, test, document, implement and release in-scope proposed changes in a controlled manner; and monitor the status of each proposed change.
Privacy
Sisense is committed to complying with data protection laws that apply to our business and operations. As a result, we have implemented numerous technical and administrative controls for the protection and security of Customer Data. Please read more about the protection we apply to Customer Data at our <a href="https://www.sisense.com/platform/privacy-and-data-protection-center/">Privacy and Data Protection Center</a>.

Management & privacy

At Sisense, we frequently use the term “Shared Responsibility” as a model to describe the controls Sisense has in place to address security and the controls we provide to our customers to allow them to further secure their environment. Selected controls are listed below. For information on the full range of available security controls please see: https://docs.sisense.com/main/SisenseLinux/security-at-sisense.htm. 
Password and sign-in controls
Sisense offers a variety of configuration options related to how users login and interact with your Sisense tenant. Some of the controls have minimum default values set by Sisense, however we provide customers the ability to increase security according to their security policies, compliance requirements or general risk appetite. For more information on user entity controls for security, please refer to: <a href="https://docs.sisense.com/main/SisenseLinux/general-settings.htm">https://docs.sisense.com/main/SisenseLinux/general-settings.htm</a>
Data security
Sisense provides a variety of options to address data security within your implementation of Sisense. For more information on data security please visit: <a href="https://documentation.sisense.com/latest/administration/sisense-security/securing-data/data-security.htm">https://documentation.sisense.com/latest/administration/sisense-security/securing-data/data-security.htm</a>
Logging/reporting
Sisense provides several options to visualize logs from within the Sisense environment. For more information regarding product logging, please visit the following product document: <a href="https://docs.sisense.com/main/SisenseLinux/audit-logs.htm">https://docs.sisense.com/main/SisenseLinux/audit-logs.htm</a>
Single sign-on (SSO)
Sisense supports Security Assertion Markup Language 2.0 (SAML 2.0) for customers who have an existing SSO provider and would like to centrally control how users authenticate to their Sisense tenant. If you choose SSO for authentication, Sisense will direct users to your SSO provider and will not challenge users with Sisense credentials. We recommend that for customers who enable SSO, they enable Multi-Factor Authentication as part of their SSO deployment. For more information on SSO, please visit: <a href="https://documentation.sisense.com/docs/using-single-sign-on-to-access-sisense">https://documentation.sisense.com/docs/using-single-sign-on-to-access-sisense</a>

Product security options

Sisense has developed a cloud security policy which conforms to sound prudent practices as dictated by various institutional knowledge frameworks to include: Amazon Web Services (AWS), Center for Internet Security (CIS) and National Institute of Standards (NIST). Our cloud security policy is reviewed regularly, and incorporated as code to ensure we obtain a consistent approach to the security of the environments in which Sisense is deployed. The policy includes but is not limited to:
Identity and access management (IAM): Establishing strong IAM policies that control how and who can access our AWS resources, and what they can do with those resources.
Data protection: Ensuring sensitive data is properly encrypted both at rest and in transit, and that data access policies are in place to restrict access to authorized personnel.
Network security: Defining security groups and network access control lists (ACLs) to control network traffic within and between AWS environments, and implementing intrusion detection to identify and respond to potential security threats.
Compliance: Understanding and adhering to regulatory requirements and industry best practices for security, such as HIPAA, GDPR, SOC2 and ISO27001.
Disaster recovery: Implementing backup and recovery policies to ensure that critical data and systems can be restored in the event of a disaster or other disruption.
Logging and monitoring: Collecting and analyzing logs and other data to identify and respond to security indicators of compromise, and implementing automated alerting and notifications systems to enable our security teams to respond to security incidents.
Automation and standardization: Automating security processes wherever possible to ensure consistency and reduce the risk of human error. Standardization ensures that security policies and practices are consistently applied across all AWS environments
Penetration testing and vulnerability scanning: Sisense conducts both internal and external regular penetration testing and vulnerability scanning using commercial cloud security posture management (CSPM) services and other third party and AWS native tools to identify potential security vulnerabilities and the results are analyzed, prioritized and action taken to remediate.
Infrastructure as code scanning: Sisense performs scanning of Terraform and other automation scripts, which enables the security and DevOps teams to correlate production risks back to the IaC template that was originally used to create the production instance in order to assign new issues directly to the proper development or DevOps team