JupiterOne Policies, Standards, and Procedures

Data Management Policy

2020.1

This policy outlines the requirements and controls/procedures JupiterOne has implemented to manage the end-to-end data lifecycle, from data creation/acquisition to retention and deletion.

Additionally, this policy outlines requirements and procedures to create and maintain retrievable exact copies of sensitive and/or critical customer/business data.

Data backup is an important part of the day-to-day operations of JupiterOne. To protect the confidentiality, integrity, and availability of customer data, both for JupiterOne and JupiterOne Customers, complete backups are done daily to assure that data remains available when it needed and in case of a disaster.

Policy Statements

JupiterOne policy requires that

(a) Data should be classified at time of creation or acquisition according to the JupiterOne data classification model, by labeling or tagging the data.

(b) Maintain an up-to-date inventory and data flow mappings of all critical data.

(c) All business data should be stored or replicated to a company-controlled repository, including data on end-user computing systems.

(d) Data must be backed up according to its level defined in JupiterOne data classification.

(e) Data backup must be validated for integrity.

(f) Data retention period must be defined and comply with any and all applicable regulatory and contractual requirements. More specifically:

(g) By default, all security documentation and audit trails are kept for a minimum of 3 years, unless otherwise specified by JupiterOne policy. Data retention exceptions may arise due to requirements for data classification, technical capabilities or limitations, specific regulations, or contractual agreements.

Controls and Procedures

Data Classification Model

JupiterOne defines the following four classifications of data: Critical, Confidential, Internal, and Public.

Critical

Critical data includes data that must be protected due to regulatory requirements, privacy, and/or security sensitivities.

Unauthorized disclosure of critical data may result in major disruption to business operations, significant cost, irreparable reputation damage, and/or legal prosecution to JupiterOne.

External disclosure of critical data is strictly prohibited without an approved process and agreement in place, and approval of the Security Officer.

Example Critical Data Types include:

Confidential

Confidential data represents proprietary company secrets and is of significant value to JupiterOne.

Unauthorized disclosure may result in disruption to business operations and loss in value.

Disclosure requires the signing of NDA and management approval.

Example Confidential Data Types include:

Internal

Internal data contains information used for internal operations.

Unauthorized disclosure may cause undesirable outcome to business operations.

Disclosure requires management approval. NDA is usually required but may be waived on a case-by-case basis.

Example Internal Data Types include:

Public

Public data is information intended for public consumption. Although non-confidential, the integrity and availability of public data should be protected.

Example Public Data Types include:

Data Handling Requirements Matrix

Requirements for data handling, such as the need for encryption and the duration of retention, are defined for each of the defined JupiterOne Data Classifications.

Data Labeling or Tagging Segregated Storage Endpoint Storage Encrypt At Rest Encrypt In Transit Encrypt In Use[^1] Controlled Access Monitoring Destruction at Disposal Retention Period Backup Recovery
Critical Required Required Prohibited Required Required Required Access is blocked to end users by default; Temporary access for privileged users only Required Required 7 years for audit trails; Varies for customer-owned data† Required
Confidential Required N/R Allowed Required Required Required All access is based on need-to-know Required Required 7 years for official documentation; Others vary based on business need Required
Internal Required N/R Allowed N/R N/R N/R All employees and contractors (read); Data owners and authorized individuals (write) N/R N/R Varies based on business need Optional
Public N/R N/R Allowed N/R N/R N/R Everyone (read); Data owners and authorized individuals (write) N/R N/R Varies based on business need Optional

N/R = Not Required

† customer-owned data is stored for as long as they remain as a JupiterOne customer, or as required by regulations such as HIPAA and GDPR, whichever is longer. Customer may request their data to be deleted at any time; unless retention is required by law.

[^1] S3 encryption requirements are: * Critical Data sources require us to manage our own Keys through AWS KMS (aka SSE-KMS). * All other data sources can utilize SSE-S3, or SSE-KMS.

Data Inventory and Lifecycle Management

JupiterOne Security team uses the JupiterOne Platform to query across our cloud-based infrastructure, including but not limited to AWS, to obtain detailed records of all data repositories, including but not limited to:

Records are tagged with owner/project and classification when applicable. All records are kept up to date via automation. The system is also designed to track movement of data and update/alert accordingly.

AWS S3 Object Lifecycle Management

The JupiterOne platform will automatically adjust the storage class for certain types of data based on its usage pattern and age. This allows the JupiterOne platform to provide competitive pricing while still allowing the customer to store large amounts of data.

AWS provides the following storage classes:

S3 lifecycle policies are used to manage the storage class for certain types of data. In most cases, the JupiterOne platform automatically adjusts the storage class but we may give customers the ability to adjust the storage class manually to meet their pricing or performance needs.

JupiterOne performs regular backups of all production data using automated systems or configuration provided by AWS. These backups are stored in AWS S3.

We leverage S3 lifecycle policies to automatically remove old backup data. This allows older data to “age out” instead of having to explicitly delete it. S3 lifecycle policies are also used to adjust the storage class of data backups based on the age of the backup.

Other Business Data

All internal and confidential business records and documents, such as product plans, business strategies, presentations and reports, are stored outside of an employee workstation or laptop.

Transient Data Management

Data may be temporarily stored by a system for processing. For example, a storage device may be used to stage large customer files prior to being uploaded to the production environment in AWS. These transient data repositories are not intended for long term storage, and data is purged immediately after use.

JupiterOne currently does NOT use transient storage for any sensitive data.

Backup and Recovery

Customer Data

JupiterOne stores data in a secure production account in AWS, using a combination of S3, Elasticsearch, DynamoDB, and Neptune databases. By default, Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects.

JupiterOne performs automatic backup of all customer and system data to protect against catastrophic loss due to unforeseen events that impact the entire system. An automated process will back up all data to a separate AWS region in the same country (e.g. US East to US West). By default, data will be backed up daily. The backups are encrypted in the same way as live production data.

Customers can also utilize the JupiterOne Platform Application Programming Interface (API) to extract and store their data elsewhere. Standard API usage fees will apply.

Source code

JupiterOne stores its source in git repositories hosted by Bitbucket and GitHub.

Source code repositories are backed up to JupiterOne’s AWS S3 infrastructure account on a weekly basis with a common set of configuration for each repository to enforce SDLC processes.

In the event that a version control system suffers a catastrophic loss of data, source code (with full git history) will be restored from the backups in AWS S3.

Business records and documents

Each data owner/creator is responsible for maintaining a backup copy of their business files local on their laptop/workstation to the appropriate location on JupiterOne’s Google Drive . Examples of business files include, but are not limited to:

System backups of user workstations/devices are self managed by each device owner. System backups may be stored on an external hard drive or using a cloud service such as iCloud if and only if the data is both encrypted and password protected (passwords must meet JupiterOne requirements).

!!! Note No Critical information is ever stored on or directly accessible from user endpoint devices.

Data Deletion Procedures

For Platform Customers

JupiterOne has created and implemented the following procedures to make it easier for JupiterOne Customers to support and comply with data retention laws.

Some types of customer data may be automatically transitioned to a storage class that is appropriate for archival or infrequent usage. The guidelines for transitioning data to different storage classes is at the discretion of JupiterOne.

Customer data is retained for as long as the account is in active status.

Data enters an expired state when the account is voluntarily closed. Expired account data will be retained for 14 days. After 14 days, the project/account and related data will be removed. Customers that wish to voluntarily close their account should download their data manually or via the API prior to closing their account.

If an account is involuntarily suspended, then there is a 14 day grace period during which the account will be inaccessible but can be re-opened if the customer meets their payment obligations and resolves any terms-of-service violations. If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the API and user interface will be available for their use. After 14 days, the suspended account will be closed and the data will be permanently removed (except when required by law to retain).