The Enterprise Shield Package offers the highest level of security for compliance and assurance, including:
- Everything included in standard Security Shield package.
- Annual completion of customer security questionnaire.
- Customized security compliance reporting (agreed upon in contract).
- Implementation of the TLS certificate provided by the customer.
- Audit Log that allows loading of GoodData Platform events into customer SIEM.
- Additionally, one backup package per week is retained for each project covering the period between one week ago and three weeks ago.
Full Audit Trail of all Access of GoodData Personnel to Customer Data
- No customer data outside of the GoodData Platform (strong technical controls: all access to customer data is restricted to a secure and fully audited terminal server within the platform security perimeter)
- Dedicated S3 bucket with IP whitelisting & dual set of credentials
- All GoodData employee access to data is from a terminal server where all user sessions are fully recorded and audited
- All Support access to customer projects is via impersonation (full audit trail of who accessed the data)
- Impersonation of customer accounts requires written permission from the customer
- All Support access to customer data by means of impersonation of platform users is subject to audit
Additional Assurance on Selected Workspaces
ISO 27001-compliant processes for implementation and maintenance of the solution
- Implementation in Services follows formal processes that increase the robustness of the implementation, decrease risks related to human error (which might otherwise be acceptable in an agile environment with limited compliance requirements), and produce records demonstrating adherence both to industry-standard secure SDLC practices and to process requirements:
  - Documented customer data flow
  - Formal architectural review
  - Secure coding practices enforced via code review
  - Formal security review of the solution
  - Formal change management of the solution, including Segregation of Duties
  - Management and compliance approval before go-live
For standard implementations, Professional Services follow industry-standard best practices; however, for the sake of agility and cost-efficiency, formal documentation is limited (typically just a customer sign-off prior to go-live) and segregation of duties is not enforced (one engineer may be responsible for design, implementation, testing and roll-out).
Additional Regulatory Compliance
To ensure that the customer complies with the applicable regulatory requirements and data protection laws, GoodData offers additional security add-ons. These add-ons must be purchased by the customer on top of Enterprise Shield.