Security overview of Daton
Saras Analytics is dedicated to security and is concerned about the safety of you and your data. While connecting, extracting, and loading data from your data sources, Daton complies to industry-leading standards.
- Daton’s web application enforces SSL to ensure communication remains secure.
- All credentials used to access other systems (i.e., your database or a SaaS integration) are encrypted before Daton stores them.
- Data is always encrypted in transit and at rest within the Daton environment. At rest, Daton uses AES-256 to encrypt data.
- Daton offers several secure options for creating connections to integrations and destinations:
- All plans include SSL/TLS, SSH tunnels, and IP whitelisting for integrations and destinations that support these features.
The Daton application enforces SSL to ensure all communication with Daton remains secure.
Connections that use verified SSL by default
For any connection using an HTTP API - for example, integrations like Salesforce or Facebook Ads, Daton will use SSL/TLS-based encryption by default.
This also applies to all supported Daton destinations including Redshift, BigQuery, and Snowflake destination support.
Connections to these integrations and destinations will attempt to use verified SSL by default.
For some integrations like a database hosted on your server - Daton may support configurable SSL. To use SSL with a database Daton supports, the database must be configured to support and allow SSL connections.
If a database you want to connect to Daton doesn’t support SSL connections or isn’t publicly accessible, you can use an SSH tunnel. The steps for setting up an SSH connection vary depending on where your database is hosted. Contact our support team by sending an email to [email protected] if you have questions.
- Connections to customer's software-as-a-service (SaaS) platforms are encrypted through HTTPS.
- Connections to customers' database sources and destinations support SSL encryption which is provided as an option to the user to select.
- Daton only requires READ permissions to your data sources. For data sources that by default grant permissions beyond read-only, Daton will never make use of those permissions.
- Destinations - Daton requires the CREATE and MANAGE permissions. This permission allows Daton to CREATE a schema and perform DDL operations within your destination, CREATE tables within that schema, and WRITE to those tables. Daton is then able to READ only the data it has written.
All customer data, besides what is needed for replicationi as listed in the paragraph below, is purged from Daton's system as soon as it is successfully written to the destination. In addition to files being purged as the last step of the load process, Object lifecycle management is also set to ensure that files do not stay longer than one day in our system. Retrieving schema information for sources that support custom columns – For all sources that have custom schema support, data is temporarily retrieved into the memory, purely for the purposes of schema determination. This data is cleared from memory upon the successful setup of a source integration.
Daton retains subsets of a customer's data that are required to provide and maintain Daton's solution. This only includes the following data:
- Customer access keys - Daton retains customer database credentials and SaaS OAuth tokens to extract data and troubleshoot customer issues securely and continuously. These credentials are securely stored in a key management system (KMS). The key management system is backed by a hardware security module (HSM) that is managed by our cloud provider.
- Customer metadata - Daton retains configuration details and data points (such as table and column names) for each connector so that this information can be shown to your organization in your Daton dashboard.
By default, we store that event data in a cloud storage service in one of the following locations:
- the EU region (for destinations run in the EU region)
- the US region (for all other destinations)
Access to Daton production infrastructure is only allowed via hardened bastion hosts, which require an active account protected by MFA (multi-factor authentication) to authenticate. Further access to the environment and enforcement of least privilege is controlled by IAM (identity and access management) policies. Privileged actions taken from bastion host are captured in audit logs for review and anomalous behavior detection.
Physical and environmental security is handled entirely by our cloud service providers. Each of our cloud service providers provides an extensive list of compliance and regulatory assurances, including SOC 1/2-3, PCI-DSS, and ISO27001.
Daton runs data connectors on servers in the United States (US), European Union (EU), United Kingdom (UK), and Singapore. You can select your preferred data processing location when configuring your destination. All connectors configured in a destination run in the destination's designated location. This means that in most cases, your data will not leave our region-specific servers during processing. For example, if you configure your destination to run in a EU region, your data will not leave the EU during processing.
Daton runs our services on Google Cloud Platform (GCP) and Amazon Web Services (AWS). The following table lists regions supported by Daton for each service provider:
- Only users of your organization registered within Daton have access to your organization's Daton dashboard.
- Your organization's Daton Dashboard provides visibility into the status of each integration, metadata for each integration, and the ability to pause or delete the integration connection and run any on-demand sync operations.
- Organization administrators can use the Daton dashboard to revoke an organization member's access at any point.
- Organization administrators can request Daton’s support team to revoke an organization member's access at any point. These requests are fulfilled within 1 business day.
- Daton requires that all employees comply with security policies designed to keep all customer information safe, and address multiple security compliance standards, rules, and regulations.
- Two-factor authentication and strong password controls are required for administrative access to systems.
- Security policies and procedures are documented and reviewed on a regular basis.
- Networks are strictly segregated according to security level. Modern, restrictive firewalls protect all connections between networks.
- Create a dedicated user for Daton whenever possible. This applies to any integration or destination.
- For database connections, utilize Daton's built-in support for SSH and SSL/TLS connections to encrypt data in transit.
- For SaaS data, keep any credentials or sensitive information such as passwords, API keys or tokens, etc. secure.
- If your database(s) or SaaS account(s) have been hacked, we recommend that you:
Our team can help you remediate any data issues that might have occurred as a result of the breach.
- 1.Immediately recycle any credentials used to access your system or service,
- 2.Generate new credentials, and
- 3.Update the credentials for the appropriate integration(s) in Daton.
To date, Daton has not experienced a breach in security of any kind. In the event of such an occurrence, Daton protocol is such that customers would be made aware as soon as the compromise is confirmed.
At Daton, we are committed to keeping our systems, data and product(s) secure. Despite the measures we take, security vulnerabilities will always be possible.
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
Please make a good faith effort to avoid privacy violations as well as destruction, interruption, or segregation of services and/or data.
We will respond to your report within 5 business days of receipt and will attempt to keep you regularly informed of our progress toward resolving the vulnerability. If you have followed the above instructions, we will not take any legal action against you regarding the report.
IMPORTANT: Daton cannot access your data without your approval.
When working on a support ticket, we may need to access your data to troubleshoot or fix your broken connector or destination. In that case, we will ask you to grant Daton access to your data for the next 30 days. You can allow or deny data access. If you grant us data access, you can revoke it at any moment before the 30-day diagnostic period has expired.