Legal terms
May 31, 2023
Snyk Security Addendum
Introduction
This Information Security Addendum (“ISA”) is incorporated by reference into the services agreement between Customer and Snyk (“Agreement”). This ISA describes the minimum information security standards that Snyk maintains to protect Customer Data. Requirements in this ISA are in addition to any requirements in the Agreement. Capitalized terms used but not defined in this ISA have the meanings given to them in the Agreement.
1. Snyk Security Program
1.1 Scope and Contents.
Snyk’s security program: (A) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data; and, (B) is appropriate for the nature, size and complexity of Snyk's business operations.
Snyk follows AICPA ISAE3402 SOC2 Type II, ISO27001:2013 and ISO27017:2015 requirements and reviews its controls annually with qualified and impartial independent external auditors. Snyk also conducts internal audits aligned with Snyk's information security program controls and these compliance frameworks. Snyk’s internal audit validates that controls are operating effectively. Any identified issues are documented, tracked and remediated (SOC: MON-1). For convenience, customers can access third-party audit reports and related security documentation in the SnykTrust portal. Additionally, Snyk has referenced some of the applicable ISO27001 and SOC2 controls in this document.
1.2 Security Program Changes.
The Snyk Chief Information Security Officer or other leader, as assigned by Snyk, and the security team develop, maintain, review and approve Snyk security policies. Snyk policies and operating procedures related to security, confidentiality, integrity and availability are accessible by all Snyk personnel via its corporate intranet. Security policies are reviewed, updated (as needed), and approved at least annually. Snyk personnel are required to review and acknowledge security policies during on-boarding and annually thereafter (SOC: ORG-2).
1.3 Security Training & Awareness.
All Snyk personnel are required to complete security awareness and privacy training at least annually (SOC: ORG-8). Snyk conducts periodic security awareness education to give personnel direction for creating and maintaining a secure workplace (SOC: COM-11).
2. Human Resources Security
During hiring, Snyk implements the following controls:
Conducts seven-year employment history checks and criminal background checks for all Snyk personnel to the extent not prohibited by local laws and regulations (SOC: ORG-5);
Enters into employment contracts that require protection of personal data and confidential information both during and after the employment period (SOC: C-2).
Snyk maintains a disciplinary process to take action against personnel that do not comply with company policies, including Snyk security policies (SOC: ORG-3).
Access to Snyk systems and networks is disabled promptly upon notification of termination of personnel (SOC: LA-7).
3. Asset Configuration and Security
Snyk uses endpoint detection and response (EDR) technology on all Snyk endpoints to monitor for viruses and malware. Endpoint devices are scanned in real-time and anti-virus agent monitoring ensures that regular scans are conducted. The EDR technology automatically pushes updated virus definitions to all endpoints (SOC: LA-11). All endpoints have full-disk encryption and are monitored using industry recognized tools which alert IT administrators of discrepancies between Snyk security policies and a user's endpoint settings (SOC: LA-12). Snyk maintains an inventory of its corporate hardware, software and cloud infrastructure assets, and systematically reconciles the asset inventory annually (SOC: OPS-5). Additionally, Snyk classifies information in accordance with its data classification guidelines (SOC: C-5).
4. Access and Authentication Controls
Snyk employees identify and authenticate via Single Sign-On and multi-factor authentication (MFA) to access the corporate network and tools. Snyk requires minimum password complexity for all the corporate network access. Snyk’s access controls are role-based and align to the principle of least privilege. Requests to access Snyk security tools are approved by the designated approvers on the security or information technology team prior to provisioning access (SOC: LA-1).
Additionally, Snyk uses separate administrative accounts which are restricted to authorized personnel to perform privileged functions (SOC: LA-9). Snyk reviews: (A) administrator access to confidential and restricted systems semiannually; and, (B) access permissions to the production environment and to sensitive corporate systems quarterly. Any access which is inappropriate for a role function is promptly removed and the impacted individual and their direct manager are notified of the change (SOC: LA-8).
The Snyk production network is secured via a Software Defined Perimeter (SDP). In addition, to access Snyk’s Services, including the production network, Snyk employees must use MFA. The combination of SDP and MFA gives Snyk granular control around permissions, connectivity and auditability compared to a traditional VPN.
5. Encryption and Key Management
Snyk uses industry-standard encryption techniques to encrypt Customer Data at rest and in transit using TLS1.2, AES-256-CBC or greater encryption standards (SOC: C-10). Snyk monitors encryption best practices and updates its encryption standards as appropriate to align with industry standards. All connections are authenticated and encrypted using industry standard encryption technology (SOC: C-11). Snyk uses keys that are generated using methods consistent with industry accepted best practices, and the keys are reviewed and replaced on at least an annual basis (SOC: C-12). Snyk monitors Customer Data for integrity, including for accuracy, completeness and consistency, during transit to detect data tampering or corruption (SOC: C-9).
6. Physical Security
Snyk’s offices are collaboration spaces for its employees and none of the Services are hosted from its offices. Snyk grants office access based on employees’ geographic location and job responsibility, and removes access as part of the separation or internal job transfer when such access is no longer required (SOC: LA-21; SOC: LA-22). Access to Snyk offices is managed by a badging system that logs access, including any unauthorized attempts, which are denied. Snyk maintains visitor logs and requires visitors to be escorted by Snyk personnel (SOC: LA-23).
Snyk utilizes AWS and GCP data centers for all hosting requirements. AWS and GCP are responsible for the physical and environmental security policies of their hosting environments. These controls are annually validated to ensure they comply with ISO27001:2013 and SOC2 physical security standards.
7. Logging and Monitoring
Snyk continuously monitors application, infrastructure, network, data storage space and system performance (SOC: OPS-1). Snyk utilizes a security information and event management (SIEM) system to pull real-time security log information from servers, firewalls, routers and intrusion detection system (IDS) devices. The SIEM is configured to send the Snyk compliance team alerts and is monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events. Snyk reviews this information and remediates, as appropriate, potential security risks (SOC: OPS-2).
8. Network Security
Snyk utilizes GCP and AWS network perimeter defense solutions, as well as internal IDS and firewalls, to monitor, detect and prevent malicious network activity. Security takes appropriate action to respond to anomalous activity (SOC: LA-15). Firewall rule changes follow the Snyk change management process and require approval by designated approvers (SOC: LA-16). Snyk's corporate and cloud networks are logically segmented by virtual local area networks (VLANs) and firewalls monitor traffic to restrict access to authorized users, systems and services (SOC: LA-17).
9. Secure Development
Snyk’s software development life cycle (SDLC) process governs the acquisition, development, implementation, configuration, maintenance, modification and management of Snyk’s Services, including ensuring alignment with Snyk security policies (SOC: CM-4). Snyk utilizes a code versioning control system to maintain the integrity and security of the application source code (SOC: CM-8). Prior to the final release of a new version of the Services to the production environment, code is tested in non-production environments and certified (SOC: CM-6). Snyk follows secure coding guidelines which are reviewed and updated regularly and available to employees via Snyk’s corporate intranet. Snyk developers receive annual secure coding training (SOC: CM-7).
10. Support and Maintenance
Snyk deploys changes to the Services during scheduled maintenance windows, details of which are posted to the Snyk Status page prior to the scheduled period. Snyk also posts notices of service interruptions and provides status updates, high level information regarding upgrades, new release availability, and minimum release version requirements to the Snyk Updates and Status pages (SOC: CM-11).
11. Third Party Security
For existing and new third party vendors, Snyk employs a risk-based scoring model (SOC: MON-2). Snyk requires third parties to enter into contractual commitments that contain security, availability, processing integrity and confidentiality requirements as applicable to the services the third-party will be providing (SOC: COM-9). Snyk evaluates the physical security controls and assurance reports for its data centers on an annual basis. Snyk assesses the impact of any issues identified and tracks any remediation efforts (SOC: MON-3).
12. Incident Response and Notification
Snyk has an incident response plan, including a process, to assess, escalate, and respond to identified security incidents that impact Snyk, Snyk customers, or any Snyk or customer data. The incident response plan is reviewed and updated at least annually (SOC: OPS-4).
13. Risk Management
Snyk’s security risk assessment policy and process enable Snyk to identify and remediate potential threats to its infrastructure. Snyk assigns risk ratings to all identified risks, and remediation is managed by security personnel (SOC: RM-1). Executive management is kept apprised of the risk posture of the organization.
Snyk’s security program includes an insider threat risk management program to monitor, alert and investigate threats posed by both non-malicious and malicious actors inside the organization.
14. Threat and Vulnerability Management
Snyk's Threat and Vulnerability Management (TVM) program monitors the Snyk product infrastructure and Snyk end points for vulnerabilities on an on-going basis (SOC: RM-3). Snyk conducts monthly internal and external vulnerability scans using industry-recognized vulnerability scanning tools. Identified vulnerabilities are evaluated, documented and remediated to address the associated risk(s) (SOC: RM-6). Snyk manages an ongoing bug bounty program and annual external penetration tests conducted by an independent third party. Findings from these tests are evaluated, documented and remediated (SOC: RM-7).
15. Change Management
Snyk has change management policies and procedures for requesting, testing and approving application, infrastructure and product related changes. All changes receive a risk score based on risk and impact criteria. Risks are assessed and changes are approved based on score with higher score risks receiving greater scrutiny. Change documentation and approvals are maintained in a ticketing system (SOC: CM-1). Product development changes undergo various levels of review and testing based on change type, including security and code reviews, regression, and user acceptance testing prior to approval for deployment (SOC: CM-2). Following the successful completion of testing, changes are reviewed and approved by leadership prior to implementation to production (SOC: CM-3). Snyk uses dedicated environments separate from production for development and testing activities. Access to move code into production is limited and restricted to authorized personnel (SOC: CM-9).
16. Business Continuity Plan
Snyk maintains a Business Continuity Plan and a Disaster Recovery Plan to manage significant disruptions to Snyk operations and infrastructure. These plans are reviewed, updated (as needed) and approved annually (SOC: A-5). Snyk conducts business continuity exercises at least annually to evaluate Snyk tools, processes and subject matter expertise in response to specific incidents. Results of these exercises are documented and any issues identified are tracked to remediation (SOC: A-6).