Security is of paramount importance at Gremlin. To ensure we maintain a safe and secure environment we use a variety of industry-standard technologies and practices managed by our dedicated security team. We provide regular security awareness training to our employees in both technical and non-technical roles to ensure that security is always given utmost priority and importance. If you have any questions, concerns, or encounter any issues, please contact us at firstname.lastname@example.org.
Being secure is a guiding principle behind the Gremlin product. Achieving it starts with our agile development process and use of continuous integration, which allows for quick resolution of security issues as well as functional issues, and with our strict adherence to security-centric change management and incident management programs.
For customers desiring more control over authentication, we support SAML 2, allowing us to integrate with many enterprise authentication systems. We also support Google OAuth2 for customers desiring to integrate with Gmail or G Suite. Don't host your own authentication system? That's OK, we also provide username/password-based logins!
Gremlin provides MFA for use with password logins. When enabled, MFA provides added security by requiring a separate rotating 6-digit code, typically via an app on your phone. This ensures that if your password were to be compromised, your account would remain secure.
Using a proxy for your outbound network traffic? That's just fine, the Gremlin client supports HTTP/HTTPS proxies via standard Linux methods.
All access to the system is logged and made available to administrators in JSON or CSV format to facilitate integration with customer security monitoring systems.
Gremlin operates on the principle of least privilege. Only those with a strict business need to access data are allowed to do so, and only after signing non-disclosure agreements. We employ multiple layers of authentication and access control to ensure only those authorized to access data are allowed to do so, and we monitor that access in real time, alerting on suspicious activity. All data is encrypted both in transit using TLS and at rest using AES-256. Passwords are randomly seeded and hashed using SHA2 prior to encrypted storage. All customer data is logically segregated and tagged with ownership to ensure it cannot be accessed or used by unauthorized users.
Gremlin's systems are hosted in a secure server environment that is ISO 27001 & 27017, PCI DSS Level 1, and SOC 1 & 2 & 3 compliant and utilizes advanced security technologies that include biometric and hardware token identification. All Gremlin systems are hardened and regularly updated with the latest security patches. All systems are monitored in real-time and regularly audited to ensure they remain in compliance.
All systems are audited by our dedicated security team at least quarterly; systems with access to sensitive data are audited at least monthly, and in some cases daily.
We employ a third-party security auditing and penetration testing firm at least annually, or anytime there are major changes to our systems or architecture. This ensures that our internal systems and processes are performing as we believe they are.
We employ multiple real-time monitoring systems with 24/7 alerting to inform us of violations of policy as well as suspicious activity that may indicate a compromise.
We've recently completed auditing for the Service Organization Control (SOC) 2 Type II report. Compiled by Peterson & Sullivan, the report documents how Gremlin's information security practices, policies, and procedures are suitable to meet the SOC 2 trust principles criteria for security and confidentiality.
The goal of the report is to verify the existence of internal controls designed and implemented to meet the requirements for the security principles set forth in the Trust Services Principles and Criteria for Security. It provides a thorough review of how Gremlin’s internal controls affect the security, availability, processing integrity, and confidentiality of the systems it uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. This independent validation of security controls is crucial for customers in highly regulated industries.
All data centers used by Gremlin are ISO 27001 and SOC 1 & 2 certified. Access to facilities is restricted to authorized users via electronic means, including biometrics. All facilities are monitored by professional security staff.