The security and privacy of your data are critically important to SolarWinds.
Protecting your data is very important to SolarWinds and the Pingdom team.
You are placing your trust in SolarWinds® Pingdom®, so we want you to know we’ve implemented strong security standards both within the product and outside with operational processes, using industry standards that will protect your data today and into the future.
Below are some details specific to data protection and retention that we think will answer many of the questions you might have about how we’ve implemented data protection within Pingdom. At the bottom of the page, we’ve also provided a link to the detailed SolarWinds security that blankets all of our products.
What encryption algorithms are used to protect customer data?
All the primary Pingdom databases are encrypted. Encrypted DB instances use the industry standard AES-256 encryption algorithm and the encryption key is protected by FIPS 140-2 validated cryptographic modules.
Data in transit will use TLS 1.2 or above and AES256 for data at rest.
Additional encryption for transaction monitoring
Inputs such as username/password in our multi-step recorded synthetic tests (what we call “transaction monitoring”) are stored encrypted.
Are customers provided with the ability to generate a unique encryption key?
No. All data sent to the Pingdom monitoring service is stored in an encrypted database. This includes any backup data. Encryption keys to the database are centrally managed by the Pingdom Service Reliability and Engineering (SRE) team. Authorized requests to read data are decrypted on the fly as the data is needed. Access level management to sensitive systems are limited to a restricted number of authorized Pingdom personnel.
What additional safeguards are in place to protect user credentials beyond the use of basic encryption?
Credentials are stored through a one-way hash function. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know/least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.
Are data segmentation and separation capability between clients provided?
All data in Pingdom is tagged with the Pingdom account ID. All access requests carry this information on the active user and the organization to which the user belongs. The Pingdom platform authorizes these requests using software-enforced policies.
What data will you be storing about us?
We only collect data that is necessary for running our service and provided by our customers. This type of data primarily includes billing information and monitoring configuration.
How do you ensure production data is never used in a development or test environment?
Our production and test environments are completely isolated (air-gapped).
Do you have a data retention policy?
There are documented retention and destruction policies and procedures. The organization creates, protects, and retains information system audit records based on customer requirements (depending on data source and applicable regulations) to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
How long will data about our organization be kept following a contract termination?
Data is retained according to SolarWinds’ internal data retention policies and destruction schedule. As part of GDPR, customers are, however, entitled to request earlier purging of data by contacting customer support.