
Security Addendum


This Security Addendum is incorporated into and made a part of the written agreement that governs Customer’s use of the Services between SurrealDB Ltd. or its Affiliates (“SurrealDB”) and Customer that references this Security Addendum (“Agreement”). All capitalised terms not defined herein shall have the meaning set forth in the Agreement. For the purposes of the Security Addendum only, and except where otherwise indicated, the term “Customer” shall include Customer and its Affiliates.

  1. Overview

    1. General. SurrealDB has an established information security program, with a documented Information Security Management System (ISMS), policies and procedures based on industry standard security frameworks to protect the confidentiality, availability and integrity of SurrealDB data and systems. SurrealDB implements and maintains administrative, physical, and technical security measures as set out hereunder to protect the Services, Support Services and the security and confidentiality of Customer Data (including any Personal Data that may be contained therein) (each as defined in the Agreement).
    2. Governance. SurrealDB’s Head of Security leads the information security program, and develops, reviews and approves (together with other relevant stakeholders) the ISMS, Policies and Procedures.
    3. Maintenance. The information security program is subject to audit by third parties and is reviewed and updated at least annually to reflect changes to business context and applicable laws and regulations, and to ensure the continued efficacy of controls over data and information systems. SurrealDB may review and update this Security Addendum at any time without prior notice. Such updates are always subject to the SurrealDB warranties provided to Customer under the Agreement.
  2. SurrealDB Shared Responsibility Model

    1. Cloud Shared Responsibility Model. Surreal Cloud is a product that offers a hosted instance of SurrealDB for customers to consume. Customer acknowledges this is a shared responsibility model where SurrealDB is responsible for the hosting of the SurrealDB instance, storage and network access, and the Customer is responsible for the secure use of the SurrealDB instance. Each party must therefore undertake certain technical and organisational measures in order to protect the Services and Customer Data.
    2. SurrealDB Security Configuration. The configuration of Surreal Cloud instances can be viewed within the Instance Capabilities panel for each instance. Customers have an obligation to ensure that these capabilities and other SurrealDB security features are configured appropriately. These features are covered in more detail in our Documentation.
  3. Application Security

    1. Open Source Security. The SurrealDB open source project has an open source security policy extending its security process to the wider community. This policy is made available through GitHub, and allows SurrealDB to benefit from the security expertise and resources of its community. In turn, it provides the community with safe and responsible avenues to contribute to the security of an open source product that they rely on.
    2. Responsible Disclosure. SurrealDB encourages external contributors to report security vulnerabilities following a small set of practices described in the policy. SurrealDB commits to address all legitimate reports within three business days, work on resolving the issue while keeping the reporter updated and crediting the reporter when an advisory is eventually published. The responsible disclosure process protects legitimate security reporters from legal repercussions and promotes an open discussion around the security of SurrealDB.
    3. Security Advisory. SurrealDB releases security advisories whenever a significant security issue has been resolved in the open source project. These advisories provide details about the vulnerability, its potential impact, affected versions and possible workarounds. The publication of advisories assists both humans and automations in identifying existing risks early as well as being aware of how to immediately mitigate or resolve them.
    4. Software Development Lifecycle (SDLC). The SDLC for the SurrealDB open source project features dependency analysis and automated update tooling to identify vulnerable dependencies, linting and dynamic application security tooling to detect bugs and security issues. The SDLC for Surrealist features static code analysis and automated dependency update tooling.
    5. Credential Management. Within Surreal Cloud, secrets are stored within a third-party key store and dynamically loaded into the application at runtime. Access to the key store is logged. Use of plaintext keys embedded within the codebase is forbidden.
  4. Corporate Security

    1. Employee Education. During the employee onboarding process, and annually thereafter, employees must read and acknowledge SurrealDB information security policies.
    2. Background Checks. SurrealDB performs background checks on employees upon hire in accordance with local laws and regulations.
    3. Internal Audits. Internal Security Audits and Risk Assessments are performed at least annually at SurrealDB.
    4. Multi-Factor Authentication (MFA). Where available, MFA is required for all employees to log into SurrealDB systems.
    5. Corporate Offices. SurrealDB has implemented administrative, physical, and technical safeguards for its corporate offices. These include, but are not limited to, the below:
      • Visitors are required to sign in, and be escorted by SurrealDB personnel while on premises
      • SurrealDB personnel badge into the offices
      • Badges are not shared or loaned to others without authorization
      • Physical entry points to office premises are recorded by CCTV and have an access card verification system at every door, allowing only authorised employees to enter the office premises
      • Equipment and other SurrealDB-issued assets are inventoried and tracked
    6. Penetration Testing. SurrealDB conducts third-party penetration tests at least annually.
    7. Vulnerability and Patch Management. SurrealDB performs vulnerability scanning and package monitoring on cloud hosts and services. Discovered issues are triaged and resolved according to severity.
  5. Access Control

    1. Role Based Access. SurrealDB assigns access permissions to staff on a least privilege basis, based on their role and responsibilities. All access is logged and permissions are reviewed at least annually.
    2. Password Policy. In addition to the enforcement of MFA (when supported by the system), SurrealDB maintains a stringent password policy with complexity and length requirements. In addition, all employees are provided with a password manager to encourage the use of unique, lengthy and complex passwords.
  6. Infrastructure & Platform Security

    1. Infrastructure and Physical Security. Surreal Cloud is hosted on AWS. AWS maintains a list of reports, certifications, and third-party assessments to ensure best physical and information security practices, including ISO 27001:2013, ISO 27017:2015, and ISO 27018:2014.
    2. Environment Segregation. Surreal Cloud uses dedicated and segregated Development, Testing and Production environments. Customer data is never stored in Non-Production environments.
    3. Anti-DDoS. Surreal Cloud relies on inbuilt AWS protections to defend against the most common, frequently occurring network and transport layer DDoS attacks.
    4. Access Monitoring. Surreal Cloud has logging enabled on all constituent AWS services, including, but not limited to, administrator access, system configuration changes, and data store access logs.
    5. Cloud Native Threat Detection. SurrealDB uses threat detection services that monitor for malicious activity and anomalous behaviour within the cloud environment.
    6. Data Erasure. Secure deletion of Customer Data is reliant on AWS processes. Customer Data shall be immediately deleted and not capable of retrieval if deleted by Customer through their account, i.e. through instance deletion. Surreal Cloud will delete Customer Data within 30 days of an account closure request. Suspended accounts will remain suspended for 30 days, following which they are closed with data removed 10 days thereafter (except when required by law to retain).
    7. Encryption at Rest. Customer data at rest constituting the Surreal Cloud datastores is encrypted at the disk and/or file level using AES-256.
    8. Encryption in Transit. Data sent in-transit across public networks and to datastores is encrypted using TLS v1.2 or successors.
  7. Endpoint Security

    1. Centralised Device Management. SurrealDB owned laptops are centrally managed with management agents installed, and best practices enforced such as automatic updates, enforcement of password policies, enablement of disk encryption and device level firewalls.
    2. Endpoint Detection and Response (EDR). All SurrealDB owned laptops feature an EDR solution to monitor for and alert upon threats.