Security Overview

The following topics provide technical information about how Kentik ensures the security of its systems and processed data:

Note: For a high level overview of Kentik’s security program, see https://www.kentik.com/pdfs/KentikSecurityOverview.pdf.

 

Security Summary

When you partner with us, you trust us with metadata and device information related to your private network(s). We’ve designed our systems to make sure that this information is safe at all times. Core features of our security program include:

  • We provide multiple ways to ensure all data sent to us can be encrypted in transit, including legacy data types historically sent in clear text.
    Note: For detailed information about our kproxy agent, which helps encrypt NetFlow and SNMP information, see About the Proxy Agent.
  • All customer data stored by Kentik (public SaaS, private SaaS, and on premises) is encrypted at rest using AES-256, a FIPS 140-2 approved algorithm.
  • Access to all Kentik systems is strictly protected. Our engineers connect over VPNs and use hardware security tokens (Yubikeys) to perform technical maintenance, and we support both SSO integrations (via SAML 2.0) and the ability to enforce MFA for customer access. For security reasons, we limit MFA to TOTP tokens (e.g. Google Authenticator) and hardware-based tokens (e.g. Yubikey); SMS and email codes are not supported because they are exposed to SIM-swap and mailbox-takeover attacks. Note that a TOTP code can still be captured and relayed by a real-time phishing proxy, so a hardware token used in an origin-bound mode (FIDO2/WebAuthn) is the phishing-resistant choice of the two.
    Note: For more about supported SSO integrations, see About SSO.
  • Kentik maintains annual SOC 2 audits and penetration testing, alongside continuous membership in a bug bounty program. Audit reports are available for customer inspection under NDA.
  • Strict segregation is maintained between customers at all times, with use of customer-specific databases to further segment accounts.
  • Security logs, including authentication-related events, are available in our Audit Log.
  • Our default SLA for uptime is 99.99%, and we post information about any downtime, service degradations, or maintenance to a public-facing status page at https://status.kentik.com (US) and https://status.kentik.eu (EU).
    Note: You can read more about our support and SLA commitments at https://www.kentik.com/pdfs/KentikSupportSLA.pdf.

The following table shows how the system and data are protected:

Data in transit
- All communication to and from Kentik.com can be secured with TLS 1.2 or greater.
- SNMP natively supports encrypted and unencrypted modes (SNMPv3 with authentication and privacy is encrypted; SNMPv1 and v2c send the community string and all data in clear text); we encourage customers to use only encrypted modes when sending SNMP data directly to Kentik.
- UDP-based flow logs are unencrypted by design; Kentik offers methods to gather and encrypt such data, including our kproxy agent.
- TLS 1.2+ is used for all customer data transmitted to Kentik from a host (via kprobe), from Google VPC, or via our proxy agent (kproxy).
Data on disk
- All customer data at rest is encrypted using AES-256, a FIPS 140-2 approved algorithm.
Access control
- A separate logical database is maintained for each customer.
- Users can’t modify ingested data or overwrite database tables.
- When using local user accounts to access our platform, passwords are stored only as the output of a modern password-hashing function, with a unique random salt per hash. Identical passwords therefore produce different stored values, and precomputed (rainbow) tables are useless if a hash is ever exposed.
- We support mandatory use of MFA, including via smartphone app (TOTP) or hardware-based tokens like Yubikey.
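The following is an added example illustrating the salted password-hashing property described in the Access control row above; it is not Kentik’s code, and the KDF, iteration count and record format are illustrative choices rather than a description of Kentik’s implementation.

```python
# Added example (not Kentik's implementation): per-user salted password hashing
# with a slow KDF (PBKDF2-HMAC-SHA256) and constant-time verification.
import base64
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 600_000   # PBKDF2-SHA256 work factor; assumption, pick per your threat model
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_b64$hash_b64'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every stored hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(KDF_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False                           # unknown or legacy format: refuse, don't guess
    _, iterations, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def same_password_different_hashes(password: str) -> bool:
    """Two records for the same password share neither salt nor hash (unique salts)."""
    a, b = hash_password(password).split("$"), hash_password(password).split("$")
    return a[2] != b[2] and a[3] != b[3]


def shared_salt_collides(password: str) -> bool:
    """Counter-example: reusing one salt makes equal passwords visibly equal in the store."""
    fixed_salt = b"\x00" * SALT_BYTES
    return hash_password(password, fixed_salt) == hash_password(password, fixed_salt)
```

The point of `shared_salt_collides` is the failure mode the unique salt prevents: with a shared salt, every user who chose the same password gets the same stored value, so cracking one hash cracks all of them and equal hashes leak which accounts share a password.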

 

Security FAQ

The Kentik Platform is designed to provide scalability, reliability, and security using layered protections, and most Kentik customers use our service via our multi-tenant SaaS platform. While the answers in the following FAQ topics address how we handle security concerns in the SaaS environment, many will apply as well to on-prem deployments:

 

General Security Questions

  • Does Kentik hold a SOC 2 Type 2, ISO27001, or similar third-party audit report?
    Yes. Kentik completes annual SOC 2 (type II) attestations, and we’re happy to share our audit reports with customers and prospects under NDA. We also ensure that all data center locations where Kentik operates production systems and/or stores customer data are required to maintain strict and reputable audit certifications, including SOC 2, ISO 27001, and similar quality certifications.
  • Has Kentik undergone a vulnerability assessment or penetration test of its production environment within the past twelve months?
    Yes. Kentik performs vulnerability assessments covering both internal and public-facing systems several times per month. Kentik also engages with an independent third party firm to perform penetration tests on an annual basis, or when significant changes to the infrastructure have occurred.
  • How does Kentik monitor the system for security events?
    Platform events are logged and aggregated in a dedicated platform. Notable events are aggregated into dashboards, with notifications for anomalous activity sent to internal communications or incident response channels. Certain log types, including access logs, are provided directly to customer admins in-app. Customers may contact Kentik to report suspected or confirmed security incidents via email at security@kentik.com, or as otherwise specified in your signed MSA and DPA.
  • Does Kentik notify customers if their data is involved in a security incident?
    Yes. While the language in our signed MSAs and DPAs should be considered authoritative, we include customer notification as a component of our incident response procedures and typically commit to notifying customers within 48-72 hours (or as otherwise specified in relevant data protection law) of a confirmed security incident affecting their data. You can find a copy of our standard DPA here: https://www.kentik.com/pdfs/KentikDataProtectionAddendum.pdf.
  • Does Kentik maintain cyber-liability insurance?
    Yes. We maintain cyber liability coverage in addition to other types of business insurance. We’re happy to share a copy of our certificate of insurance (COI) upon request.
  • How does Kentik ensure that security concerns are addressed throughout the company?
    Kentik’s corporate security measures and security culture are addressed holistically in the Kentik Security Overview PDF. In brief, we ensure that technical staff are trained on our SDLC, which includes review of the OWASP top 10, Security by Design and Privacy by Design principles, supply chain security (including vulnerability management), and much more. Generally speaking, we employ intelligent, driven staff that care about doing the right thing, and we make sure organizational resources are in place to support them. Our Security department includes a CISO; compliance, privacy, and assurance focused staff; and technical security experts. Each of these team members maintains strong ties across the organization to ensure security is considered across a wide variety of business initiatives.
 

Compliance and Certification

  • Are the hosting facilities SOC 2 or ISO 27001 certified?
    Yes. All of our hosting centers are SOC 2 and/or ISO 27001 certified, and most include additional security- and privacy-focused certifications. You can find certification information from our co-location facilities at https://www.equinix.com/data-centers/design/standards-compliance and https://deft.com/compliance.
  • Is Kentik’s service PCI and HIPAA compliant?
    Kentik doesn’t process or store PCI or ePHI data from customer networks. If you plan to use Kentik services in a PCI or HIPAA environment, please discuss your security and compliance needs with our sales or customer engineering staff.
  • Can Kentik work with customers subject to the GDPR?
    Yes. Our privacy program is designed to meet GDPR requirements. In short, we minimize processing of personal information, provide customers with options to redact IP addresses before they hit our servers, use a Data Protection Agreement (DPA) that includes the EU Standard Contractual Clauses (EU SCCs) by default in all of our customer agreements, and we offer the option of hosting out of a data center in Frankfurt, Germany. When you have specific requirements or commitments under the GDPR, such as correcting/deleting information or completing specific types of audits and impact assessments, we commit to helping you meet those. For the avoidance of doubt, Kentik does not expect to process information classified as "sensitive" under the GDPR. To review a copy of our DPA, please see https://www.kentik.com/pdfs/KentikDataProtectionAddendum.pdf.
  • Are customers allowed to conduct vulnerability assessments or penetration testing?
    Yes. We’re open to coordinating such activity; however, security testing in multi-tenant environments requires some care to ensure risks are minimized. Please coordinate any penetration testing with your point of contact in advance. Penetration testing should be limited to non-destructive tests, rate-limited to reasonable levels that minimize the chance to disrupt business operations, and be designed to avoid tests that could result in data corruption. Tests are conducted at customer expense and must be completed against up-to-date copies of Kentik’s platform. If you need to perform more aggressive forms of testing, please arrange a dedicated test environment that is segregated from production infrastructure. Passive forms of vulnerability testing may be performed without prior coordination, but should be limited to once per month at most (preferably once per quarter) and use reasonable rate limits.
  • How does Kentik manage risks?
    Kentik performs annual or more frequent risk assessment exercises that include executive and security involvement. Risk assessments are designed to address underlying risks, evaluate the effectiveness of Kentik’s compensating controls, and evaluate the severity and likelihood of any residual risks. This process helps us formally consider risks and identify those that require further treatment, including by transferring risks to other parties, pursuing mitigation plans, or avoiding activities that put us at risk. Risk assessments are formal activities that are reviewed by Kentik’s auditors and included in audit reports. At a high level, assessments include review of risks to privacy, security, data integrity, uptime, business continuity, fraud, compliance, and other areas.
 

Data Protection and Segregation

  • How does Kentik keep customer data separate in a multi-tenant system?
    Customer data in our public SaaS is stored with multiple internal system safeguards to ensure that data cannot cross customer boundaries:
    - The Kentik Data Engine (KDE) stores each customer’s network data (flow records, BGP, GeoIP, SNMP) in separate logical databases and tables.
    - Customer access is strictly limited to databases and tables associated with their customer record.
    - Data access audit logs are maintained for all activity within the environment.
    - Kentik’s internal access to production systems and infrastructure is limited to those with a compelling business need. These users access our infrastructure over dedicated VPNs and use hardware-based security tokens to authenticate with the relevant infrastructure. Any such access is subject to internal logging and access review protocols.
  • Is data encrypted at rest?
    All customer data across all production systems is encrypted at rest using AES-256, which is consistent with FIPS 140-2 standards.
  • Is data encrypted in transit?
    Customers can choose to enable encryption, using TLS 1.2 or better, for all data sent to Kentik, including by use of a proxy agent that can gather and encrypt info from devices on your network. We also support private network interconnects (PNIs) to keep data from traversing public networks. Note that Kentik does process several types of non-TCP protocols that were historically sent unencrypted. All user access to our SaaS web platform is encrypted using TLS 1.2+. To learn more about using our proxy agent, see About the Proxy Agent.
  • Can data be removed at customer’s request and per customer’s policies?
    Yes. Kentik retains telemetry data according to the retention period specified in our signed MSA and configured by the customer (typically 45 days for full resolution data and 120 days for summarized or derived metrics). The data is automatically deleted upon expiration of the retention period. If a customer discontinues use of Kentik, we ensure that all of their data is removed from our primary systems. Data can also be optionally removed at any time per customer request. Note that certain data, like device configurations, is retained for the duration of the customer relationship or until it is deleted by the customer.
  • Will customer data be shared with third party vendors?
    - Kentik never sells your information to third parties or discloses it without your express permission. For certain customer relationships, Kentik may seek express written consent to use agreed portions or aggregated data for Kentik’s marketing or research purposes as covered in Kentik’s customer contracts, but this is done only with formally established written consent.
    - Kentik uses subprocessors to provide our service (you can find a list on our Legal page), and certain types of subprocessors may have limited interactions with customer-related information. The vendor hosting our support ticketing system, for example, will process any information shared by customers in support tickets.
    - Any third-party vendors or subprocessors used by Kentik undergo a thorough security assessment by dedicated security staff, and we ensure that all such vendors provide security commitments that are substantially similar to the commitments we make to our own customers. Vendor security controls are periodically reassessed during the duration of services, consistent with our SOC 2 commitments. Kentik ensures that all data is returned and/or deleted at the end of a vendor relationship.
  • Are there any interfaces or connections with third party systems?
    To make the most of our data and insights, Kentik offers a number of integrations to third party systems. Customers are always in the driver’s seat when it comes to integration management, and integrations are configured by and authenticated against customer accounts. Kentik offers integrations to notification and alerting channels, DDoS mitigation systems, SSO providers, and more (see Integrations).
 

Access and Identity Management

  • What forms of user management features and controls exist in Kentik?
    - Access to the underlying infrastructure of our SaaS platform requires the use of Kentik's corporate VPN connections and separate authentication with hardware tokens (e.g. Yubikeys) to ensure that access is rigorously protected. Access rights to infrastructure are strictly controlled, with regular internal audits and independent (external) auditor inspection of our processes.
    - User logins to the SaaS platform may, at the customer's option, require MFA. We support both TOTP/app-based MFA devices (like Google authenticator) and hardware tokens (such as Yubikey) to ensure MFA devices are resilient against attacks. We also support SSO integrations via SAML 2.0, which put our customers in the driver’s seat on authentication management. For more information on SSO, see About SSO; for information about configuration of MFA, see Two-factor Authentication.
    - Kentik supports tiered user roles — including user, admin, and super admin — that are designed to be managed by customer administrators. RBAC is also available to further limit user access in accordance with the least-privilege principle, as described in Kentik RBAC.
    - API access tokens are generated at the individual account level and can be reset at any time; see API Token.
  • Does Kentik offer single sign-on (SSO)?
    Yes. Kentik supports SSO integrations via SAML 2.0; see About SSO.
  • Is multi-factor authentication deployed for "high-risk" environments?
    Yes. Kentik uses MFA to protect its corporate environment and prevent unauthorized access to the infrastructure underlying the Kentik platform. We also make MFA options available for customer use to protect access to the Kentik SaaS.
  • Do you conduct background checks against your employees & contractors (pursuant to local laws)?
    Yes. Kentik performs criminal background checks for all employees and contractors, including international workers (consistent with local laws). US checks include review of federal, state, and local records.
  • Are employees required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
    Yes.
  • What are Kentik’s user termination procedures and timelines?
    - Customer users are immediately deleted from the system as soon as they are removed via the User administration section of the portal.
    - Kentik staff accounts are audited via Kentik’s access review program and subject to SOC 2 audit. Staff accounts are reviewed promptly upon change in role, with access reassigned as necessary, and disabled immediately upon termination (24 hours maximum).
  • What is Kentik’s password policy for systems and infrastructure that is used to host customer data?
    Infrastructure access does not rely on passwords: users authenticate with SSH public keys combined with a second factor (see Infrastructure Security below), and all access is logged to multiple endpoints.
 

Application Security Questions

  • Does Kentik employ a formal secure application methodology?
    We maintain a formal SDLC and train technical staff on our security expectations. Training includes review of the OWASP Top 10, Security by Design (SbD) and Privacy by Design (PbD) principles, supply chain security, vulnerability and dependency management, internal policy requirements, and other security concepts and expectations.
  • What are your processes for security code review and secure development lifecycle?
    Kentik maintains a formal SDLC that includes use of security tools and automation to mitigate the risks of insecure or vulnerable code making its way into production environments. All code is subject to peer review, automated and manual testing, CI/CD integration checks, and a staged migration from test environments to the production system. We continuously monitor and enhance our SDLC to ensure it is aligned with industry best practices. More SDLC details are included in our SOC 2 report.
  • Can engineers push code directly to Production?
    All code changes are subject to peer review and tracked in a dedicated project and code management system that includes attribution for changes, support for reverting changes, and the ability to enforce various protections to ensure changes follow steps defined in our SDLC and change control processes. Servers are managed via an Infrastructure as Code (IaC) system to ensure deployment is secure, repeatable, and protected against unauthorized changes or drift.
 

Privacy Questions

  • Does Kentik have a Data Protection Officer (DPO)?
    Kentik has a designated individual within our security and compliance department filling the role of DPO. Questions for our DPO may be sent to privacy@kentik.com.
  • Does Kentik have a breach notification policy?
    Breach notification is included as a component of incident response. Kentik commits to notifying customers of security incidents consistent with relevant data protection law and our signed DPAs, which typically specify a notification period of 48-72 hours following confirmation of a security incident.
  • How long does Kentik store data?
    Our standard retention period for full resolution flow data is 45 days, with 120 days retention for derived statistics (“trending” resolution). Customers may negotiate these retention periods within their signed contract, with the negotiated retention period specified in the signed MSA. For customers using the NMS product, data retention is either set to 3 months or 13 months, depending on the plan tier. Certain data, such as device configurations, is stored as long as you are an active customer. Should you decide to move on, Kentik automatically purges your data from our system. You can also purge your data at any time.
  • Where are your servers located?
    Our U.S. servers are located in several distinct colocation facilities in and around Ashburn, VA. We also offer EU hosting in data centers in Frankfurt, Germany. Customers who wish to use EU hosting should specify this at the time of signing.
  • Can customers control access to features in app?
    Kentik historically supported a tiered permissions structure with user, admin, and super-admin roles. We are moving toward a full role-based access control structure (see Kentik RBAC) where permissions can be managed at more granular levels, which helps our customers better align with the least-privilege principle.
 

Security Details

The tables in the following topics contain information frequently requested by prospective customers to assess security concerns related to their vendors:

 

Data Types

The categories of data that Kentik does and does not collect and store:

Business Critical Information
- IP addresses are exported to Kentik either over HTTPS transport or via unencrypted UDP.
- UDP flow can be encrypted before leaving your site.
- SNMP supports unencrypted and encrypted formats.
- Kentik provides tools to redact portions of IP addresses prior to ingestion.
Intellectual Property
- No packet payload data is exported to Kentik.
Other Sensitive Information
- None. Kentik does not process information typically classified as "sensitive" under data protection laws. Processed information is limited to IP addresses and high-level network information.
Payment Card Information
- No packet payload data is exported from customer environments into Kentik.
Personally Identifiable Information (PII)
- No PII is exported (unless contained in an IP address). No packet payload data is exported.
Protected Health Information (PHI)
- No PHI is exported.
Public Information
- No public information is exported.
Sensitive Digital Research Data
- No packet payload data is exported to Kentik.
Social Security Numbers (SSN)
- No packet payload data is exported to Kentik.
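The IP redaction option referred to in the GDPR answer above and in the Business Critical Information row is the kind of transformation shown in the following added example. It is not Kentik’s tooling: the prefix lengths (a /24 for IPv4, a /48 for IPv6), the record field names and the sample flow records are all constructed for illustration.

```python
# Added example (not Kentik's tooling): truncate IP addresses before export so
# that host bits are dropped while the network prefix still supports analysis.
import ipaddress
from typing import Dict, List

# Assumed prefix lengths to retain; choose them to match your privacy assessment.
V4_KEEP_BITS = 24
V6_KEEP_BITS = 48


def redact_ip(addr: str, v4_keep_bits: int = V4_KEEP_BITS, v6_keep_bits: int = V6_KEEP_BITS) -> str:
    """Zero the host bits of an IPv4/IPv6 address, keeping only the leading prefix.
    Raises ValueError for input that is not an IP address, so garbage is never
    silently passed through un-redacted."""
    ip = ipaddress.ip_address(addr)
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def redact_flow(flow: Dict[str, str], fields=("src_ip", "dst_ip")) -> Dict[str, str]:
    """Return a copy of a flow record with address fields truncated. Ports,
    protocol and byte counts are left untouched: they carry no host identity."""
    out = dict(flow)
    for field in fields:
        if field in out:
            out[field] = redact_ip(out[field])
    return out


# Constructed sample flow records (documentation ranges, not real customer data).
SAMPLE_FLOWS: List[Dict[str, str]] = [
    {"src_ip": "203.0.113.77", "dst_ip": "198.51.100.200", "dst_port": "443", "proto": "tcp", "bytes": "5120"},
    {"src_ip": "2001:db8:abcd:1234::5", "dst_ip": "2001:db8:1:2:3:4:5:6", "dst_port": "53", "proto": "udp", "bytes": "96"},
]


def redact_all(flows: List[Dict[str, str]] = SAMPLE_FLOWS) -> List[Dict[str, str]]:
    return [redact_flow(f) for f in flows]


if __name__ == "__main__":
    for record in redact_all():
        print(record)
```

Truncation is irreversible, which is what makes it a redaction rather than a pseudonymization; the trade-off is that per-host analysis (top talkers, a single compromised machine) is no longer possible on the exported data, so the retained prefix length should be decided with that in mind.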

 

Data Handling

What Kentik does with collected data, and where:

Overview
- Data is sent via UDP or HTTPS to Kentik’s SaaS platform, and is stored, indexed, and made available via the API and portal. Kentik can be configured to generate alerts related to processed data, such as anomalous traffic spikes or poorly performing devices. Alerts can be sent over email, webhooks, or via customer-configured integrations as outlined in Integrations.
Encryption
- Kentik provides mechanisms to ensure that all data can be encrypted in transit to the Platform.
- NetFlow may be sent to a Kentik-provided proxy agent that sits inside the customer’s network and encrypts data bound for Kentik using TLS 1.2+.
- All user communication with Kentik’s platform and SaaS website is encrypted.
- All on-disk customer data across all production systems is encrypted with AES-256, a FIPS 140-2 approved algorithm.
Data segregation
- Each company has an independent database fully partitioned from other customers.
- No databases can be directly altered by customers.
Sub-processors
- Please see https://kentik.com/legal for complete sub-processor information.

 

Compliance

Current compliance-related information:

Compliance reporting
- All customer data is stored in data centers that maintain robust certifications, including SOC 2 and ISO 27001.
Internal/external audits
- Kentik performs annual SOC 2 audits and penetration testing, regular vulnerability assessments (several per month), and maintains continuous membership in a bug-bounty program.

 

Security Monitoring

Information on security-related monitoring:

Audit logging
- We maintain records of system, server, and application behavior that may be relevant to security investigations or forensic purposes. Logs are stored in a dedicated and centralized system and accessible to administrators. The logging system includes security-relevant alerts that are escalated to internal staff via company communications systems.
Event logging and monitoring
- The following are some of the types of events that are logged and monitored:
  - Failed authentication attempts;
  - Unusual data-traffic patterns both internally and externally;
  - Crashing/failed components.
Incident Response Plan
- Kentik has a formalized incident response program in place based on NIST 800-61 that includes annual tabletop testing.
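The following is an added example of the kind of detection that turns logged failed-authentication events into an alert; it is not Kentik’s monitoring logic. The JSON line format, field names, thresholds and the sample events are all constructed for the example and do not describe the schema of Kentik’s Audit Log.

```python
# Added example (not Kentik's detection logic): sliding-window detection of
# password guessing and "success after many failures" over audit-log lines.
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, List, Tuple

# Constructed sample events in a hypothetical one-JSON-object-per-line format.
# Addresses are documentation ranges; the lines are deliberately not time-ordered.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "event": "login", "result": "failure", "user": "alice", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:09Z", "event": "login", "result": "failure", "user": "alice", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:15Z", "event": "login", "result": "failure", "user": "bob", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:20Z", "event": "login", "result": "success", "user": "carol", "src": "203.0.113.9"}
{"ts": "2024-05-01T10:00:31Z", "event": "login", "result": "failure", "user": "carol", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:44Z", "event": "login", "result": "failure", "user": "dave", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:01:02Z", "event": "login", "result": "success", "user": "alice", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:50Z", "event": "login", "result": "failure", "user": "erin", "src": "203.0.113.9"}
{"ts": "2024-05-01T10:03:00Z", "event": "api_token_reset", "result": "success", "user": "carol", "src": "203.0.113.9"}
{"ts": "2024-05-01T10:12:00Z", "event": "login", "result": "failure", "user": "frank", "src": "192.0.2.33"}
{"ts": "2024-05-01T10:18:00Z", "event": "login", "result": "failure", "user": "frank", "src": "192.0.2.33"}
"""


def parse_events(text: str) -> Iterable[dict]:
    """Parse one JSON event per line; timestamps become timezone-aware datetimes."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        yield event


def detect_auth_abuse(events: Iterable[dict], threshold: int = 5,
                      window_s: int = 300) -> List[Tuple[str, str, object]]:
    """Per source IP, keep the timestamps of failures inside the last window_s seconds.
    Raises 'bruteforce' once when a source reaches threshold failures, and
    'success_after_failures' when a source already at the threshold then succeeds,
    which is the event worth paging on (a guessed or stuffed credential worked)."""
    failures = defaultdict(deque)        # src -> recent failure timestamps
    flagged = set()                      # sources already reported for bruteforce
    alerts: List[Tuple[str, str, object]] = []
    for e in sorted(events, key=lambda x: x["ts"]):   # logs may arrive out of order
        if e["event"] != "login":
            continue
        recent = failures[e["src"]]
        while recent and (e["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()             # expire failures that fell out of the window
        if e["result"] == "failure":
            recent.append(e["ts"])
            if len(recent) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append(("bruteforce", e["src"], len(recent)))
        elif e["result"] == "success" and len(recent) >= threshold:
            alerts.append(("success_after_failures", e["src"], e["user"]))
    return alerts


def run_detection() -> List[Tuple[str, str, object]]:
    return detect_auth_abuse(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

In the sample, 198.51.100.7 produces five failures across four different usernames in under a minute and then logs in as alice, so both alerts fire for it; 192.0.2.33 fails twice but six minutes apart, outside the window, and is not reported. Keying on the source address catches a single-origin spray; a distributed credential-stuffing run would need a second rule keyed on the target username.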

 

Security Methodology

Information about the processes used to ensure the security of the application:

Change management program
- Changes are tested via the originating developer, peer reviewers, Continuous Integration (CI) checks, and evaluation in internal, non-production environments.
Data used for development and/or testing
- Raw production data is never used in dev or test environments without formal and explicit customer permission.
Testing and approval of changes for production
- All changes are tested prior to production roll out using a layered approach that includes active and passive checks for unexpected impacts. All changes are approved by an independent reviewer prior to production deployment.
Deployment of changes to production
- Software updates are deployed to production through an automated process and systems that include testing, security verification, logging, and monitoring.
Separation between testing and production environments
- Production environments are physically and logically segregated from non-production environments.
OWASP Top 10 Application Security Risks
- Developers are trained on common security weaknesses, including the OWASP Top 10. Vulnerability assessments and bug bounties check for OWASP Top 10 style issues in the production system and infrastructure.
Threat modeling
- Threat modeling or security architecture reviews are performed for new features and major changes.
Automated source-code analysis
- In addition to peer review, we also leverage tooling to detect possible issues related to security, vulnerabilities, and errors in the codebase.
Third-party developers
- The Kentik Platform is Kentik’s primary business asset, with development conducted and managed in-house. Most developers are Kentik employees, with a small number of Kentik-managed contractors in place to assist with specific projects and scopes of work, or to provide specific skill sets that are otherwise difficult to secure. Whenever contractors are in use, Kentik remains accountable for contractor activity and deliverables, and contractors are managed and subject to oversight under Kentik’s overall security program.
SAML/SSO login
- Both 2FA and SAML2/SSO are supported for customers, and SAML2/SSO is utilized by all backend systems.
Web application vulnerability assessment and penetration tests
- We conduct frequent (multiple per month) vulnerability assessments and annual penetration tests.

 

Infrastructure Security

Information related to security on production servers (application and database):

Infrastructure vulnerability assessment and penetration testing
- We conduct frequent infrastructure vulnerability assessment (several per month) and annual penetration testing.
Patch management
- The Kentik patch management program is based around the severity rating of the flaw, taking into consideration the likelihood of exploitation of the vulnerability, the distribution of the vulnerability across the production environment, and the impact to operations. Remediation deadlines are measured from discovery:
  - Critical severity vulnerabilities must be remediated within 7 days.
  - High severity vulnerabilities must be remediated within 30 days.
  - Medium severity vulnerabilities must be remediated within 60 days.
  - Low severity vulnerabilities must be remediated within 90 days.
User authentication to production
- Users are authenticated via SSH public-key access (RSA/DSS keys) and 2FA through our SSH gateway servers. Note for readers evaluating this control: OpenSSH has disabled DSA/DSS key authentication by default since version 7.0 and has since removed support for it entirely, so RSA (or Ed25519) keys are the ones that remain usable in practice.
Testing, approval, and logging of system changes
- All changes are managed in a dedicated code and project management system that includes support for tracking and reversion of all changes. All changes undergo peer review and formal sign off by an independent party before migration to Production environments.

 

Disaster Recovery

Basic disaster recovery information:

Primary data center (production)
- Located on Kentik's own equipment in Ashburn, VA at Equinix and Deft data centers.
Disaster recovery data centers
- Within our datacenters, Kentik guarantees server-level redundancy and makes a best effort to provide rack- or site-level redundancy where possible.
Recovery time objective (RTO)
- Less than 2 hours.
Recovery point objective (RPO)
- Kentik takes daily backups of platform configuration, yielding an RPO of 24 hours. Backups do not include copies of streaming telemetry, such as NetFlow and SNMP data, as this data is extremely high volume (tens of petabytes across Kentik customers) and is regenerated continuously. Note that streaming telemetry data is redundantly stored/replicated within the primary production environment.
© 2014- Kentik