Security
Platform Security Overview
At Synack we have not only built a world-class Penetration Testing as a Service (PTaaS) platform with security instilled from the very beginning, but have also taken the best aspects of security and compliance and melded them into a robust program. This is evident in how we handle sensitive customer data, manage upgrades, patch management, code releases, and operational security practices, incorporating relevant security, policy, and evaluation frameworks such as OWASP, CREST, ISO 27001, FedRAMP Moderate, and other best practices and meaningful standards.
- Secure Hosting. Our hosting infrastructure leverages multiple independent service providers, including Google Cloud Platform, that are PCI DSS Level 1 and ISO 27001-certified, SSAE 16-audited, and maintain robust physical security with no public datacenter access.
- Confidentiality. Data is protected using encryption in transit with high-grade TLS and encryption at rest with 256-bit AES. Encryption keys are securely stored in separate locations.
- Availability. Services are provided from multiple US geographic regions with automatic failover between sites.
- Data Integrity & Backup. Backups are maintained in encrypted form only.
- Authentication. Multi-factor: our SaaS platform provides multi-factor authentication capabilities to our clients as an enhanced security measure. Single sign-on (SSO) integration is available with enterprise identity providers via SAML 2.0.
- Continuous Monitoring & Offensive Management. The Synack Red Team (SRT) provides a continuous offensive assessment of our applications and infrastructure. We leverage a combination of SRT, third-party providers, and technology platforms to maintain situational awareness.
Certifications & Third-Party Attestations
ISO 27001:2022 is a framework that provides a set of standardized requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within an organization. The goal of an ISMS based on ISO 27001 is to help organizations manage and protect their information assets, ensuring confidentiality, integrity, and availability.
FedRAMP Moderate is a U.S. Government program defined by the Federal Risk and Authorization Management Program (FedRAMP). It represents a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, and defines a baseline of security controls suitable for cloud services that handle personally identifiable information (PII) and sensitive but unclassified (SBU) information. Cloud Service Providers (CSPs) at the FedRAMP Moderate authorization level must implement a baseline set of 323 security controls defined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.
TX-RAMP Level 2 is a state-wide initiative created by the Texas Department of Information Resources (DIR) to establish a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of Texas state agencies and higher education institutions. It applies to cloud computing services as defined by Texas Government Code, Section 2054.0593(a).
IASME Cyber Essentials is a UK government-backed cybersecurity certification scheme designed to help organizations of all sizes protect themselves against common cyber threats. IASME (Information Assurance for Small and Medium Enterprises) is one of the National Cyber Security Centre’s (NCSC) official delivery partners for the Cyber Essentials scheme. It centers around five key security controls that, when implemented correctly, can prevent a large percentage of cyber attacks.
CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security industry. Service providers have to meet rigorous standards for business processes, data security, and testing methodologies. This gives clients assurance that they are working with a reputable and competent organization.
Privacy Shield
Synack complies with the U.S.-E.U. and U.S.-Swiss Privacy Shield frameworks as set forth by the U.S. Department of Commerce (the “Privacy Shield”) regarding the collection, use, and retention of personal data (as defined by the Privacy Shield) from the European Union and Switzerland.
Trust Center
Synack has established a Trust Center that further solidifies Synack’s commitment to our customers of transparency, trust, and leading change within the cybersecurity industry. You can quickly pull down policies, procedures, certificates, questionnaires, and any other security and compliance related information. Request access today: trustcenter.synack.com
Responsible Disclosure
To report a security vulnerability, please visit https://www.synack.com/vdp/synack/.
A successful submission may result in an invitation to join the Synack Red Team.