Security

When we started Evident.io, the first thing we did was plan for security. Unlike companies who put the product first, we put our customers ahead of everything else. It’s your data, and we’re the vigilant guardians protecting it. Expect nothing less from a true modern security organization.

The Evident Security Platform (ESP) exceeds industry standards when it comes to security practices. We make “the other guys” blush when compared head-to-head in enterprise security audits, and that makes us proud. Go ahead, put us through the gauntlet. We love it.

Data collected by ESP:

Evident Security Platform collects metadata describing your AWS infrastructure and assembles a global security picture to provide your organization with everything it needs to mitigate existing and future threats against your cloud infrastructure. This data collection is controlled by an IAM security policy that is owned by the customer organization and updated frequently as AWS evolves. This read-only policy allows us to make basic informational API calls such as Describe and List, which is enough to build a full picture of your environment without granting us access to read the actual data inside it. We cannot modify your resources at any time under this policy; in fact, we'll alert you should you accidentally add those kinds of rights to the policy attached to our service role. That's how serious we are about protecting your cloud.
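The kind of check that paragraph describes, as an added illustration (this is not Evident.io's own policy or alerting code): given an IAM policy document attached to a scanner role, flag every granted action that goes beyond metadata reads. The treatment of Describe/List/Get verbs as read-only, the list of Get-style actions that return customer data rather than configuration, and the sample policy are all assumptions constructed for the example, not AWS-defined categories.

```python
"""
Flag IAM policy actions that exceed the read-only metadata calls a
cloud-scanner role should have. Added example; the action classification
is an assumption for illustration, not an AWS-defined category.
"""
import json

# Assumption: verbs with these prefixes are treated as metadata reads
# (the "Describe and List" style calls a scanner needs).
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

# Assumption: Get-style actions that return customer data rather than
# configuration. A metadata-only role must not be granted these.
DATA_PLANE_READS = {
    "s3:GetObject",
    "dynamodb:GetItem",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "kms:Decrypt",
}


def is_read_only(action: str) -> bool:
    """True if the action is a metadata read; wildcards and data reads are not."""
    if action in DATA_PLANE_READS:
        return False
    service, sep, verb = action.partition(":")
    if not sep or service == "*" or verb == "*":
        return False  # "*", "ec2:*" and "*:Describe*" are all too broad
    return verb.startswith(READ_ONLY_PREFIXES)


def check_policy(policy: dict) -> list[tuple[str, str]]:
    """Return (Sid, action) pairs for every Allow-ed action that is not read-only."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement-{i}")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        if "NotAction" in stmt:
            # NotAction grants everything except what is listed: always over-broad here
            findings.append((sid, "NotAction:" + json.dumps(stmt["NotAction"])))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not is_read_only(action):
                findings.append((sid, action))
    return findings


# Constructed sample policy: a read-only statement plus a "drifted" one
# that accidentally adds a write action and a data-plane read.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MetadataOnly",
      "Effect": "Allow",
      "Action": ["ec2:Describe*", "iam:List*", "s3:ListAllMyBuckets", "s3:GetBucketPolicy"],
      "Resource": "*"
    },
    {
      "Sid": "Drift",
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances", "s3:GetObject"],
      "Resource": "*"
    },
    {
      "Sid": "ExplicitDeny",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
""")

if __name__ == "__main__":
    for sid, action in check_policy(SAMPLE_POLICY):
        print(f"ALERT: statement {sid} grants non-read-only action {action}")
```

Running it against the sample policy reports the two actions in the "Drift" statement and nothing from the read-only or Deny statements. Any real check should also be run against the effective permissions of the role (attached managed policies, inline policies and permission boundaries), not a single document.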

Data Handling:

Your data is encrypted at all touch points in our infrastructure: at collection, where requests are HMAC-SHA256 signed and authenticated with STS temporary credentials; in processing, where it is encrypted in flight and on disk; and at rest in the database, where it sleeps in encrypted harmony. We use every sensible mechanism to protect your data. Even your session to view the dashboard and alert data is protected by TLS 1.2. Sorry, IE6 users.

Customer Access to Data:

We make sure our platform is open and available for customers to obtain their data via various methods, and then get it where it needs to be in order to be most effective. This means you have multiple vehicles to choose from, all of which are tightly secured and monitored by our security operations team.

When it comes to using the ESP Console, we encourage (sometimes forcefully) users to diversify their security measures and layer them. For example, we support MFA but don’t turn it on by default. That doesn’t mean we won’t send you the occasional nag email to ask you to enable it — it’s for your own good. We’re like a caring mother, who also happens to know a lot about protecting the cloud. Many users have commented on our 12-character minimum password with complexity requirements… We require some base level security for your own good, and for the safety of your organization’s data. Mom’s always right. Remember?

Payment Information & PCI Compliance:

Our complete payment system is actually Stripe, which is PCI Service Provider Level 1 certified and awesome. So swipe away with that credit card; it's safer than any gas pump, pizza joint, or big-box store you've visited recently.

Datacenter Facilities:

Our platform is operated in secure computing facilities owned by Amazon Web Services (yes, we’re a customer too!) and subject to their underlying security protocols. You can learn more about their 20+ achieved certifications on the AWS Compliance Page.

Our Team:

None of these security measures are worth squat without the right humans backing them up. We not only put together a team of the most sophisticated cloud security professionals on the planet, but we continue to challenge them through training and continued education. Nobody invests more time in improving the collective intelligence of their cloud security team than we do.

Our Affiliations and Partnerships:

We forged a strong alliance with AWS before we ever existed as Evident.io. We've carried that partnership through to the highest level recognized by AWS today: Advanced Technology Partner, with special recognition for Security Competency.

We also go beyond the ecosystem and spend time improving security for the whole industry as it migrates to the cloud. We are a proud sponsor corporation and contributing member of the Cloud Security Alliance, and a member of the PCI Security Standards Council.

We bring all of these together to provide our customers with the latest in security awareness, leading-edge practices to protect against 0-day attacks, and the freshest security insights on emerging technologies. By actively participating in and shaping the future of our industry, we ensure that our customers' needs are not only met, but exceeded.

Responsible Disclosure and the Security Community:

Evident.io operates a bug bounty program through HackerOne, which is private and requires security researchers to be invited to participate. If you would like to report a security vulnerability to Evident.io or discuss an issue you have identified, please follow this process:

  1. Go to the HackerOne website (https://hackerone.com/)
  2. Sign up for a HackerOne account
  3. Send an email to security@evident.io with your HackerOne username and the email address associated with your account so we can add you to our bug bounty program
  4. Once invited to the Evident.io bug bounty program, go to https://hackerone.com/evident and submit your bug report
  5. Wait for a response from the Evident.io security team

Thank you in advance for your participation in protecting our platform’s users.

Our Public Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1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=wzF1
-----END PGP PUBLIC KEY BLOCK-----