SentinelOne Security Statement
In addition to creating the world’s most advanced endpoint protection Solutions, we are also dedicated to protecting all the data that we collect from subscribers to the Solutions, in accordance with industry best standards and practices. Our customers demand the highest levels of data security, and many have tested our Solutions to verify that they meet their standards. We have surpassed expectations and received high praise from some of the most sophisticated, security-minded organizations in the world.
We recognize that our customers’ information must be well managed, controlled and protected. To that end, we have a dedicated security team that oversees SentinelOne’s information security program, which encompasses high-quality network security, application security, identity and access controls, change management, vulnerability management and third-party pentesting, log/event management, vendor risk management, physical security, endpoint security, governance & compliance, people/HR security, disaster recovery and a host of additional controls.
Among other things, our servers are protected by high-end firewall systems; scans are performed regularly to ensure that any exposed vulnerabilities are quickly found and patched; complete penetration tests are performed yearly; customer data is processed and stored at a specific location known to the customer within a specific region such as North America, Europe or Asia; access to systems is restricted to specific individuals based on “need to know” principles and is monitored and audited for compliance; we use Transport Layer Security (TLS) encryption (also known as HTTPS) for all customer data transfers; and customers can elect to have all their data encrypted at rest.
Our Solutions are hosted by AWS, which is independently audited using the ISO 27001 and SOC3 Type II Standards as described here. To ensure that we maintain the highest possible levels of information security, SentinelOne has procured the auditing services of reputable third-party auditors and audits its information security practices annually under the ISO 27001 Standard. SentinelOne is also working on a FedRAMP compliance program, with full certification expected in mid-2019.
Finally, if you are a customer, we ask that you ensure that your administrators of the Solutions follow sound security practices in maintaining access credentials to your instance of the Solutions, including strong account passwords and restricting access to your accounts to authorized persons. If you become aware of a compromise of any of your account credentials, we ask that you notify us immediately by contacting our Support Team.
SentinelOne has certified its compliance with the E.U.-U.S. and U.S.-Swiss Privacy Shield Frameworks since February 2018. Compliance with these Frameworks provides companies with assurance that Personally Identifiable Information (PII) transfers between Europe and the US are done under specific rules, and that protection of PII is robust.
As a participant in the Frameworks, we ensure compliance with all Privacy Shield Principles of Notice, Choice, Onward Transfer, Security, Data Integrity/Purpose Limitation, Access, and Recourse/Enforcement. See SentinelOne’s certification under the Privacy Shield Framework.
SentinelOne provides endpoint protection Solutions that collect and process various datasets equally, without regard to how a customer might classify their data. Any processing of specific data types is purely incidental, and not required to use the Solutions. SentinelOne does not collect any Non-Public Information (NPI) as defined in GLBA.
SentinelOne has designed and implemented an elaborate information security program to protect its customers’ data in accordance with GLBA’s Safeguard Rule, and is now compliant with the Rule.
ISO 27001 Certification
In September 2018, SentinelOne achieved its ISO/IEC 27001:2013 certification, which affirms SentinelOne’s commitment to and maintenance of the highest levels of information security.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and improving the information security management system within the organization.
The SentinelOne ISO/IEC 27001:2013 certification was issued by Schellman & Company LLC following an exhaustive audit process: view the SentinelOne certificate. You may also independently verify the status of the certification.
SentinelOne provides endpoint protection Solutions that collect and process various datasets equally, without regard to how a customer might classify their data. As such, SentinelOne does not treat any specific dataset processed by its Solutions as Personal Healthcare Information (PHI) under HIPAA and/or HITECH. Any processing of specific data types is purely incidental, and not required to use the Solutions. SentinelOne does not collect any PHI in providing its Solutions to customers.
SentinelOne has implemented a host of information security controls to protect all customer data it processes on behalf of its customers in accordance with HIPAA’s Privacy and Security Rules, and to ensure confidentiality, integrity, protection against anticipated threats, workforce management, and access controls, among a host of technical, administrative and physical safeguards. As such, SentinelOne is now HIPAA compliant and able to enter into business associate agreements to such effect. For more information about SentinelOne’s Business Associate Agreement (“BAA”), please contact SentinelOne’s privacy team at [email protected]
SentinelOne has implemented a range of privacy and security controls across the organization to ensure compliance with the General Data Protection Regulation (GDPR) by the May 2018 deadline.
Among other things, SentinelOne has trained its employees and established an ongoing training program, added a host of technical security measures, mapped PII storage throughout the organization, defined appropriate access right limitations, ensured that individual access/portability/right-to-be-forgotten rights are respected, appointed a Data Protection Officer (DPO), entered into Data Processing Addendums (DPAs) with relevant data processors, and offers to enter into DPAs with EU-based customers subscribing to the Solutions at certain pricing levels.
SentinelOne is committed to continued compliance with GDPR and all other relevant privacy regulations for the benefit of its customers. Contact us for more information about our privacy program.
How SentinelOne Can Help Your Organization’s Compliance Needs
Privacy Shield Compliance
The SentinelOne Solution, including automated EDR, Deep Visibility, Static and behavioral AI, and Vigilance automated SOC, can help your organization achieve compliance with Privacy Shield Principle Number 4, which requires that organizations creating, maintaining, using or disseminating personal information take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
The SentinelOne malware Solution can help your organization achieve compliance with PCI DSS Requirement Number 5, which requires that organizations use and regularly update anti-virus software or programs on all systems commonly affected by malicious software.
For more information about how SentinelOne can help your organization’s PCI compliance, read the Tevora PCI and HIPAA Whitepaper.
The SentinelOne malware Solution can help your organization achieve GLB compliance under the Safeguard Rule, which requires that financial institutions under FTC jurisdiction have measures in place to keep customer information secure and in accordance with the FTC compliance instructions, which require financial organizations to use anti-virus and anti-spyware software that updates automatically.
The SentinelOne Solution can help your organization achieve GDPR compliance with the data protection by design and by default requirement in Article 25; with the security of processing requirement in Article 32, which requires applying technical and organizational measures for data processors; and with Articles 33 and 34, which apply specific requirements for breach notification, assessment and remediation.
For more information about how SentinelOne can help your organization’s GDPR compliance, read the SentinelOne GDPR Datasheet.
The SentinelOne Solution can help your organization achieve compliance with the HIPAA Security Rule, which requires that organizations use and regularly update anti-virus software or programs on all systems commonly affected by malicious software.
The SentinelOne Static and behavioral AI can help your organization to detect and respond to malware attacks.
The SentinelOne Vigilance automated SOC services can add another level of security to your organization, by offering the services of security experts that can proactively help your organization detect and respond to threats.
For more information about how SentinelOne can help your organization’s HIPAA compliance, read the Tevora PCI and HIPAA Whitepaper.