Security at Immuta

Five years ago, data teams were siloed and focused on helping users find and query more data. But today, data consumers exist across organizations and are going much further — transforming data, collaborating with cross-company teams, and creating new data products, models, and pipelines at a rapid pace. This new era of democratized data use is driving unprecedented adoption of cloud platforms and data exchanges, but the future has to be secure and compliant.

Matthew Carroll CEO at Immuta

Key Security Features

Immuta’s platform security controls, processes, and procedures are designed to meet business objectives while containing risk. Commitments relative to security controls are documented and communicated in agreements with clients and third-party service providers. Operational requirements supporting security controls are communicated in the Company’s policies and procedures, system design documentation, and contracts with clients and third-party service providers. Those security controls include, but are not limited to:

  • Formalized policies and procedures
  • System logging and monitoring
  • Vulnerability and Patch management
  • Antivirus/antimalware software
  • Identity and access (logical and physical) management
  • Multi Factor authentication
  • Secured remote access
  • Firewall and network security group management
  • Backup management
  • Incident management and response, including contracted third-party industry response experts

Compliance and Regulations

Immuta SaaS
Services & the GDPR

Under the GDPR, Immuta acts as both a data processor and a data controller.

Immuta Data Processing Agreement
Immuta as a Data Processor

When licensees use Immuta SaaS services to manage access to licensee personal data, Immuta acts as a data processor. Licensees may act as data controllers or data processors, and Immuta acts as a data processor or sub-processor. Immuta contractual terms incorporate Immuta’s commitments as a data processor. Our security controls are described below and our list of sub-processors is available here.

Immuta as a Data Controller

When Immuta processes personal data and determines the purposes and means of processing that personal data, it acts as a data controller. As a data controller in relation to Immuta SaaS services, Immuta usually processes account information for account registration, administration, billing, and fraud prevention, as well as usage data for service optimization, service improvement, and fraud prevention.

For more information about how Immuta processes personal data as a data controller, see Immuta Privacy Notice.

List of Subprocessors

Last Modified: February 20, 2024

Immuta, Inc. (“Immuta”) uses certain Subprocessors (as listed below) to assist it in providing the SaaS Services as described in the written agreement you have with Immuta (“Agreement”). You will be notified by email when we add new Subprocessors.

What is a Subprocessor?

A Subprocessor is a third party utilized by Immuta to deliver its SaaS Services as a data processor. Immuta engages different types of Subprocessors to perform the various services explained below.

Process to Engage New Subprocessors

Prior to the addition or change of any Subprocessors described in this policy, Immuta shall provide notice to Licensee through emails no less than thirty (30) days prior to the date on which the Subprocessor shall commence processing personal data. Licensee can object in writing to the processing of its personal data by a new Subprocessor within ten (10) days after the reception of the email and shall describe its legitimate reasons to object. If Licensee does not object during such time period, the new Subprocessor(s) shall be deemed accepted.

During the Objection Period, objections (if any) to Immuta’s appointment of the new Subprocessor must be provided to Immuta in writing and based on reasonable grounds relating to data protection. In such an event, the Parties will discuss those objections in good faith with a view to achieving resolution. If it can be reasonably demonstrated to Immuta that the new Subprocessor is unable to process Licensee personal data in compliance with agreed terms and Immuta cannot provide an alternative Subprocessor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Licensee, as its sole and exclusive remedy, may provide written notice to Immuta terminating the offering with respect only to those aspects of the Services which cannot be provided by Immuta without the use of the new Subprocessor.

The following is an up-to-date list (as of the date mentioned below) of the names and locations of Immuta’s Subprocessors (including members of the Immuta Group and third parties):

Third Party Subprocessors

Immuta utilizes AWS cloud service provider to host Immuta SaaS services. Licensee metadata, such as data dictionaries, policy-related data, user data, and audit logs will thus live in an AWS environment, in the Immuta geographical region selected by Licensee, which could be Immuta APJ, EU or US.

Entity Name Purpose Location of Processing
Amazon Web Services, Inc. Host Immuta’s SaaS services in the region elected by customers. In region
Elasticsearch Inc. Manage audit service in the region elected by customers. In region
Datadog Inc. Manage security logs. US
Google LLC Communicate with customers. US
Zoom Video Communications, Inc. Communicate with customers. US
Slack Technologies LLC Communicate with customers. US
Salesforce, Inc. Manage customer support platform through Salesforce Service Cloud. US
Immuta Group Subprocessors

Immuta works with a few third parties to support specific services within its overall SaaS offering. These providers are Subprocessors, as they may have access to personal data related to Licensee’s authorized users.

Entity Name Purpose Location of Processing
Immuta Ltd Perform customer support tasks. UK
Immuta Pty Ltd Perform customer support tasks. Australia

Security Controls at Immuta

Infrastructure Security

Immuta is cloud-native, including all our supporting cloud computing infrastructure and our software solution (Software-as-a-Service).

Our cloud computing infrastructure is provided by Amazon Web Services (AWS). This infrastructure is built and managed not only according to security best practices and standards, but also with the unique needs of the cloud in mind. AWS uses redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24×7.

Every 24 hours we make a backup which we keep for 7 days. In case of an incident, we can restore this backup immediately.

Physical Security

We rely on AWS for the physical security of our supporting cloud computing infrastructure. We also take physical security measures for our own offices (such as badge access and video surveillance).

Product Security

We have a clearly defined process for creating high quality software, ensuring that our software is well tested and ready for production use before we roll out our software.

We take security measures to protect our software solution from cyber attacks and to detect fraudulent or malicious activities. Our software is monitored and protected by an industry-leading continuous process of cloud security improvement and adaptation which includes active defenses against known and unknown attacks. In addition, we also have periodic security measures carried out by a qualified external party (such as penetration testing).

We also take many other security measures to ensure that your data is safe (such as encrypting your data both at rest and in transit, restricting access based on roles and attributes, applying the need-to-know principle, requiring strong passwords and multi-factor authentication, monitoring logs, etc.).

Data Security

We always process your data in accordance with the applicable legislation, both in terms of security and data protection. Every other party we work with also complies with the applicable legislation through the agreements we conclude with them.

We do not keep your data longer than necessary. We will hold your data for as long as you request our services. In case of termination, we will delete your data 90 days after the termination. In the case of a trial period, we will retain your data for 90 days after the trial period ends, unless you request that we delete your data sooner.

Our software solution is set up in the same region as your infrastructure and thus does not cross regional lines.

We only access your data on request or with your permission.

Attestation & Certification

We can demonstrate that we have appropriate controls in place to mitigate security, availability, confidentiality, processing integrity, or privacy risks.

Our security measures are audited annually by an independent and external party. If you need more information or if you would like to receive a copy of our SOC2 or SOC3 report, please contact us: [email protected]

Ready to get started

If you believe you’ve discovered a bug in Immuta’s security, please get in touch at [email protected] . Please do not email sensitive data. A member of the Office of the CISO will contact you directly for any required follow-up. We request that you not publicly disclose the issue until we have had a chance to address it.

Get in touch