Security and compliance

Already read Why should I trust you? and wondering about specifics? Read on.

Security, Asset Management, and Data Protection

Before going any further, please review our Security Statement and Vendor Data Protection Requirements. These, combined with the information below should cover most questions. For everything else, please get in touch. Discussing these issues and helping set up and configure secure logging is something we love to do. This document is meant as a starting point, not an ending point, to our conversation. This includes questions and topics that cover confidential and sensitive areas.

Location of Data

The entirety of Papertrail’s systems are located inside the United States. Log data will only be stored outside the United States if a customer attaches an S3 bucket from a non-US region to their Papertrail account. This bucket would be used to store copies of log archives that can be retained for a potentially indefinite amount of time by the customer.

Encryption

Please see our security statement.

Can Papertrail staff see our data?

Access to the datastore is restricted to a very small number of people, and there’s no way for us to “impersonate” or view customer log data via an account switcher interface or see it through the admin UI (see It’s your information). In cases where we need log data for troubleshooting purposes, we’ll either request a couple of sample lines or get your explicit permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time). Access to our own infrastructure is logged and we get notified when password changes take place.

When and how is stored data deleted?

On account closure, data is deleted, automatically. Archives are removed from Papertrail’s bucket after 7 days (free accounts) or 1 year (paid accounts). Searchable log data is removed when the retention period has passed. If sensitive data was inadvertently logged, it can be deleted by account members or, on request, by Papertrail staff. Ask us for help.

Security and Vulnerability Testing and Prevention

See our Security Statement for information related to our Software Development Lifecycle.

Bug Bounties

We’re interested in actual security, so if someone reported what we felt was both:

  • A serious vulnerability (and not just a low/zero-risk XSS), and
  • Discovered during routine use of the service as an actual user – not via a pen test, which would have been unauthorized

…we’d look kindly on that and might consider sending a thank-you bonus.

Region-specific policies

Privacy Shield

SolarWinds is Privacy Shield compliant. More information about the steps we’ve taken can be found here.

General Data Protection Regulation (GDPR)

SolarWinds is GDPR compliant. See the SolarWinds GDPR Resource Center for more information about the steps we’ve taken to reach compliance as well as resources for understanding GDPR.

Data Protection Addendum (DPA) and execution

We are able to sign a Data Processing Agreement (DPA) for compliance with the European Union’s Data Protection Directive (EU DPD–sometimes called “model clauses”). We’ve aimed to make this as self-service as possible and have provided a pre-signed, GDPR-compliant DPA for download here. Send the completed form as a PDF to privacy@solarwinds.com.

Submitting a Data Subject Request

Information on how to submit a GDPR Data Subject Request can be found here. With regards to second-party requests see Purging logs for how to remove searchable logs from Papertrail. Do not 2nd-party requests via email. They will not be honored.

Limiting Archive Rentention

Please email us if you need to limit the duration in which Papertrail stores log archives.

Australia’s Privacy Act

Papertrail isn’t compliant with Australia’s Privacy Act requirements for cloud providers, so if your systems need to log personal information from Australia, Papertrail is likely not the best solution. For questions on any other countries, please reach out - we’re always happy to talk about setting up logging safely.

Based on the Australian Privacy Principles, we do not:

  • certify that our privacy policy meets the requirements in the APPs,
  • certify that data shared with 3rd parties as defined in our Privacy Policy oblige by the APPs,
  • have a formal process for Australians to request stored personal data and submit corrections of said data, nor
  • have a presence in Australia for sensitive data that needs to remain within the borders (all data is currently stored within the United States).

Certifications

SOC 2

Papertrail isn’t itself SOC2 compliant, but our datacenter provider is. To review their report, please contact us and we’ll work with you. Including contact information and the reason for the request (for example, a requirement of a certification process) will speed things up.

PCI

Because PCI compliance is based on what’s being logged and how it’s used, there’s no one answer to this question. Papertrail follows PCI best practices with regards to the encryption and transmission of credit card information and does not store this information on our servers. Papertrail log intake and storage isn’t designed or implemented specifically to meet PCI standards, but it can be a tool that makes it easier to meet the log-related portions of PCI DSS. For example, Papertrail’s archives can often be used to satisfy the log retention requirements, and since it’s a hosted service, it may also satisfy the untrusted third-party/log mutability requirements. For both general security and enhancing compliance, we always recommend obscuring identifiable information before logging so that it’s not recoverable without access to another system.

HIPAA

Papertrail was designed for functionality and security, but not for compliance with a specific regulation. There’s some overlap between “security” and HIPAA’s requirements, but not complete overlap. Since Papertrail has no way to determine what data is or isn’t PII, we’d have to treat all log data differently, which we haven’t yet found a good solution for.

Additionally:

  • HIPAA puts a huge amount of responsibility on the provider.
  • There’s no way to craft a custom BAA that mitigates that. Normally we’d try to come up with something that thoughtfully explains each party’s responsibilities, but HIPAA makes that impossible. One party or the other is responsible and the wording of the BAA doesn’t matter much.
  • Because it’s not feasible for us to take complete legal responsibility for your PII, it’s also not feasible to sign a BAA.

If HIPAA compliance is a requirement, Papertrail may not be a good fit, but we’re happy to continue the conversation in more detail if you have more questions about the possibility of logging safely from a HIPAA-covered environment. Notably, if the focus is on server behavior and performance, and data is de-identified or anonymized, HIPAA compliance may not be required and Papertrail could serve those logging needs.

ISO 27001

Not specifically. We opted to spend our time and collective years of experience and knowledge making the product secure and useful, rather than doing a certain set of tasks to check off boxes to get a certification like ISO 27001.