Guru has been built from the ground up with security in mind. Our founding team has decades' worth of experience building cloud data integration systems for some of the largest enterprises in the world, with industry-leading security measures.
Guru uses an independent third party to conduct a SOC 2, Type II audit on its knowledge management system. This audit covers the SOC 2 Common Criteria and the Confidentiality and Privacy trust services criteria. We’re happy to share this report with clients or prospects with a signed non-disclosure agreement on file.
Guru fully adheres to the spirit and the letter of the EU’s General Data Protection Regulation (GDPR). By developing policies and mechanisms to address data subject rights and third party contractual obligations, Guru meets the requirements called out by the US Department of Commerce Privacy Shield program. Find us here.
Guru does not process PCI data, but uses a third party for payment processing. Accordingly, Guru completes an annual Self-Assessment Questionnaire (SAQ A-EP) and uses the Trustwave "Trustkeeper" program to run monthly network scans against all of Guru's public-facing connections.
Guru takes the data handling of our EU customers seriously. Before the GDPR became enforceable in May 2018, we'd already added multiple processes to our security control framework and required our subprocessors to commit to security minimums through Data Processing Agreements. We're ready to meet data subject requests wherever and whenever they happen.
We have a control framework based on the Center for Internet Security Controls, covering a wide compliance spectrum and ensuring we’re focused on the right things. We have nine separate policies that govern the following:
The program is run by a dedicated risk and compliance manager who works in tandem with executive leadership and subject matter experts to codify procedures and ensure execution.
Guru hires an independent audit firm to conduct an annual SOC 2, Type II audit, which includes not only the Common Criteria, but the Confidentiality and Privacy trust services criteria too.
Yes. We look at changes in the product line, the regulatory environment and the cyber threat landscape. We assign risk scores and document an executive leadership review at least quarterly. These steps are verified in the annual SOC 2 audit.
Guru's infrastructure is hosted exclusively on Amazon Web Services (AWS), and all data in transit and at rest is encrypted using current protocols (specifically TLS v1.2 and AES-256).
Guru ingests and uses customer data in slightly different ways depending on how the service is configured, but here is a very high-level explanation of how the system works.
Customer data is stored in multi-tenant datastores and assigned a unique tenant token, which prevents one customer from accessing another customer's data.
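To illustrate the tenant-token isolation described above, here is an added example of a tenant-scoped datastore; it is not Guru's code and does not describe Guru's actual implementation. The in-memory store, the record shapes and the tenant names are constructed for the example. The point it shows is that every read and write is keyed by the tenant bound to the caller's token, so a record id belonging to another tenant is simply not visible, and an unknown token is rejected before any lookup happens.

```python
"""Tenant-scoped data access (added illustration, not Guru's code).

Every operation resolves the caller's token to a tenant first and keys
the datastore by (tenant_id, record_id), so cross-tenant reads and
overwrites are impossible by construction rather than by convention.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    tenant_id: str
    record_id: str
    body: str


class TenantScopedStore:
    """A multi-tenant datastore where the tenant is part of every key."""

    def __init__(self) -> None:
        # (tenant_id, record_id) -> Record; two tenants may reuse the same record_id safely.
        self._records: Dict[Tuple[str, str], Record] = {}
        # tenant token -> tenant_id; tokens are random, so they cannot be derived from a tenant name.
        self._tokens: Dict[str, str] = {}

    def issue_token(self, tenant_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = tenant_id
        return token

    def _tenant_for(self, token: str) -> str:
        # Unknown tokens fail closed before any data is touched.
        try:
            return self._tokens[token]
        except KeyError:
            raise PermissionError("unknown tenant token") from None

    def put(self, token: str, record_id: str, body: str) -> None:
        tenant_id = self._tenant_for(token)
        self._records[(tenant_id, record_id)] = Record(tenant_id, record_id, body)

    def get(self, token: str, record_id: str) -> Optional[Record]:
        # The tenant comes from the token, never from the caller-supplied record id.
        tenant_id = self._tenant_for(token)
        return self._records.get((tenant_id, record_id))

    def list_for_tenant(self, token: str) -> List[str]:
        tenant_id = self._tenant_for(token)
        return sorted(rid for (tid, rid) in self._records if tid == tenant_id)


def demo() -> dict:
    """Two constructed tenants share one store; each sees only its own records."""
    store = TenantScopedStore()
    tok_a = store.issue_token("tenant-a")
    tok_b = store.issue_token("tenant-b")
    store.put(tok_a, "card-1", "Tenant A's onboarding checklist")
    store.put(tok_b, "card-1", "Tenant B's card with the same id")  # no collision
    store.put(tok_b, "card-2", "Tenant B's pricing notes")
    rec_a = store.get(tok_a, "card-1")
    return {
        "a_sees_own": rec_a is not None and rec_a.body.startswith("Tenant A"),
        "a_sees_b_card2": store.get(tok_a, "card-2") is not None,
        "a_list": store.list_for_tenant(tok_a),
        "b_list": store.list_for_tenant(tok_b),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the tenant identity is taken from the authenticated token on the server side and made part of the storage key; a per-query "remember to filter by tenant" convention is the usual place multi-tenant isolation fails.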
Production access is limited to a small group, and is granted through explicit signed permission from the CTO. An account review is done quarterly and documented accordingly.
In addition to AWS, Guru uses some third parties to perform certain components of its operations. Only vendors who have successfully demonstrated sufficient security capabilities and commitments are authorized to support the Guru system.
Any vendor with the potential to access sensitive client data is required to provide an external audit or, at a minimum, submit to a risk interview and demonstrate best security practices. These artifacts are refreshed annually to ensure no lapse in oversight. Moreover, each vendor is required to sign a Data Processing Agreement and contractually commit to data security practices.
Our public-facing network is scanned monthly using Trustwave's Trustkeeper software, and our application containers are scanned through AWS prior to deployment to discover and address vulnerabilities.
Both the desktop and mobile applications are pen tested quarterly by an independent third party.
We replicate data to our disaster recovery site hourly and maintain a redundant database in a separate geographic zone from the primary. We run a daily integrity check on that backup to make sure it is usable if needed. The recovery point objective is 1 hour, with a recovery time objective of 24 hours.
Guru maintains a comprehensive incident classification and response procedure, rehearsing potential incidents twice annually through a formal tabletop exercise. Participants capture lessons learned and constantly strive to make the program better. Though highly unlikely, any data breach would be communicated to a client’s Guru administrator within 24 hours of confirmation.
Security is built into the coding process, and a number of checks are performed to validate new code prior to deployment. Guru's developers also undergo specialized security training to address common vulnerabilities such as Cross-Site Scripting and SQL injection.
Guru fully respects both established and emerging privacy regulations and has created the necessary processes to support the rights of data subjects. Guru offers a Data Protection Agreement and contractually agrees to support any and all emerging privacy regulations as they apply to the service. Third parties are also required to document their security commitments consistent with laws and regulations.
He worries about security so that you don't have to.
Learn more about Wes's role in security at Guru on our blog.