Cluvio Security & Privacy Overview

Architecture and Hosting

Cluvio is a software-as-a-service platform for data analytics. This document outlines the security architecture of Cluvio as well as topics related to the security of database connections and your data.

The Cluvio platform is deployed and runs on Amazon Web Services in the eu-central-1 region of AWS, located in Frankfurt, Germany. Cluvio uses third-party services such as Recurly (billing), Elev.io (in-app help), Sendgrid (email), PaperTrail (logging), PagerDuty (alerting), and Sentry, Pingdom and New Relic (monitoring).

Cluvio follows a set of best practices to ensure system security and data privacy:

  • Share-nothing/stateless approach to services
  • Multi-layered approach to system security and system/data access
  • Strong encryption of data in transit and at rest
  • Auditing of all operations, i.e. all changes can be attributed to a user account
  • Continuous monitoring both from inside and outside

Here is a basic overview of the Cluvio architecture, showing its role as a mediator for data access and visualisation.

Database connection security

To be able to run the queries that power the analytical reports, Cluvio needs access to your database or data warehouse. Cluvio supports all the widely used approaches to securing data access that have evolved over the last 10 years of increasing use and acceptance of cloud BI tools. This applies both to connections to cloud-hosted databases (AWS RDS, Redshift, Snowflake, Google Cloud, BigQuery, Cloud Spanner, Microsoft Azure) and to databases installed on your own servers, whether on cloud providers or on dedicated hardware behind a firewall. Concretely:

  • Restricting access at the firewall to Cluvio's IP addresses and to the database's specific port number.
  • Using transport-layer security (TLS) for database connections, where the database supports it.
  • Using an SSH tunnel to proxy access to the database.
  • Encouraging the use of a Cluvio-specific read-only database user, so that the operations Cluvio can perform on the database are controlled precisely.

More details can be found in the Cluvio Documentation.

How Cluvio uses data in your database

Cluvio analytics are based on SQL, and Cluvio therefore performs no operations on the database other than running specific SQL queries to retrieve database metadata and running SQL queries, at the request of an authenticated and authorized user, to fetch the data that underlies the analytical reports.

The results of the database schema queries are stored as metadata on the data source for as long as the data source exists. The results of report query executions are stored in a transient cache in the Cluvio backend for up to 24 hours, after which the data is automatically purged and no copies are retained.

In more detail, the queries that Cluvio performs against your database are as follows:

  • On initial connection to your database, Cluvio runs SQL queries to determine metadata about the database (version, time zone, number of connections allowed) and its schema (e.g. schemas, tables and columns). The schema information is refreshed every 24 hours so that it is kept up to date.
  • When an authorised user runs a query in the query editor, the SQL is executed against the database. The exact SQL query executed can be seen in the Results tab of the query editor.
  • For existing reports on a dashboard, the corresponding query is executed against the database whenever one of the following conditions applies:
    • The report is manually refreshed (i.e. the user hits Refresh on a report or on the entire dashboard).
    • The dashboard is accessed and the source data for a report is not present in the Cluvio cache.
    • The dashboard parameters are changed and the results for that specific combination of parameters are not in the Cluvio cache.
  • For SQL alerts, the query associated with the alert is executed according to the configured schedule.
  • For custom filters on a query, the query is executed to refresh the filter values according to the schedule configured for the filter.

Data security

Any data that is either related to your account or a result of one of the analytical queries is protected in transit and at rest.

Data in transit

In-transit security refers to the security of data as it is transmitted between the Cluvio services and the end user's computer. All Cluvio communication is performed over transport-layer security (TLS/HTTPS). The Cluvio API is not accessible via unencrypted HTTP connections; clients requesting such connections are immediately redirected to the secure transport protocol. Furthermore, all API operations that involve account information or data require user authentication and authorisation.

Data at rest

Cluvio stores all account data in a database that is encrypted at rest, and all backups of the data are encrypted as well. User passwords are stored as salted cryptographic hashes so that they cannot be recovered and abused even if the database is compromised. Database connection passwords and authorization strings are stored with 256-bit symmetric encryption.

Access security

All Cluvio APIs that provide access to the account data require authentication via email and password. The result of successful authentication is a time-constrained session and an access token that authorizes API access in the context of that session. The following measures are taken to prevent abuse and facilitate recovery:

  • User passwords must be at least 8 characters long.
  • Email confirmation is required for any new user account and for any change to a user's email address.
  • Accounts are locked after a certain number of failed login attempts; unlocking requires a link that is sent to the account's email address.
  • A password reset can be performed through a link that is sent to the account's registered email address.
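The following Python is an added example, not Cluvio's code, that shows how the mechanisms described under "Data at rest" and "Access security" fit together: per-user salted password hashes with constant-time verification, a lockout after repeated failed logins that is cleared through an emailed unlock token, and sessions that expire after a fixed lifetime. The hash function (PBKDF2-HMAC-SHA256), its iteration count, the lockout threshold of 5 attempts and the 8-hour session lifetime are assumptions; the page only states the 8-character minimum, that accounts lock after "a certain number" of failures and that sessions are time-constrained.

```python
"""Added example (not Cluvio's code): salted password hashes, failed-login
lockout with an unlock token, and time-constrained session tokens.
Standard library only, so it runs offline."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MIN_PASSWORD_LENGTH = 8              # stated on the page
PBKDF2_ITERATIONS = 200_000          # assumed work factor
MAX_FAILED_ATTEMPTS = 5              # assumed lockout threshold
SESSION_LIFETIME_SECONDS = 8 * 3600  # assumed session lifetime


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random 16-byte salt per password means two
    users with the same password get different stored hashes, so a leaked
    table cannot be attacked with one precomputed lookup."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password must be at least %d characters" % MIN_PASSWORD_LENGTH)
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


# Dummy credentials used for unknown emails so a login attempt costs the same
# time whether or not the account exists (assumed mitigation, not from the page).
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder-password")


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    unlock_token: Optional[str] = None  # would be sent by email when locked


@dataclass
class Session:
    email: str
    expires_at: float  # unix timestamp


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)  # enforces the minimum length
        self.accounts[email] = Account(email, salt, digest)

    def login(self, email: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a session token on success, None otherwise."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_HASH)
            return None
        if acct.locked:
            return None
        if not verify_password(password, acct.salt, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                acct.unlock_token = secrets.token_urlsafe(32)  # emailed to the user
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(email, now + SESSION_LIFETIME_SECONDS)
        return token

    def unlock(self, email: str, token: str) -> bool:
        """Clear a lockout when the emailed token is presented."""
        acct = self.accounts.get(email)
        if acct is None or not acct.locked or acct.unlock_token is None:
            return False
        if not hmac.compare_digest(acct.unlock_token, token):
            return False
        acct.locked, acct.failed_attempts, acct.unlock_token = False, 0, None
        return True

    def authorize(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email bound to a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        session = self.sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self.sessions[token]
            return None
        return session.email


if __name__ == "__main__":
    svc = AuthService()
    svc.register("user@example.com", "correct horse battery")  # constructed sample
    tok = svc.login("user@example.com", "correct horse battery")
    print("session valid:", svc.authorize(tok) is not None)
```

The `now` parameter exists only so expiry and lockout can be exercised deterministically; a real service would read the clock itself and would persist accounts and sessions in the encrypted database rather than in memory.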

Auditing

Cluvio audits all changes made by a user in the context of an organization. This includes logging in and out (with the IP address recorded), running queries, and creating, changing or deleting reports, dashboards or any other objects. The audit logs will be exposed to account admins at a later stage, once this feature is implemented as part of the Cluvio admin section.

Monitoring

Cluvio employs a wide range of monitoring services that track the uptime of the Cluvio platform and allow us to respond quickly to any operational problems. This includes:

  • API availability monitoring
  • Server log monitoring
  • Server components and services availability monitoring
  • Browser error monitoring

A summary of the Cluvio platform status, as well as historical incidents, can be viewed at any time at http://status.cluvio.com.

Data retention & physical media

Data retention

Cluvio never stores the results of your analytical queries other than in the transient results cache (kept for up to 24 hours and purged afterwards). Account data is stored in encrypted form as part of the database backups. These backups are kept for a limited time (usually at most 30 days).

Physical media

All physical storage devices used by Cluvio are on AWS. Amazon AWS follows the Guidelines for Media Sanitization (NIST 800-88 or DoD 5220.22-M), under which all physical devices are destroyed within Amazon premises without leaving those locations. A detailed description can be found in the AWS Security Whitepaper on page 8, section "Storage Device Decommissioning".

Certifications & Compliance

Amazon AWS complies with some of the most demanding certifications and standards, namely:

  • Sarbanes-Oxley (SOX) compliance
  • ISO 27001 Certification
  • PCI DSS Level I Certification
  • HIPAA compliant architecture
  • SOC1 Audit, SOC2, SOC3
  • FISMA Medium ATO
  • Service Health Dashboard

For an up-to-date list of certifications and compliance audit reports, please see https://aws.amazon.com/compliance.

Responsible Disclosure Policy

If you are a security expert or researcher and you believe that you have found a security issue in Cluvio, we encourage you to notify us at security@cluvio.com. Please make a good faith effort to protect our users' privacy and data. We look forward to working with you to resolve the issue as soon as possible and will award bug bounties if applicable.