StreamNative's Cloud Security Addendum outlines technical and procedural measures for securing the Cloud Service. StreamNative may update this document periodically, with changes effective upon posting. Capitalized terms follow definitions in the StreamNative Cloud Services Agreement.
1. Customer Data Access and Management
1.1 Customers control Cloud Service access through User IDs, passwords, or Identity Provider integration.
1.2 For data governance and confidentiality, customers should encrypt data before transmission; encryption is mandatory in certain cases (see section 15).
1.3 StreamNative uses Content solely to provide the Cloud Service as specified in the Agreement.
1.4 Message data sent to Pulsar topics is stored in the production environment selected by the customer.
1.5 Message Content replicates per customer-specified retention periods. Customers must consume Content regularly and maintain separate storage for data beyond retention policies.
2. Encryption and Logical Separation
2.1 Content at rest uses enterprise-grade encryption standards on storage backends.
2.2 Communications between customer endpoints and the Cloud Service employ appropriate encryption for data in motion.
2.3 The service provides logical data separation between customers. Dedicated cloud resources are available for purchase. Controls prevent unauthorized cross-customer access.
3. StreamNative Service Infrastructure Access Management
3.1 Infrastructure access restricts to personnel requiring it for job duties.
3.2 Unique User IDs are assigned during hiring and onboarding.
3.3 Server password policies align with StreamNative requirements and industry recommendations.
3.4 Terminated personnel access is disabled promptly; transferring employees' privileges adjust accordingly.
3.5 Personnel access to Cloud Service infrastructure undergoes quarterly review.
3.6 Cloud provider firewalls implement deny-all defaults, enabling only necessary protocols.
3.7 Remote administration uses appropriate security measures.
4. Risk Management
4.1 StreamNative maintains a risk management program based on industry guidance.
4.2 Risk assessments occur throughout the year, including self and third-party evaluations, automated scans, and manual reviews.
4.3 Assessment results report to the Security Committee head. The Committee meets biannually to review findings, identify control gaps, assess threat environment changes, and recommend improvements.
4.4 Control and mitigation strategy changes receive risk-adjusted evaluation and prioritization.
4.5 Threat monitoring occurs through threat intelligence services, vendor notifications, and trusted public sources.
5. Vulnerability Management and Penetration Testing
5.1 Vulnerability mitigation is every StreamNative employee's responsibility.
5.2 Latest patches and updates apply promptly after testing in pre-production environments.
5.3 StreamNative engineers evaluate potential vulnerability impacts.
5.4 Vulnerabilities triggering alerts with published exploits escalate to Security leadership for remediation.
5.5 Security Operations monitors trusted vulnerability and threat intelligence sources.
5.6 Independent third-party penetration tests occur annually. Detailed results remain restricted; redacted summaries require appropriate non-disclosure agreements.
6. Remote Access & Wireless Network
6.1 Cloud Service network access requires encrypted connections (SSH, MFA, regularly rotated SSH keys), never passwords.
6.2 StreamNative corporate offices require authentication for LAN and Wi-Fi access plus public cloud provider account authentication.
6.3 Content processing data cannot be stored on local desktops, laptops, mobile devices, shared drives, removable media, or non-StreamNative-controlled public systems.
7. Cloud Service Location
7.1 Message Content storage follows customer-specified region selections via the Cloud Service.
8. System Event Logging
8.1 Monitoring tools track network, server, availability, resource utilization, and security events.
8.2 Infrastructure security event logs centralize and store using security measures preventing tampering, retained for twelve months.
8.3 Security events undergo review for malicious or inappropriate activity.
9. System Administration and Patch Management
9.1 StreamNative creates, implements, and maintains system administration procedures meeting or exceeding industry standards, including system hardening, patching, and threat detection with daily updates.
9.2 The security team reviews US-CERT announcements weekly and assesses impact using StreamNative-defined risk criteria.
9.3 High or critical US-CERT security updates receive attention within thirty days of release.
10. StreamNative Security Training and Personnel
10.1 StreamNative maintains a security awareness program providing initial education, ongoing awareness, and personnel acknowledgment of policy compliance intent. New hires complete security training, sign proprietary information agreements, and digitally acknowledge information security policies.
10.2 All personnel acknowledge responsibility for reporting actual or suspected concerns, thefts, breaches, losses, and unauthorized access or disclosure.
10.3 All personnel complete annual security training.
11. Physical Security
11.1 The Cloud Service hosts on AWS, GCP, Azure, and other public clouds. Public cloud providers manage physical security. StreamNative annually reviews applicable security and compliance reports ensuring appropriate controls:
- 11.1.1 Visitor management including physical access tracking and monitoring
- 11.1.2 Electronic access control devices manage server location access points
- 11.1.3 Monitor and alarm response procedures
- 11.1.4 CCTV cameras at facilities
- 11.1.5 Video capturing devices in data centers with ninety-day retention
- 11.1.6 Environmental and power management controls
- 11.1.7 Physical media removal and destruction procedures
12. Notification of Security Breach
12.1 StreamNative notifies customers in writing within seventy-two hours of confirmed unauthorized Message Content access.
12.2 Notification summarizes known breach details and investigation status.
12.3 StreamNative implements appropriate containment, investigation, and mitigation actions.
13. Availability and Disaster Recovery
13.1 StreamNative maintains an annually-tested Disaster Recovery Plan for the Cloud Service.
13.2 Disaster recovery strategies cover authentication, authorization data, account information, and data within Cloud Service infrastructure. StreamNative's DRP covers account and user information. Customers are responsible for disaster recovery strategies for transmitted and stored data.
Each cloud platform provider offers inbuilt disaster recovery solutions customers should employ.
14. StreamNative Security Compliance, Certifications, and Third-party Attestations
14.1 StreamNative hires accredited third parties for annual audits and compliance attestations:
- 14.1.1 SSAE 18 SOC 2 Type II
- 14.1.2 HIPAA readiness — with executed Business Associate Agreement, StreamNative supports HIPAA-regulated Message Content
- 14.1.3 ISO 27001 Certification
14.2 StreamNative's Trust Center (https://trust.streamnative.io/) provides compliance certification information and documentation request portals.
15. Additional Customer Responsibilities
15.1 Customers manage and secure User Credentials and protect resources sending Content to the Cloud Service.
15.2 Customers immediately notify StreamNative of compromised credentials or suspected suspicious activities affecting Cloud Service security or account integrity.
15.3 Security penetration tests and assessment activities require express prior written Chief Information Security Officer consent.
15.4 StreamNative implements reasonable security measures preventing unauthorized access and accidental data loss. However, no guarantee exists against all unauthorized third-party access to Content.
15.5 Customers cannot transmit cardholder or sensitive authentication data (per PCI DSS standards) unless message-level encrypted by the customer.
15.6 Protected Health Information (HIPAA-defined) cannot transmit without prior Business Associate Agreement execution.
15.7 Customers ensure data protection levels matching Message Content sensitivity, including appropriate message-level encryption.
15.8 Customers manage backup strategies for Message Content.