Splunk Protects

Data Privacy. Security. Compliance.
These matter to you. They are imperative to us.
Guiding Principles

Customers turn to Splunk’s Data-to-Everything™ Platform to predict, identify and solve problems in real time on a global scale. Everywhere our customers go, data privacy, security and compliance are top of mind. Splunk’s global privacy, security and compliance programs are designed to meet our customers’ needs internationally and comply with global standards. Read on for more information about privacy, security and compliance at Splunk.

Data Privacy

As a big data company, Splunk understands the importance of data privacy. Our programs, products and services are structured to provide effective data privacy protections for Splunk, its customers, partners and employees.

Security

Security by Design is top-of-mind throughout our development process. Our products and services are designed to meet your data security needs, including access controls, monitoring and encryption.

Compliance

Splunk complies with industry and international security standards. This includes participating in rigorous third-party audits that verify security controls for our Cloud services.

The Details

Cloud Infrastructure

Splunk uses a range of technologies to prevent unauthorized access or compromise of Splunk’s network, servers or applications, which include such things as logical and physical controls to segment data, systems and networks. Splunk monitors demarcation points used to restrict access such as firewalls and security group enforcement points. Remote users must authenticate with two-factor authentication prior to accessing Splunk networks containing customer content.

Splunk Employee Access Control

Splunk grants system privileges and permissions to users on a “least privilege” principle. Customer stacks are logically separated from each other. Splunk leverages the benefits of virtualization at the server, storage and network layers to ensure that there is strict separation for each customer instance. Logical access policies and procedures delineate Splunk's required activities and responsibilities for credential management, user access provisioning, privileged access, monitoring and intrusion detection.

Role-based access and audit controls allow our customers to manage the actions Splunk users can take and what data, tools and dashboards they can access.

  • Learn more about configuring role-based user access and audit controls.
  • You can build your own roles to map to your organization’s data access policies for different classes of users. You can also map Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML) groups to different roles.
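As an added illustration of the role and group mapping described above (not configuration from the Splunk Protects page), the fragment below defines a least-privilege custom role and maps a directory group to it. The role name, LDAP strategy name, group names, index names and host are assumed placeholders; confirm the key names against the authorize.conf and authentication.conf reference for your Splunk version.

```ini
# Added example, not from the original page. Assumed values: role "soc_analyst",
# LDAP strategy "corp_ldap", groups "SOC-Analysts" / "Splunk-Admins",
# indexes "firewall" / "proxy", directory host ldap.example.com.

# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Custom role built on the built-in "user" role: it inherits only that role's
# capabilities and is restricted to two indexes, so analysts in this role
# cannot search anything else even if they name another index explicitly.
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = firewall;proxy
srchIndexesDefault = firewall;proxy
srchJobsQuota = 10
srchDiskQuota = 500

# --- $SPLUNK_HOME/etc/system/local/authentication.conf ---
# Authenticate against the corporate directory over LDAPS.
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.com
port = 636
SSLEnabled = 1
bindDN = cn=splunk-bind,ou=service,dc=example,dc=com
# bindDNpassword is set through the UI so it is stored encrypted, not here.
userBaseDN = ou=people,dc=example,dc=com
userNameAttribute = uid
realNameAttribute = cn
groupBaseDN = ou=groups,dc=example,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

# Map directory groups to Splunk roles. A directory user whose groups match
# none of these entries receives no role and therefore cannot log in.
[roleMap_corp_ldap]
soc_analyst = SOC-Analysts
admin = Splunk-Admins
```

Role membership changes made in the directory take effect at the next login, so group hygiene in the directory is what enforces least privilege on the Splunk side.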

Splunk Employee and User Authentication

Authorized users supporting the delivery of Splunk services must identify and authenticate to the network, applications and platforms using their user ID and password. Splunk’s enterprise password management system requires minimum password parameters. SSH key authentication and enterprise password management applications are used to manage access to the production environment and two-factor authentication (2FA) is required for remote access and privileged account access for customer content production systems.

Splunk supports single sign-on (SSO) integrations (SAML v2) with compliant identity providers such as Okta, PingFederate, Azure AD, ADFS, CA SiteMinder, OneLogin, Centrify, SecureAuth, IdentityNow, Oracle OpenSSO, Google SAML2 provider and Optimal Id. Splunk also integrates with other authentication systems, including LDAP, Active Directory and e-Directory.

Data Anonymization

Splunk supports advanced anonymization to remove confidential data from data analysis results and queries. Learn more about data anonymization.

Secure Data Access and Processing

Splunk Cloud provides secure data processing through access controls, logging and monitoring, auditability, threat and vulnerability management, encryption, incident management and third-party audit. For more detail on the administrative, technical and physical safeguards Splunk deploys to protect customer content, see the Splunk Cloud Platform Security Addendum (CSA).

Data Segregation

Splunk Cloud environments enforce logical separation of customer data.

Data Integrity

Indexed data can be hashed to ensure fidelity over time, giving you confidence that your data hasn’t been altered. Individual events and streams of events can be signed. Splunk also provides message integrity measures that show whether an event has been inserted or deleted from the original stream.

Data Encryption In Transit

Splunk Cloud uses industry standard SSL/TLS 1.2+ (Secure Sockets Layer/Transport Layer Security) encryption for data in transit. All forwarders and user sessions are secured in this manner. Electronic messaging is secured by opportunistic TLS encryption on email gateways.

Data Encryption At Rest

Splunk Cloud offers data encryption at rest using Advanced Encryption Standard (AES) 256-bit encryption. Encryption at rest is available as a premium service enhancement that customers can purchase.

Asset Management and Disposal

Splunk maintains an inventory of cloud infrastructure assets that it regularly updates and reconciles. Documented, standard build procedures are used for installation and maintenance of production servers. Upon expiration or termination of contract, Splunk retains customer content for 30 days, after which documented data disposal policies are used for the secure disposal of content as set forth in the relevant customer agreement.

Change Management

Splunk follows documented change management procedures for application, infrastructure and product-related changes. Changes undergo review and testing, including security and code reviews, regression testing and user acceptance testing before approval for implementation. Splunk deploys changes during maintenance windows, which are set forth in the relevant Support Program.

Vendor Risk Management

Splunk uses third-party service providers and solutions suppliers (“Vendors”) to provide the Cloud service. Vendors undergo a detailed security due diligence assessment prior to onboarding. Identified security risks are managed through Splunk’s risk management program. Splunk enters into written agreements with its Vendors that impose on them applicable security, confidentiality and privacy obligations necessary to maintain Splunk’s security posture. Splunk monitors its Vendors using a risk-based approach to provide a level of security appropriate to the services they provide.

Personnel Security

Splunk personnel with access to customer content are subject to background checks in accordance with the relevant legal requirements. The background checks are commensurate to an individual's job duties. The activity of Splunk personnel engaged in support or professional services with access to customer data, systems or facilities, is logged and monitored.

Physical Security

Splunk controls and monitors access to Splunk-managed facilities using a layered approach. Physical access is granted based on role and removed when no longer required (including upon termination). Physical access is logged, monitored and audited.

Disaster Recovery Plan

Splunk has a documented Disaster Recovery Plan to manage significant disruptions to Splunk Cloud operations and infrastructure, which is reviewed and approved by management annually. Disaster recovery testing is also performed annually. Results and any corrective actions are documented and remediated as required. Robust data backup, replication and recovery systems are deployed to support resilience and protection of customer content.

Threat and Vulnerability Management

Splunk has a Threat and Vulnerability Management program to continuously monitor for vulnerabilities that are acknowledged by vendors, reported by researchers or discovered internally through vulnerability scans, Red Team activities or personnel identification. Threats are ranked based on severity level and assigned to the appropriate team(s) for remediation as needed.

For systems containing customer content, an external vendor conducts security penetration tests on the corporate and cloud environments at least annually to detect network and application security vulnerabilities. Critical findings from these tests are evaluated, documented and assigned to the appropriate teams for remediation. In addition, Splunk conducts internal penetration tests periodically and remediates findings as appropriate.

Intrusion Detection

Splunk Cloud employs host-based intrusion detection, which logs attempted access and provides automatic alerts to trigger incident management procedures in appropriate cases. Splunk collects its own log, event and sensor-based data to continuously monitor, detect and investigate suspicious activity as permitted by law.

Logging and Monitoring

Splunk continuously monitors application, infrastructure, network, data storage space and system performance. The Splunk Security Team reviews key findings daily and remediates as necessary.

Splunk Incident Response Framework (SIRF)

The Splunk Incident Response Framework (SIRF) establishes the actions and procedures that help Splunk prepare for and respond to security incidents, including how to initiate responsive action, remediate consequences and document lessons learned for improvement of internal processes. Splunk tests its SIRF using a combination of planned reviews, live simulations and periodic training.

Splunk Global Security (SGS)

Led by the Splunk CISO, Splunk Global Security (SGS) is a team of professionals dedicated to securing Splunk. Splunk’s SGS professionals have obtained the CISSP, CISA, CTPRP, CDPSE, GIAC, CEH, CISM, CRISC, CCSK, GSLC, CHP, CHSS and other leading security certifications.

Information Security Policies

Splunk has implemented policies and procedures designed to guide Splunk personnel in the design, implementation and execution of Splunk’s information security program. Splunk policies are updated regularly to keep pace with changes in regulations, technologies and industry best practices. Splunk information security policies are made available to all Splunk personnel.

Information Security Awareness

Information security awareness training is required for all employees annually, and is complemented by ongoing campaigns on key topics such as phishing and social engineering.

Personnel Security

Splunk personnel are background checked prior to employment, are subject to written confidentiality obligations, and are required to acknowledge Splunk’s Acceptable Use Policy.

Security Architecture and Engineering

Splunk is committed to protecting customers by architecting, engineering, and delivering reliable enterprise security services across key business areas to protect the confidentiality, integrity and availability of Splunk systems and assets by doing the following:

  • Security tools: build and operate (R&D)
  • Automation: scripting and playbook development
  • IT support: provide security engineering support for IT projects (e.g., endpoints, email and networking)
  • Content development: Splunk SPL and alerting support
  • Solution security consultation and reviews: threat modeling and architecture review board
  • Technical risk assessments: formal risk assessments and ad-hoc advisory work
  • Technical security standards and design: technical security standards and reference architectures
  • Business application security: securing SDLC, secure coding and web application security
  • Integration security support: API security review and M&A integration

Cyber Risk Management

Splunk maintains a robust Cyber Risk Management Program to identify, prioritize and manage risks to its IT assets, including system infrastructure, networks, laptops, data and intellectual property. Through its Cyber Risk Management Program, Splunk identifies internal and external cyber risks, the likelihood and velocity of them occurring and their potential impact. Splunk collaborates with risk owners to mitigate and eradicate risks, as appropriate.

Vendor Risk Management

Splunk conducts security due diligence and risk assessments of its third-party vendors ("Vendors") prior to onboarding. Thereafter, Splunk manages and monitors Vendor security risks through its risk management program, in alignment with Splunk’s risk profile, customer commitments and applicable regulatory requirements.

Threat Intelligence and Vulnerability Management

Splunk’s Threat and Vulnerability Management team proactively identifies and remediates vulnerabilities to help reduce threats to Splunk’s infrastructure. It provides penetration testing services for Splunk assets and offers insights and recommendations on optimizing the security of Splunk's infrastructure, products and services.

Detection and Monitoring Operations

The Detection and Monitoring Operations team helps to ensure the confidentiality, integrity and availability of Splunk services. Elements of their program include:

  • 24x7 security event triage and analysis
  • Threat hunt, threat intelligence and incident support
  • Enterprise security content development
  • Security tool content development
  • Data operations (hygiene, standard adherence, etc.)
  • Security automation

Splunk Incident Response Framework (SIRF)

The Splunk Incident Response Framework (SIRF) establishes the actions and procedures that help Splunk prepare for and respond to security incidents, including how to initiate responsive action, remediate adverse consequences; document “lessons learned”, and continuously improve Splunk’s incident response process. Splunk tests its SIRF using a combination of planned reviews, live simulations and periodic training.

Customer Trust

Splunk’s Customer Trust team helps Splunk customers assess Splunk’s security posture by responding to RFPs, and otherwise demonstrating how Splunk’s cyber security measures align with customer expectations, applicable standards and regulations.

Product Security (Secure Development)

As a software supplier to many of the world’s largest and most security-savvy organizations, Splunk has high standards and high expectations to meet when it comes to product security. To meet and exceed those standards, Splunk follows a rigorous, industry best practice approach to secure software development. Through a continuous process of security testing and review, and the addition of pro-security features and functionality, Splunk endeavors to deliver software faster and more securely, whether to our Cloud or to customer premises.

Security by Design

The best way to prevent security defects is by designing a product securely from the ground up. Splunk Product Security engages with development teams during the design and planning stages of the development lifecycle to make recommendations and push teams towards secure design patterns. Activities performed at these stages include:

  • Threat modeling
  • Identifying applicable security standards
  • Setting security requirements

Security Assurance

Once functional and security requirements are established, we perform manual and automated validation activities designed to secure our products, including such things as:

  • Static application security testing (SAST)
  • Dynamic application security testing
  • Open source software security scanning
  • Internal whitebox penetration testing
  • Third-party whitebox penetration testing
  • Vulnerability scanning

Security Standards and Programs

Splunk aligns to industry-standard frameworks and leverages additional security validation, as appropriate, including such things as:

  • CVSS, CWE and OWASP Top 10 for vulnerability tracking
  • Secure software development lifecycle based on Microsoft SDL
  • Bug bounty programs
  • Product Security Incident Response Team (PSIRT) services framework

Responsible Disclosure Standards

Splunk follows industry best practices to discover and remediate vulnerabilities before release, and post-release addresses vulnerabilities reported by third parties using a risk-based approach, which may include the following activities:

  • Promptly evaluating potential security vulnerabilities (within two business days of discovery)
  • Rating and prioritizing confirmed vulnerabilities using CVSS
  • Assigning CVEs to confirmed security vulnerabilities
  • Making reasonable efforts to issue releases to mitigate or fix vulnerabilities in supported versions
  • Issuing major and minor releases incorporating cumulative vulnerability fixes
  • Expediting maintenance releases for affected, supported versions for critical-risk, high-impact vulnerabilities
  • Notifying customers of vulnerabilities at the Splunk Product Security page and through the Splunk Product Security Announcements RSS feed

How Splunk Uses Data

Splunk provides detailed information about the data we collect and how we use it in our customer agreements, in-product communications, product documentation and, on our website, in Splunk’s Privacy Policy.

Privacy Shield

Splunk is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks for the transfer of human resources and customer data to the United States, and while those Frameworks were recently invalidated by the European Court of Justice in its decision of July 16, 2020, and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland in its position paper of September 8, 2020, we remain committed to their underlying data protection principles.

We are monitoring events relating to these Frameworks and continue to rely on alternative transfer mechanisms for the transfer of data to the U.S., including the Standard Contractual Clauses. For more about cross-border data transfers to the Splunk Cloud Service, review: A Risk Assessment of EU Cross-Border Data Transfers to the Splunk Cloud Service.

EU Data Protection and the GDPR

The General Data Protection Regulation (GDPR) is a European data protection law that became enforceable on May 25, 2018. It applies to European Union (EU) companies, as well as non-EU companies that have employees in the EU or that offer goods or services to individuals (“data subjects”) in the EU.

The GDPR grants data subjects rights of control over the privacy of their personal data, meaning “any information relating to an identified or identifiable natural person.” Under the GDPR, companies are required to be transparent about what types of personal data they collect and how they use it, be responsible for secure data processing practices and provide notification to customers or data subjects when breaches occur. Splunk is committed to protecting customer personal data, whether our customer is based in the EU or elsewhere around the globe.

GDPR Article 4 defines “Personal Data” to be “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

GDPR Articles 12 to 22 provide data subjects certain rights in their personal data, including the right to: (a) be informed about its collection and use; (b) access and correct their data; (c) request their data be erased (“right to be forgotten”); (d) restrict the processing of their data; (e) port their data from one company to another; (f) object to how their data is being processed; and (g) object to any automated data profiling in certain cases (for example, hiring decisions made only on the basis of automated resume scans).

Splunk employs technical, organizational and administrative measures to protect customer data and has certified its Splunk Cloud service to industry leading security standards, such as SOC 2 Type II and ISO 27001. Splunk also offers heightened security standards for those customers who require Splunk Cloud’s HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card Industry) environments. For more on this topic, see Splunk’s Security Certifications.

Splunk believes in open and transparent disclosure about how we collect, use, share and transfer Personal Data and how you can opt-out of sharing Personal Data. For detailed information about Splunk’s data collection practices, see Splunk’s Privacy Policy.

No; to the contrary, the GDPR expressly allows it. Splunk relies on Standard Contractual Clauses, an approved transfer method, to transfer personal data from the EU to the U.S. for processing. For more about cross-border data transfers to the Splunk Cloud Service, review: A Risk Assessment of EU Cross-Border Data Transfers to the Splunk Cloud Service and Splunk’s Responses to the European Center for Digital Rights (noyb) questions regarding international data transfers.

A data processing addendum (DPA) is a contract between a data controller and a processor that spells out what privacy and security protections will be used during processing of data, as well as what rules the processor will follow when processing the data. Splunk’s DPA and instructions for completion may be found here.

Click here to download an exemplar copy of Splunk's DPA

Splunk’s DPA meets the GDPR requirements that pertain to the services we provide, has been benchmarked against industry standards, and reflects our data privacy and security compliance programs. It sets forth what we do and how we do it. As such, we do not negotiate the provisions of Splunk’s DPA.

Splunk maintains a list of its sub-processors that process Personal Data and updates this list as needed. Splunk customers can subscribe to notifications of new sub-processors for the services we provide. To subscribe to Splunk’s sub-processor notification listserv, click here.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a California state law that expands the privacy rights of California residents and creates new compliance requirements for businesses that collect and process Personal Information of California residents. The CCPA went into effect on January 1, 2020.

The CCPA gives California residents new rights with respect to the collection and processing of their Personal Information (broadly defined to include information that, directly or indirectly, may lead to the identification of an individual or household). These new rights include:

  • the right to know what categories of Personal Information a business collects (generally) in the past twelve (12) months, how it is used, with whom it is shared and why;
  • the right to request a list of the specific pieces of Personal Information a business collected about the requestor in the past twelve (12) months, how it is used, with whom it is shared and why;
  • the right to request deletion of Personal Information (in certain cases); and
  • the right to object to the sale of Personal Information.

It also places requirements on businesses that collect and process Personal Information, such as:

  • the requirement to post on the business website every twelve (12) months information about the business’ privacy policy, including the categories of Personal Information collected, with whom shared and why;
  • the requirement to post on the business website a “Do Not Sell My Personal Information” link so California residents can “opt-out” of the sale of their Personal Information, if such information is sold by the business; and
  • the requirement to facilitate rights requests as outlined above.

The CCPA applies to businesses that collect or process the Personal Information of California residents and meet any one of the following criteria:

  • has annual gross revenues in excess of $25 million;
  • annually buys, receives, sells or shares Personal Information of 50,000 or more consumers, households or devices; or
  • derives 50 percent or more of its annual revenue from selling consumers’ Personal Information.

As Splunk processes the Personal Information of California residents and has gross annual revenues in excess of $25 million, the CCPA applies to Splunk.

Customers that use Splunk Cloud services to process Personal Information are “Businesses” under the CCPA. They are responsible for ensuring the lawful collection and processing of the Personal Information they send to Splunk Cloud.

Splunk is a “Service Provider” for the Personal Information its customers send to Splunk Cloud, and under the CCPA, is responsible for upholding its contractual commitment to only use the Personal Information it receives from customers for the purpose of performing the Splunk Cloud services.

Splunk does not sell the Personal Information its customers upload to Splunk Cloud. Further, Splunk does not sell the Personal Information Splunk collects in its capacity as a “Business,” e.g., business contact information. For more information about how Splunk uses Personal Information, see Splunk's Privacy Policy.

Training and Internal Policies

It’s not enough to build secure products. Every person at an organization is responsible for making sure data is secure. We train employees on policies and procedures for secure data handling, and use physical and procedural safeguards to help keep our facilities and equipment secure.

Dedicated Data Protection Officer

Splunk employs a full-time DPO who is responsible for overseeing the processing of data at Splunk.

Security Certifications and Attestations

Splunk Cloud maintains a comprehensive security program designed to protect your data’s confidentiality, integrity and availability in accordance with the highest industry standards. Splunk Cloud has been certified by independent third-party auditors to meet the security standards described below.

ISO 27001 Certification

Splunk Cloud achieved the International Organization for Standardization’s information security standard 27001 (ISO 27001) certification in December 2015 and continues to update it annually. ISO 27001 is a specification that outlines security requirements for an information security management system (ISMS). Splunk’s current ISO certification may be found here.

SOC 2 Type II Report

Splunk Cloud undergoes annual Service Organization Controls 2 (SOC 2) Type II audits to evaluate its information security system controls as they relate to the Security, Availability and Confidentiality of the Trust Services Criteria.*

* Splunk continues to update and extend the scope of its SOC 2 Type II audit program, and therefore, for some regions, the corresponding SOC 2 Type II report may not yet be completed. For more information, see the Splunk Cloud Security Addendum.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that sets forth national standards governing the processing of protected health information or “PHI.” HIPAA is intended to improve the effectiveness and efficiency of healthcare systems by:

  • establishing standards for the use of electronic records in healthcare;
  • establishing standards for accessing, storing and transmitting PHI; and
  • protecting the privacy and security of PHI.

Splunk Cloud is reviewed by third-party auditors annually to certify that it meets HIPAA’s data security requirements, including encryption in transit and at rest.

PCI DSS

The PCI Data Security Standard (PCI DSS) is a set of comprehensive operational and technical controls required by businesses in the credit card industry to process payments. Splunk Cloud is audited annually to confirm its ongoing compliance with PCI DSS.

FedRAMP Authorized

Splunk Cloud is FedRAMP Authorized by the General Services Administration FedRAMP PMO at a moderate impact level. This authorization facilitates the use of Splunk Cloud by U.S. Federal Government agencies requiring cloud-based services up to the moderate security impact level. Additional details are available on the FedRAMP marketplace.

FIPS 140-2 Certification

The Splunk Enterprise cryptographic module achieved Federal Information Processing Standard 140-2 validation (FIPS 140-2: crypto modules, level 1 certificate #3126). Splunk Enterprise and Splunk Cloud leverage the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information when deployed on any compliant operating system. The Splunk Cloud offering, with appropriate compliance such as FedRAMP moderate, leverages the FIPS 140-2 validated Splunk Cryptographic Module for the protection of sensitive information.

Common Criteria

Splunk Enterprise is Common Criteria certified by National Information Assurance Partnership (NIAP). This certification facilitates the use of Splunk Enterprise by Government Agencies requiring products that meet the Common Criteria security standard. Additional details are available on the NIAP Product Compliant List website.

Whitepaper and FAQ: EU Cross-Border Transfers

This whitepaper is designed to assist Splunk customers with their evaluation of the protections provided by Splunk for cross-border data transfers to the Splunk Cloud Service. The FAQ answers customer questions about EU to U.S. cross-border data transfers using the form questions from the noyb organization. You may review a copy of the whitepaper here and the FAQ here.

Data Protection Addendum

Splunk offers a Data Processing Addendum (DPA) for customer GDPR or CCPA compliance needs. Click here to download and electronically sign the Splunk DPA.

Cloud Security Addendum

The Splunk Cloud Platform Security Addendum (CSA) sets forth the administrative, technical and physical safeguards Splunk takes to protect customer data in Splunk Cloud. Benchmarked against industry standard requirements (ISO 27001, SOC 2, HIPAA, PCI DSS and FedRAMP, as applicable), the CSA provides details regarding the data security controls in the Splunk Cloud environment, including information about risk management, incident response, breach notification and encryption. The controls are audited annually, and are designed to reflect the way Splunk Cloud operates.

Consensus Assessment Initiative Questionnaire (CAIQ)

Founded as a research organization in 2008, the Cloud Security Alliance defines standards, certification programs and best practices for a secure cloud computing environment.

The Consensus Assessments Initiative Questionnaire (CAIQ) is an industry-accepted cloud security questionnaire covering a comprehensive range of security controls against which customers may assess a cloud provider.

Standardised Information Gathering (SIG) Core Questionnaire

The SIG questionnaire was created by Shared Assessments, an organization that provides best practices and tools for third-party risk management teams.

The SIG Core is an extensive set of questions used to ascertain the security posture of third-party vendors. The SIG measures security risks across 18 distinct control areas and aligns with the most updated international regulatory guidance and standards.

Subprocessor Notification

Sign up to receive email notifications of changes to sub-processors for Splunk products and services. You can sign up here.