Fiddler has integrated security into our SDLC with controls and processes such as security design review, threat modeling, static and dynamic application security scans, container image scanning throughout the release cycle, host and network scanning, periodic node rotation, and hardening of base images. The goal of our vulnerability management program is to ensure that no known vulnerabilities remain in our code, to continuously improve our product security, and to assure our customers that their data is safe and secure.
All customer data is classified as confidential data, requiring the highest degree of controls and protections. Our support staff is prohibited from accessing customer data and from downloading or storing it on their devices. We seamlessly authenticate customers through SSO providers to keep user accounts secure. Customers use Role-Based Access Controls to grant granular authorizations to their users. Development and production environments are maintained separately, and customer data is never loaded into the development environment.
Fiddler backs up the customer's encrypted data each day to ensure the data is safe and secure. We retain customers' data in accordance with the data retention policy, and safely and securely delete the data at the end of the retention period. Once permanently deleted, customer data is rendered completely unrecoverable, giving you the peace of mind that your confidential data can never be accessed.
All communications with and within the Fiddler customer clusters are encrypted over the network with industry-standard HTTPS/TLS 1.2 (or higher), without exception. This ensures that all in-transit traffic between the customer and Fiddler is encrypted. All data at rest is encrypted using AES-256 (or stronger).
Fiddler production infrastructure is hosted in the cloud in a service provider's environment. Physical and environmental security controls for our production servers, including the buildings and the locks and keys used on doors, are managed by the cloud provider.
Fiddler management is responsible for deploying, managing and executing the information security program. To ensure our controls are operating correctly, we have incorporated a third-party security monitoring tool that monitors our controls continuously. We have implemented security awareness training that all our personnel regularly undergo and that weaves security into both technical and non-technical roles. We have implemented a comprehensive Business Continuity & Disaster Recovery program, and we test the business continuity and disaster recovery plans annually.
Fiddler is highly committed to information security management and therefore regularly undergoes penetration testing and security audits.
SOC 2 Type II: Fiddler's SOC 2 Type II report covers the trust services categories of security, confidentiality, and availability and is audited annually. The report is available upon request for review by existing customers and new prospects. As the information is confidential, we require a signed NDA before the report can be reviewed.
HIPAA: Fiddler is in compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires any organization that serves healthcare clients to comply with regulatory standards governing the security, privacy, and integrity of sensitive healthcare data, called Protected Health Information (PHI). PHI is any demographic or healthcare-related information that can be used to identify a patient.