Security
Security is of paramount importance at Gremlin. To ensure we maintain a safe and secure environment we use a variety of industry-standard technologies and practices managed by our dedicated security team. We provide regular security awareness training to our employees in both technical and non-technical roles to ensure that security is always given utmost priority and importance. If you have any questions, concerns, or encounter any issues, please contact us at security@gremlin.com.
Still have questions? View Gremlin’s complete security compliance and audit documentation.
Product Security Features
Being secure is a guiding principle behind the Gremlin product. Achieving it starts with our agile development process and use of continuous integration, which allow for quick resolution of security issues as well as functional issues, and with our strict adherence to security-centric change management and incident management programs.
To find out more about Gremlin’s product security features see our security docs.
SSO
For customers desiring more control over authentication, we support SAML 2, allowing us to integrate with many enterprise authentication systems. We also support Google OAuth2 for customers desiring to integrate with Gmail or Google Workspace. Don't host your own authentication system? That's OK, we also provide username/password based logins!
MFA
Gremlin provides MFA for use with password logins. When enabled, MFA provides added security by requiring a separate rotating 6-digit code, typically generated by an app on your phone. This ensures that if your password were to be compromised, your account would remain secure.
Proxy Support
Using a proxy for your outbound network traffic? That's just fine, the Gremlin agent supports HTTP/HTTPS proxies via standard Linux methods.
Access Logging
All access to the system is logged and made available to administrators in JSON format to facilitate integration with customer security monitoring systems.
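JSON access logs are useful to a customer mainly once a monitoring system consumes them. As an added example that is not Gremlin's code and does not reflect Gremlin's actual log schema, the following reads constructed JSON access-log lines (the field names ts, user, action, result and src_ip are assumed for the illustration) and flags a burst of failed logins from one source, noting whether a successful login followed it, which is the pattern a SIEM rule for credential guessing typically looks for.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines with a hypothetical schema; 203.0.113.0/24 is a
# documentation range, and the users and times are invented.
SAMPLE_LOG = """
{"ts": "2024-01-15T12:00:00+00:00", "user": "alice", "action": "login", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": "2024-01-15T12:00:40+00:00", "user": "alice", "action": "login", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": "2024-01-15T12:01:15+00:00", "user": "alice", "action": "login", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": "2024-01-15T12:02:05+00:00", "user": "alice", "action": "login", "result": "failure", "src_ip": "203.0.113.7"}
{"ts": "2024-01-15T12:02:30+00:00", "user": "alice", "action": "login", "result": "success", "src_ip": "203.0.113.7"}
{"ts": "2024-01-15T12:03:00+00:00", "user": "alice", "action": "attack.create", "result": "success", "src_ip": "203.0.113.7"}
{"ts": "2024-01-15T12:10:00+00:00", "user": "bob", "action": "login", "result": "failure", "src_ip": "203.0.113.9"}
{"ts": "2024-01-15T12:10:20+00:00", "user": "bob", "action": "login", "result": "success", "src_ip": "203.0.113.9"}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_login_bursts(events: list[dict], threshold: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return one alert per (user, src_ip) whose failed logins reach `threshold`
    inside any sliding `window`, with the largest such count observed."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.get("action") != "login":
            continue
        key = (ev["user"], ev["src_ip"])
        bucket = failures if ev.get("result") == "failure" else successes
        bucket[key].append(ev["ts"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        best = None
        start = 0
        for end in range(len(times)):
            # advance `start` until the window [start, end] fits in `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                best = {"first": times[start], "last": times[end], "failures": count}
        if best is None:
            continue
        followed = any(best["last"] <= s <= best["last"] + window
                       for s in successes.get(key, []))
        alerts.append({
            "user": key[0],
            "src_ip": key[1],
            "failures": best["failures"],
            "first": best["first"].isoformat(),
            "last": best["last"].isoformat(),
            "followed_by_success": followed,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_login_bursts(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

A burst followed by a success is the case worth escalating rather than just rate-limiting; for an MFA-protected account the same rule can be extended to MFA-step failures, which the log would record under a different action value.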
Data Security
Gremlin operates on the principle of least privilege. Only those with a strict business need to access data are allowed to do so, and only after signing non-disclosure agreements. We employ multiple layers of authentication and access control to ensure only those authorized to access data are allowed to do so, and we monitor that access in real time, alerting on suspicious activity. All data is encrypted both in transit using TLS and at rest using AES-256. Passwords are randomly seeded and hashed using SHA2 prior to encrypted storage. All customer data is logically segregated and tagged with ownership to ensure it cannot be accessed or used by unauthorized users.
System And Software Security
Gremlin's systems are physically hosted in a managed secure cloud environment that is ISO 27001 & 27017, PCI DSS Level 1, and SOC 1 & 2 & 3 compliant and utilizes advanced security technologies that include biometric and hardware token identification. All Gremlin systems are hardened and regularly updated with the latest security patches. All systems are monitored in real-time and regularly audited to ensure they remain in compliance.
Auditing & Monitoring
All systems are regularly audited by our dedicated security team, at least quarterly; systems with access to sensitive data are audited at least monthly and in some cases daily.
We employ a 3rd party security auditing and penetration testing firm at least annually, or anytime there are major changes to our systems or architecture. This ensures that our internal systems and processes are performing as we believe they are.
We employ multiple real-time monitoring systems with 24/7 alerting to inform us of violations of policy as well as suspicious activity that may indicate a compromise.
SOC 2 Type II
We've recently completed auditing for the Service Organization Control (SOC) 2 Type II report. Compiled by Peterson & Sullivan, the report documents how Gremlin's information security practices, policies, and procedures are suitable to meet the SOC 2 trust principles criteria for security and confidentiality.
The goal of the report is to verify the existence of internal controls designed and implemented to meet the requirements for the security principles set forth in the Trust Services Principles and Criteria for Security. It provides a thorough review of how Gremlin’s internal controls affect the security, availability, processing integrity, and confidentiality of the systems it uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. This independent validation of security controls is crucial for customers in highly regulated industries.
Physical Security
All data centers used by Gremlin are ISO 27001 and SOC 1 & 2 certified. Access to facilities is restricted to authorized users via electronic means, including biometrics. All facilities are monitored by professional security staff.
Other compliance and security frameworks used
In addition to the above audits, Gremlin strictly adheres to the General Data Protection Regulation (GDPR), Open Web Application Security Project (OWASP), and National Institute of Standards and Technology (NIST) frameworks.
Avoid downtime. Use Gremlin to turn failure into resilience.
Gremlin empowers you to proactively root out failure before it causes downtime. See how you can harness chaos to build resilient systems by requesting a demo of Gremlin.