Compliance

ThreatX is committed to the privacy and security of our customers' data. The ThreatX platform collects and stores as little customer data as possible while maintaining the highest level of security and efficacy for the sites we protect.

ThreatX holds a SOC 2 Type 2 report, issued by an AICPA-certified auditor, covering the Security and Availability trust services criteria. The audited controls include the following:

  • Locate and remove or redact specified confidential information as required.

  • Regularly and systematically destroy, erase, or anonymize confidential information that is no longer required for the purposes identified in its confidentiality commitments or system requirements.

  • Erase or destroy records in accordance with the retention policies, regardless of the method of storage.

  • Dispose of original archived, backed up, and ad hoc or personal copies of records in accordance with its destruction policies.

The ThreatX platform does not install an agent on servers or workloads, and has no privileged access to origin servers, API endpoints, or any supporting infrastructure of the web applications it protects. The platform sits inline, inspects HTTP and HTTPS requests, and allows or blocks traffic based on attributes of the HTTP request itself. The platform does not directly interact with customer intellectual property.

The ThreatX Web Application Firewall can be used to satisfy PCI-DSS Requirement 6.6 when deployed within a customer's PCI environment. While the sensors do not store or transmit cardholder data (PANs, CVVs, etc.), maintaining effective security controls remains the customer's responsibility and should be validated by a Qualified Security Assessor (QSA).

You can find more information about our physical and logical security posture, our controls, and our SOC 2 Type 2 standing on our website. The current report and bridge letter are available to customers who require them for compliance purposes.

Data Collection

The ThreatX platform sends the following request data to its backend (summarized):

  • Source IP

  • User-Agent header

  • Request Method (for example, GET, POST, PUT)

  • Request Domain (for example, site.com)

  • Request Path (/request/path)

  • TLS Fingerprint

  • ThreatX metadata about security rule matches

The ThreatX sensor does not inspect response data; only the request is analyzed.

Sensitive data is retained only when necessary for business purposes. This includes data required for processing transactions, supporting customers and business functions, and supporting current or historical event analysis. ThreatX requires transaction details to be available both in databases and in log format to support customer requests and analysis.

The ThreatX SOC retains this data for 90 days.

Data Redactions

Specific portions of the request are automatically redacted on the sensor and never sent to the backend. This includes tokens, credentials, and values matching known patterns such as credit card numbers and social security numbers. Redaction is applied to request fields and to URL-encoded form bodies.

The remaining sanitized data is reduced to metadata before being sent to the ThreatX platform for analysis and/or visualization to customer security administrators.

Usernames are not automatically redacted, because this data is often critical to security analytics and forensics, for instance when identifying account takeover (ATO) attacks or login rotation.
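The redact-then-reduce flow described in the Data Collection and Data Redactions sections, as an added illustration. This is example code written for this page, not the ThreatX sensor's implementation: the redaction patterns, the list of credential field and header names, the Luhn check used to suppress false positives on 13-19 digit numbers, and the sample request are all assumptions, since the page does not specify them. The example keeps the username in the metadata, drops credentials and PAN/SSN values, and emits only the request attributes the page lists (the TLS fingerprint is not derivable from the HTTP text and is omitted).

```python
"""Illustrative redact-then-reduce pipeline for an inline HTTP sensor (example code, not ThreatX's)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed HTTP/1.1 request for the example; not captured traffic.
SAMPLE_REQUEST = (
    "POST /checkout?promo=SAVE10&ssn=123-45-6789 HTTP/1.1\r\n"
    "Host: shop.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.example\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2&card=4111%201111%201111%201111&cvv=123&note=hello"
)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes (assumed PAN shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed names of fields/headers that carry credentials or tokens; redacted wholesale.
SECRET_FIELDS = {"password", "passwd", "token", "access_token", "cvv", "cvc", "api_key"}
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters order numbers and timestamps out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _pan_sub(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return "[REDACTED-PAN]" if luhn_ok(digits) else m.group(0)


def redact_text(value: str) -> str:
    """Pattern-based redaction of a single free-text value (SSN first, then PAN)."""
    return PAN_RE.sub(_pan_sub, SSN_RE.sub("[REDACTED-SSN]", value))


def redact_form(encoded: str) -> dict:
    """Decode a URL-encoded form/query string and redact by field name or by pattern."""
    out = {}
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        out[name] = "[REDACTED]" if name.lower() in SECRET_FIELDS else redact_text(value)
    return out


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased), body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def sanitize_request(req: dict) -> dict:
    """Step 1: redact on the sensor, before anything leaves the customer's environment."""
    headers = {n: "[REDACTED]" if n in SECRET_HEADERS else redact_text(v)
               for n, v in req["headers"].items()}
    parts = urlsplit(req["target"])
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    form = redact_form(req["body"]) if is_form else {"_raw": redact_text(req["body"])}
    return {"method": req["method"], "path": parts.path,
            "query": redact_form(parts.query), "headers": headers, "form": form}


def reduce_to_metadata(sanitized: dict, source_ip: str) -> dict:
    """Step 2: keep only the request attributes listed on the page (username retained for ATO analytics)."""
    form = sanitized["form"]
    return {
        "source_ip": source_ip,
        "user_agent": sanitized["headers"].get("user-agent", ""),
        "method": sanitized["method"],
        "domain": sanitized["headers"].get("host", ""),
        "path": sanitized["path"],
        "username": form.get("username"),
        "redacted_fields": sorted(n for n, v in form.items() if v.startswith("[REDACTED")),
    }


def process(raw: str, source_ip: str) -> dict:
    return reduce_to_metadata(sanitize_request(parse_request(raw)), source_ip)


if __name__ == "__main__":
    import json
    print(json.dumps(process(SAMPLE_REQUEST, "203.0.113.7"), indent=2))
```

Two design points worth noting: the Authorization and Cookie headers are redacted in full rather than pattern-matched, because token formats vary and a missed token is worse than a lost header, and the Luhn check keeps 16-digit order or tracking numbers out of the PAN bucket so that legitimate analytics data is not over-scrubbed.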

The ThreatX SOC can help with custom redactions on a case-by-case basis. To scrub specific data, contact the ThreatX SOC.