Welcome to Treasure Data's Trust & Security Center.
At Treasure Data, Trust and Security are at the forefront of everything we do. Use this portal to learn about our security posture and request access to our security assurance documentation.
Prospective customers should reach out to our Sales team here if you're interested in learning more about our CDP. Existing customers should reach out to your Customer Success Manager if you're interested in more information.
Trust Center Updates
Updated 2023 Policies Now Available! (General)
Treasure Data has reviewed and updated all IT + Security (ITS) policies for 2023. Customers can view and download Treasure Data's latest ITS policies under the Policies & Plans card of our Trust and Security Center.
Curl and libcurl Vulnerabilities (CVE-2023-38545, CVE-2023-38546) (Vulnerabilities)
Treasure Data is aware of CVE-2023-38545 and CVE-2023-38546, a heap buffer overflow in curl and libcurl between 7.69.0 and 8.3.0. These vulnerabilities affect curl/libcurl only in limited cases. This is because the vulnerabilities only exist when curl/libcurl is used through a SOCKS5 proxy with a specific set of configurations. These vulnerabilities were rated as high; however, few cloud workloads will meet the aforementioned preconditions and experts believe the risk of widespread exploitation is low. Exploiting these vulnerabilities requires local access to the system with sufficient access to create specific, named files.
Upon learning of the CVEs, Treasure Data’s Security team investigated to determine if the CVEs were present within our network. Via the use of AWS Inspector, Treasure Data determined the CVEs were present within applicable production environments. At this time, Treasure Data has no evidence of any impact on the confidentiality, integrity, or availability of data stored in the Treasure Data CDP due to the aforementioned CVEs.
Treasure Data has updated our base images used in production to address these CVEs. All production instances will be patched upon their next scheduled rotation, no later than 30 days. No action is required by Treasure Data customers.
2023 Security Incident Response Plan (SIRP) and Annual Test Results Now Available! (General)
Treasure Data has reviewed and updated the SIRP, as well as conducted a corresponding tabletop exercise. Treasure Data’s annual SIRP tabletop exercise provides an opportunity to practice and prepare for security incidents in a controlled environment. It also allows the Treasure Data teams to test their plans, procedures, and coordination without the pressure of a real incident. Customers can obtain Treasure Data’s most recent SIRP and Test Results by clicking on the Security Incident Response Planning & Testing card in the “Reports” section of our Trust & Security Center.
2023 Penetration Testing Results Report Now Available! (General)
Treasure Data is excited to announce the completion of our annual independent penetration testing for 2023. Treasure Data engaged a third-party penetration testing firm, NetSPI LLC., to conduct External Network, Web Application, and API testing of Treasure Data’s Customer Data Platform (CDP) in a production environment between August 8 - 25, 2023. Customers can obtain the Penetration Testing Results Report under the "Documents" section of our Trust and Security Center. This report includes Penetration Test Report Summaries by NetSPI and remediation plan/acceptance details by Treasure Data for high and medium vulnerabilities.
Securing Customer Data Whitepaper Now Available! (General)
Treasure Data (TD) has published a new whitepaper on how customer data is secured and protected! This whitepaper dives deep into the administrative, technical, and physical safeguards TD has implemented to ensure the confidentiality, integrity, and availability of the CDP and customer data. Customers can obtain this Whitepaper under the "Reports" section of our Trust and Security Center.
2G3M Compliance (Compliance)
Treasure Data (TD) is excited to announce that we have completed a mapping of internal security controls to the regulation that governs Japanese medical institutions on the use of third-party services, collectively known as “Two Guidelines from Three Ministries (2G3M).” As part of the mapping exercise, we have published (1) a dedicated Whitepaper, and (2) a Controls Mapping document, both of which are available within our Trust & Security Center. The Controls Mapping document and Whitepaper will help our customers understand how our CDP supports compliance with 2G3M and provide peace of mind that your data is safe with us. For additional information, please reach out to the TD Sales team or your Customer Success Manager.
Updated Privacy Mark Certification Now Available! (Compliance)
Treasure Data is pleased to announce that we have received our updated Privacy Mark Certification valid until February 2025. You can obtain a copy of the Certificate by clicking on the “Privacy Mark” card in the “Documents” section of our Trust & Security Center. This Certification is the validation of Treasure Data’s compliance with Japanese privacy legislation and our commitment to providing a safe and secure platform that our customers can continue to trust and rely on.
MOVEit Transfer (CVE-2023-34362) (Vulnerabilities)
Treasure Data does not use MOVEit Transfer for FTP/SFTP services and is not impacted by the recent announcement of a zero-day vulnerability actively being exploited. Customers who use MOVEit Transfer should review available information and follow the recommended remediation activities provided by Progress (MOVEit service provider).
Refer to the following blog by Progress for more info: https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
Bridge Letters Now Available! (Compliance)
Bridge Letters (aka Gap Letters) for our most recent SOC 2 Type 2, HIPAA report, and PrivacyMark certification are now available! You can obtain the letters by clicking on the applicable card in the “Documents” section. What are Bridge Letters? A Bridge Letter bridges the gap between the end date of the review period from the applicable audit report/certification and the date of the bridge letter. The letter is designed to identify and address any material changes in Treasure Data's internal control environment that have occurred during the “gap” period covered by the letter.
Welcome to TD's Trust & Security Center! (General)
Treasure Data understands that prospective and existing customers need assurances over our security and privacy practices. In order to provide these assurances with speed and efficiency in mind, we’ve created the Treasure Data Trust & Security Center!
The Trust & Security Center's objective is to be a centralized self-service portal for all Security and Privacy information regarding Treasure Data’s CDP. The portal offers on-demand access to the most common artifacts typically requested via email, as well as supplemental artifacts to help ensure customers can perform due diligence.
Looking for more information? Prospective customers should reach out to our Sales team here if you're interested in learning more about our CDP. Existing customers should reach out to your Customer Success Manager if you're interested in more information.