Welcome to Treasure Data's Trust & Security Center.
At Treasure Data, Trust and Security are at the forefront of everything we do. Use this portal to learn about our security posture and request access to our security assurance documentation.
Prospective customers should reach out to our Sales team here if you're interested in learning more about our CDP. Existing customers should reach out to your Customer Success Manager if you're interested in more information.
Trust & Security Center Updates
Treasure Data has reviewed and updated all IT + Security (ITS) policies for 2024. Customers can view and download Treasure Data's latest ITS policies under the Policies & Plans card of our Trust and Security Center.
Treasure Data is excited to announce the completion of our annual independent Web Application penetration testing of the Customer Data Platform (CDP) Console for 2024. Treasure Data engaged a penetration testing third party, NetSPI LLC., to conduct Web App testing of Treasure Data in a production environment between June 17-21, 2024. Customers can obtain the Web App Penetration Testing Results Report under the "Documents" section of our Trust and Security Center. This report includes the Web App Penetration Test summary of findings & results and the remediation plan by Treasure Data for any identified vulnerabilities.
Treasure Data is excited to announce the completion of our annual independent penetration testing of the Customer Data Platform (CDP) APIs for 2024. Treasure Data engaged a penetration testing third party, NetSPI LLC., to conduct API testing of Treasure Data in a production environment between March 11 - 22, 2024. Customers can obtain the API Penetration Testing Results Report under the "Documents" section of our Trust and Security Center. This report includes the API Penetration Test summary of findings & results and the remediation plan by Treasure Data for any identified vulnerabilities.
In prior years, all penetration testing scopes (External Network, Web Application, APIs, and Thick App) were tested in a single quarter. Starting in 2024, Treasure Data will conduct one penetration test scope per quarter of the calendar year.
2023 ISO/IEC 27001 Certificate Now Available + Additional Compliance with ISO/IEC 27017 and 27018!
Treasure Data has completed our annual ISO/IEC 27001:2013 audit and received our updated 2023 certificate. Additionally, to further bolster our compliance program and meet our customers’ expectations, we are excited to announce compliance with two additional ISO standards - ISO/IEC 27017:2015 and ISO/IEC 27018:2019! Customers can view and download the applicable certificates within the ISO 27001 card of our Trust and Security Center.
Treasure Data has completed the 2023 SOC 2/3 Type 2 PLUS HIPAA external audit covering controls within Treasure Data’s Enterprise Customer Data Platform (CDP) from January 1, 2023 to December 31, 2023. Our external auditor, A-LIGN, has informed us that no exceptions were identified. Customers can view and download Treasure Data’s most recent external audit report under the SOC 2 Type 2 Report and SOC 3 Type 2 Report card of our Trust and Security Center.
Treasure Data has completed the 2023 Type 2 SOC 2 / SOC 3 PLUS HIPAA external audit fieldwork. Our external auditors, A-LIGN, have informed us that no exceptions were identified. To see the 2023 Type 2 SOC 2 / 3 Confirmation of Audit Opinion, visit the SOC 2 Type 2 Report card on our Trust and Security Center. We are on track to receive the final reports in early 2024 and will notify all stakeholders via Trust Center Updates once published.
Treasure Data has reviewed and updated all IT + Security (ITS) policies for 2023. Customers can view and download Treasure Data's latest ITS policies under the Policies & Plans card of our Trust and Security Center.
Treasure Data is aware of CVE-2023-38545 and CVE-2023-38546, a heap buffer overflow in curl and libcurl between 7.69.0 and 8.3.0. These vulnerabilities affect curl/libcurl only in limited cases. This is because the vulnerabilities only exist when curl/libcurl is used through a SOCKS5 proxy with a specific set of configurations. These vulnerabilities were rated as high; however, few cloud workloads will meet the aforementioned preconditions and experts believe the risk of widespread exploitation is low. Exploiting these vulnerabilities requires local access to the system with sufficient access to create specific, named files. Upon learning of the CVEs, Treasure Data’s Security team investigated to determine if the CVEs were present within our network. Via the use of AWS Inspector, Treasure Data determined the CVEs were present within applicable production environments. At this time, Treasure Data has no evidence of any impact on the confidentiality, integrity, or availability of data stored in the Treasure Data CDP due to the aforementioned CVEs. Treasure Data has updated our base images used in production to address these CVEs. All production instances will be patched upon their next scheduled rotation, no later than 30 days. No action is required by Treasure Data customers.
Treasure Data has reviewed and updated the SIRP, as well as conducted a corresponding tabletop exercise. Treasure Data’s annual SIRP tabletop exercise provides an opportunity to practice and prepare for security incidents in a controlled environment. It also allows the Treasure Data teams to test their plans, procedures, and coordination without the pressure of a real incident. Customers can obtain Treasure Data’s most recent SIRP and Test Results by clicking on the Security Incident Response Planning & Testing card in the “Reports” section of our Trust & Security Center.
Treasure Data is excited to announce the completion of our annual independent penetration testing for 2023. Treasure Data engaged a penetration testing third party, NetSPI LLC., to conduct External Network, Web Application, and API testing of Treasure Data’s Customer Data Platform (CDP) in a production environment between August 8 - 25, 2023. Customers can obtain the Penetration Testing Results Report under the "Documents" section of our Trust and Security Center. This report includes Penetration Test Report Summaries by NetSPI and remediation plan/acceptance details by Treasure Data for high and medium vulnerabilities.
Treasure Data (TD) has published a new whitepaper on how customer data is secured and protected! This whitepaper dives deep into the administrative, technical, and physical safeguards TD has implemented to ensure the confidentiality, integrity, and availability of the CDP and customer data. Customers can obtain this Whitepaper under the "Reports" section of our Trust and Security Center.
Treasure Data (TD) is excited to announce that we have completed a mapping of internal security controls to the regulation that governs Japanese medical institutions on the use of third-party services, collectively known as “Two Guidelines from Three Ministries (2G3M).” As part of the mapping exercise, we have published (1) a dedicated Whitepaper, and (2) a Controls Mapping document, both of which are available within our Trust & Security Center. The Controls Mapping document and Whitepaper will help our customers understand how our CDP supports compliance with 2G3M and provide peace of mind that your data is safe with us. For additional information, please reach out to the TD Sales team or your Customer Success Manager.
Treasure Data is pleased to announce that we have received our updated Privacy Mark Certification valid until February 2025. You can obtain a copy of the Certificate by clicking on the “Privacy Mark” card in the “Documents” section of our Trust & Security Center. This Certification is the validation of Treasure Data’s compliance with Japanese privacy legislation and our commitment to providing a safe and secure platform that our customers can continue to trust and rely on.
Treasure Data does not use MOVEit Transfer for FTP/SFTP services and is not impacted by the recent announcement of a zero-day vulnerability actively being exploited. Customers who use MOVEit Transfer should review available information and follow the recommended remediation activities provided by Progress (MOVEit service provider).
Refer to the following blog by Progress for more info: https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
Bridge Letters (aka Gap Letters) for our most recent SOC 2 Type 2, HIPAA report, and PrivacyMark certification are now available! You can obtain the letters by clicking on the applicable card in the “Documents” section. What are Bridge Letters? A Bridge Letter bridges the gap between the end date of the review period from the applicable audit report/certification and the date of the bridge letter. The letter is designed to identify and address any material changes in Treasure Data's internal control environment that have occurred during the “gap” period covered by the letter.
Treasure Data understands that prospective and existing customers need assurances over our security and privacy practices. In order to provide these assurances with speed and efficiency in mind, we’ve created the Treasure Data Trust & Security Center!
The Trust & Security Center's objective is to be a centralized self-service portal for all Security and Privacy information regarding Treasure Data’s CDP. The portal offers on-demand access to the most common artifacts typically requested via email, as well as supplemental artifacts to help ensure customers can perform due diligence.
Looking for more information? Prospective customers should reach out to our Sales team here if you're interested in learning more about our CDP. Existing customers should reach out to your Customer Success Manager if you're interested in more information.
If you need help using this Trust Center, please contact us.
If you think you may have discovered a vulnerability, please send us a note.