Aqua takes the security and privacy of its customers and data seriously. Through a variety of technical and process controls, we ensure the absolute strictest security policies.


TABLE OF CONTENTS


Security overview

Aqua takes every effort to safeguard your data when using our product. Beginning with data storage, only the information required to use the product is collected and stored. Data is transmitted and stored in a secure, encrypted manner, and can only be accessed by authorized Aqua personnel on a need-to-know basis. Aqua also undergoes an annual pentest and, ISO 27001 and SOC 2 Type II certification processes.


Certification

Aqua is ISO 27001 and SOC 2 Type II certified and undergoes annual recertification and pentest by an accredited third-party provider. To know more about these certifications, see the Compliance page.


Data collection

Aqua only saves data that is necessary to deliver the product and feature set to end-users. In the context of its features, this data includes:

  • User email address and hashed passwords
  • (If used) SAML configuration data for SSO login
  • IP addresses and user agents of users connecting to the SaaS interface or APIs
  • Cloud account read-only connection details
  • (For CSPM) Cloud account configuration metadata (but never the details of the contents within the cloud resources)
  • (For Image Scanning) the image vulnerability findings and image details


Payment data

If you pay Aqua for a paid plan via credit card, the payment information is not saved, processed, or even seen by Aqua servers. Aqua uses Stripe, a third-party, PCI-compliant, and the accredited payment processor to handle all billing information.


Cloud provider usage

Aqua is hosted in Amazon Web Services, and stores data in its us-east-1 (Northern Virginia) datacenter.


Cloud account connections

When connecting to your cloud accounts, Aqua uses a third-party read-only role or application. This role provides visibility into the configuration of your cloud resources, but not the contents within them.


For some optional features (such as automated Remediations), Aqua will deploy an additional write-level role that is restricted to specific resources or API calls. Read more about the security of this feature.


Data processing and storage

All data that is collected from the cloud provider connection is encrypted at rest when stored, and in transit at all phases of the transmission process (i.e. from user to API server, API server to database, etc.).


Data is encrypted at rest in all places it is stored (database, S3 buckets, etc).


Data deletion

Data that is not required by the Aqua is disposed of quickly. For example, when performing cloud security scans, some API responses contain data that is not used by the scan. This is simply an artifact of how the cloud provider APIs work. Aqua processes the scan data, saves what is relevant to the scan, and permanently deletes the remaining data within 36 hours.


Logging and auditing

Aqua has extensive API and activity logging that records all activity within your account, by users, admins, or Aqua administrators. This data is saved for at least 365 days for auditing purposes.


Within your Aqua account, you can also access audit logs for user activity and the write-level activity performed by your users and API keys.


"Bring Your Own Key" encryption

Aqua supports the ability to "bring your own" bucket and KMS key for users who want their scan details separately stored and encrypted from the multi-tenant bucket owned by Aqua.


Uptime status

Uptime status for the last 90 days is publicly available for review.