Aqua Security Data Processing
TABLE OF CONTENTS
- Legal implications
- Compliance certifications
- How Aqua handles your data
- Data shared with Aqua
- Access to Customer environments
Aqua Security makes extensive efforts to safeguard your data, and to maintain its confidentiality, privacy, integrity, and availability. The present document describes how the Aqua Platform software and Aqua Security ("Aqua") process your data in accordance with these objectives. It covers data collection, transmission, and storage, as well as the related processes and policies. As the Aqua Platform continues to evolve and include new capabilities, we will update our policies and processes, and update this document to reflect these changes.
This document is provided as a supplement to all other Aqua-provided legal documents. It is not intended to supersede or modify legal documents in any way.
Aqua is ISO 27001 and SOC 2 Type II certified. We undergo annual recertification and pen testing by an accredited third-party provider. To learn more about these certifications, please see Compliance at Aqua.
How Aqua handles your data
Data collection, encryption, transmission, and storage
Aqua collects, transmits, and stores only the data that is necessary to provide and support its products and services for our Customers. All data that is collected is encrypted in every phase of transmission (e.g., from users to servers, and servers to databases) and while at rest (e.g., in databases, Amazon S3 cloud object storage).
The Aqua Platform SaaS Edition is deployed in multiple regions around the world. Each region operates as an independent instance of the Aqua Platform, with all Customer data remaining physically in that region. Aqua provides you with the option to pre-select the region of your deployment; this may help you comply with cross-border personal data transfers and other legal requirements (such as the GDPR and similar privacy laws) you may be subject to. For more information, see SaaS Regions.
Data that is not required by Aqua is disposed of quickly. For example: When performing cloud security scans, some API responses contain data that is not used by the scan; this data is simply an artifact of how cloud-provider APIs work. Aqua processes the scan data, saves only what is relevant to the scan, and permanently deletes the remaining data within 36 hours.
The Aqua Platform uses telemetry to transmit selected information to Aqua-managed computing environments. This is required to support various operations, including problem resolution. As with all other data, telemetry data is protected as described.
If you pay Aqua via credit card, your payment information will not be processed, saved, or even seen by us. Aqua uses Stripe, a third-party, PCI-compliant, accredited payment processor, to handle all billing information. Stripe's comprehensive privacy and security policies and information can be viewed here.
Activity logging and auditing
The Aqua Platform logs all activity related to your account. This includes actions performed by your users (administrators and others) and by Aqua administrators, whether performed via the UI or by using product APIs. Log data is saved for at least 365 days for auditing purposes. You can access the audit logs via the UI.
The right to be forgotten
You can close your account at any time. Once you have done so, Aqua will stop collecting and transmitting data as described above, and stop logging activity related to your account.
If you want us to delete your data within a specific timeframe, please contact Aqua Support to request a full data wipe. Otherwise, your data will be deleted during a regularly scheduled period (typically within 48 hours).
Please note, however, that we may still retain certain personal data, such as data which we are required to retain to comply with legal obligations to which we are subject, to exercise and defend from legal claims, to perform accounting and billing, and for similar legitimate purposes.
Data shared with Aqua
This section lists the kinds of data that are shared with Aqua when you use specific Aqua Platform functionality or components.
Supply Chain Security
The Aqua Platform supports two deployment models:
- Remote access: You provide Aqua remote read-only access to your source code repositories. Aqua pulls your code to its infrastructure for the duration of the scan only, and then removes it. Your code is never kept.
- Local access: You deploy the Aqua supply chain broker locally in your private environment. Your code is never sent to Aqua. The data shared with Aqua includes metadata and security findings.
CSPM and Inventory
Data shared with Aqua includes:
- Read-only connection details for cloud provider accounts, such as AWS (Amazon Web Services), Microsoft Azure, and GCP (Google Cloud Platform)
- Cloud asset configuration metadata (but not the details of the contents within the cloud resources)
- (If used) Cloud provider event streams, such as AWS CloudTrail, and Azure Activity log
Image registry and image scanning
Data shared with Aqua includes container image metadata and security findings discovered by the Aqua Scanner. For every image scanned, Aqua receives the following data for use in querying Aqua's security threat database:
- Aqua image digest
- Image operating system
- List of layer digests in the image
- List of packages installed in the image, including:
- Package format (e.g., rpm, deb, apk)
- Package name (e.g., nginx)
- Package version
- Package hash (if applicable)
- List of non-package executables, including:
- Name of software
- SHA1 hashes of file contents, for purposes of malware identification
- List of programming-related files (e.g., php, js, jar), and SHA1 hashes of file contents
The Aqua Platform supports two deployment models:
- Remote access: You provide Aqua remote access to your registry. Aqua will pull and scan your container images from its own computing infrastructure. Aqua has read-only access to your container images, and stores this information in its infrastructure for the duration of the scan. Data shared with Aqua includes connection parameters for your registries (e.g., Amazon ECR, Azure ACR, or Google GCR).
- Local access: You deploy the Aqua Scanner locally in your private environment. Your images are never sent to Aqua. The data shared with Aqua includes metadata and security findings.
This data is shared with Aqua:
- Runtime audit trail and incident information
- Runtime indications (evidence) of security compromises, such as copying files infected with malware
- Audit events include:
- Host address
- Container address
- Image name
- IP/DNS address (when relevant)
- User commands (when relevant)
- Process ID and name
- Malware name (when relevant)
- (If Aqua is integrated with secret key stores) Encrypted secrets. If an external vault is used, Aqua will keep only the secret keys, not their values. Enforcers keep the authentication tokens to the Server encrypted on the workload.
The KubeEnforcer is the platform component responsible for Kubernetes security. KubeEnforcers run as Deployments on the clusters to be protected. Security capabilities are implemented at the cluster level without sending the full raw data (the resource manifest) to Aqua. The following data is sent to Aqua:
- List of Kubernetes resources:
- Service Accounts
- Security findings for these resources
- Metadata of these resources:
- Resource name
- Resource type
- Number of pods
- AWS IAM ARN (if present in a role)
A KubeEnforcer Auto-Discovery setting, “Add discovered registries”, allows Aqua to read Kubernetes secrets that hold container registry credentials (“secret docker-registry”) and send this data to Aqua for integration with the registries. This allows Aqua to scan container images directly from the registries. This setting is disabled by default.
Data shared with Aqua includes:
- User email addresses and hashed passwords
- (If used) SAML configuration data for SSO login
- IP addresses and user agents of users connecting to the SaaS interface or APIs
Access to Customer environments
The Customer agrees and consents to Aqua accessing the Customer’s systems solely for the purpose of resolving errors.
Did you find it helpful? Yes NoSend feedback